Sync/libfuse 3.18.2 #11

Draft
mchaarawi wants to merge 242 commits into master from sync/libfuse-3.18.2

Conversation

@mchaarawi

No description provided.

bsbernd and others added 30 commits January 1, 2025 23:02
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
Running on the 'master' is not enough, actions also
need to run on release branches.

Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
checkpatch.pl has a list of misspelled words and the codespell test
fails on that.

Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
- The MAINTAINERS test is not valid for libfuse.
- Correct the base commit

Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
Actually checkpatch.pl already checks for "Signed-off-by"
and also handles merge commits - no need for duplicate
logic.

Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
After pulling latest code, memfs_ll build would fail because it
builds with C++11.

Changing the default of cpp_std in meson.build is not enough to fix this
problem even if the user runs 'meson setup --reconfigure'.

I had to run 'meson setup -Dcpp_std= --reconfigure' to fix the build
as mentioned in this meson issue:
mesonbuild/meson#8062 (comment)

Signed-off-by: Amir Goldstein <amir73il@gmail.com>
passthrough example supports the --plus command line argument to reply
to readdirplus with fill_dir_plus and unspecified (0) fill offsets.

As explained in this comment:
libfuse#896 (comment)
passthrough example needs a few more changes to be able to test commit
dd95d13 ("fix readdirplus when filler is called with zero offset (libfuse#896))

With the changes in this commit, readdirplus without fill offsets
can be tested to verify the readdirplus fix above with command line:

passthrough --plus -o auto_cache,modules=subdir,subdir=/src /mnt

Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Commit dd95d13 ("fix readdirplus when filler is called with zero offset
(libfuse#896)) broke readdirplus with passthrough example command:

    passthrough -o auto_cache,modules=subdir,subdir=/src /mnt

The /src directory looks like this:

    ~# ls -l /src
    total 0
    drwx------ 3 root root 60 Jan  2 17:51 testdir

And the fuse directory looks like this:

    ~# ls -l /mnt
    total 0
    d--------- 0 root root 0 Jan  1  1970 testdir

Because readdir_fill_from_list() ignores the fact that filesystem
did not pass the FUSE_FILL_DIR_PLUS flag with valid stat info.

Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Commit 58f85bf ("Add in the libfuse version a program...")
forgot to add a fuse_main_real function for libfuse compilations
that are not symboled. That is now added in compat.c.

Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
_fuse_new() is not supposed to be called by external users
outside of internal functions or static inlined functions.

This also removes several functions from lib/fuse_versionscript
which were added and exported by
commit 58f85bf ("Add in the libfuse version a program...)
as these are libfuse internal only.

Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
We do actually need these, at least for compat.c.

Also disable git commit id warnings, these are doing
more harm than good (for example trigger long line
warnings when fulfilled).

Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
Addresses libfuse#1092

We actually don't need to make fuse_main_real() symboled, as it
is not part of the official API.

The inlined function now always calls into fuse_main_real_317
and the compat ABI function (which should also be available
for dlopen/dlsym) is now always compiled, independent if the
compiler/linker support versioned symbols.

Additionally, fuse_main_real() is also declared as inlined
function and a warning message is created when that function
is called.

Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
Issue:
There is no direct way to get the FD
held by the parent process which asked to do the fuse mount.

Use Case:
For the auto_unmount case, identifying the FD makes it easy to close
the FD and trigger the automatic unmount manually and explicitly.
The FD[1] can be obtained via getenv(FUSE_COMMFD2_ENV).
One potential use case is to satisfy FD-leak checks.

Solution:
Add an extra env _FUSE_COMMFD2 to store the FD.
This will provide an easy way to get the FD via FUSE_COMMFD2_ENV.

Signed-off-by: Zegang Luo <zegang.luo@qq.com>
Comments for fuse_reply_open and fuse_reply_create and with that
doxygen had not been updated for parallel_direct_writes and others.

Signed-off-by: Bernd Schubert <bschubert@ddn.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.28.0 to 3.28.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@48ab28a...b6a472f)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
These seem to be fine and exist in the code and also seem to
be common English (there are debates which spelling is right).

Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
This ENOSYS is the fuse protocol return code to tell
fuse client/kernel that an operation is not supported,
warning on it is not right.

Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
So far we only want it to warn about changed symbols.

Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
Main worker threads: fuse_worker
high level clean up threads: "fuse_prune_nodes"

Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.28.1 to 3.28.6.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@b6a472f...17a820b)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Probably lots of issues right now, so let's fix it step by step
by only checking modified files - new PRs should fix their
modified files.

Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
Because conn.want_ext is a uint64_t, copying it into a uint32_t may result
in truncating its value.  This patch fixes a bug in do_init() where the
32 bits copy is again converted into a 64 bits value, because it will be
used in convert_to_conn_want_ext().

Signed-off-by: Luis Henriques <luis@igalia.com>
The comment is probably a leftover from older versions, as the application
of the 32 bits of conn.capable_ext to conn.capable is done before function
convert_to_conn_want_ext() is invoked.

Signed-off-by: Luis Henriques <luis@igalia.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.28.6 to 3.28.8.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@17a820b...dd74661)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
As suggested by Bill in Issue libfuse#1092, rename to _versioned
so that applications using dlopen/dlvsym better understand
the meaning of this function.

Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
As suggested by Bill in Issue libfuse#1092 make fuse_main a macro again,
just in case some applications expect it to be a macro.

Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
dependabot bot and others added 30 commits November 18, 2025 09:25
Bumps [actions/checkout](https://github.com/actions/checkout) from 5.0.0 to 5.0.1.
- [Release notes](https://github.com/actions/checkout/releases)
- [Commits](actions/checkout@v5...v5.0.1)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 5.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
"struct fuse_entry_param e" was not initialized when get_path_name()
returned an error, which made recent clang versions complain.
However, the compiler missed that reply_entry() checks for
an error code and ignores fuse_entry_param then.

Closes: libfuse#1360
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
During fsstress stress testing using passthrough_hp as the backend, the
backend process crashes. The root cause is that when forget_one() and
do_lookup() concurrently process the same inode, do_lookup may return
either an invalid inode or a different inode reusing the same memory
address.

 CPU0                           CPU1
 -----------------------        --------------------
 forget_one                     do_lookup
                                  lock fs
                                  inode = fs.inodes[id] //inode.fd > 0
                                  unlock fs
   lock inode
   inode.nlookup -= n
                 <inode.nlookup equal to 0>
   lock fs
   unlock inode
   fs.inodes.erase
   unlock fs
                                 lock inode
                                 inode.nlookup++
                                 unlock inode
                 <lookup an invalid inode>

This can lead to abnormalities in the inode nlookup count. Since the
value of inode.nlookup determines the inode's lifecycle, and considering
the locking order requirements between the inode lock and fs lock, using
the inode lock alone does not resolve the issue effectively. The fix is
to convert inode.nlookup to an atomic type, which removes the need for
write protection via inode lock, while using fs lock to guard the inode's
lifetime.

Signed-off-by: Long Li <leo.lilong@huawei.com>
When multiple threads concurrently call forget_one() on the same inode,
a use-after-free memory issue can occur.

 forget_one()               forget_one()
 ----------------           ---------------
           <inode.nlookup == 2>
 inode.nlookup -= 1
                            inode.nlookup -= 1
           <inode.nlookup == 0>
 if (!inode.nlookup)
   fs.inodes.erase()
                            if (!inode.nlookup) {} //UAF

Fix it by restoring the inode lock protection in forget_one().

Signed-off-by: Long Li <leo.lilong@huawei.com>
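One way to model the invariant the two messages above describe (the forget_one/do_lookup race and the double forget_one UAF), as an added example that is not libfuse's passthrough_hp code: an atomic nlookup whose fetch_sub return value picks exactly one releaser, and a table (fs) lock that alone decides when an inode is erased. The names Fs, Inode, do_lookup, forget_one and stress mirror the messages but are this model's own.

```cpp
// Added model (not libfuse code): inode lifetime decided by the table lock.
#include <atomic>
#include <cassert>
#include <cstdint>
#include <memory>
#include <mutex>
#include <thread>
#include <unordered_map>
#include <vector>

struct Inode {
    uint64_t src_id;
    std::atomic<uint64_t> nlookup{0};
    explicit Inode(uint64_t id) : src_id(id) {}
};

struct Fs {
    std::mutex m;                                                  // guards `inodes`
    std::unordered_map<uint64_t, std::unique_ptr<Inode>> inodes;   // keyed by src_id
};

// do_lookup(): find-or-create and take the reference while the table lock is
// still held, so a concurrent forget_one() cannot erase the entry in between.
Inode* do_lookup(Fs& fs, uint64_t id) {
    std::lock_guard<std::mutex> g(fs.m);
    auto it = fs.inodes.find(id);
    if (it == fs.inodes.end())
        it = fs.inodes.emplace(id, std::make_unique<Inode>(id)).first;
    it->second->nlookup.fetch_add(1);
    return it->second.get();
}

// forget_one(): the caller holds at least n references, so `inode` is alive on
// entry. fetch_sub returns the old count, so exactly one caller observes the
// drop to zero. Returns true if this call released the inode.
bool forget_one(Fs& fs, Inode& inode, uint64_t n) {
    uint64_t id = inode.src_id;               // read before we may lose the inode
    uint64_t old = inode.nlookup.fetch_sub(n);
    assert(old >= n);                         // kernel never forgets more than it looked up
    if (old != n)
        return false;                         // still referenced elsewhere
    // Re-find by id under the table lock rather than through `inode`, which a
    // concurrent releaser may have freed; skip the erase if a lookup revived it.
    std::lock_guard<std::mutex> g(fs.m);
    auto it = fs.inodes.find(id);
    if (it == fs.inodes.end() || it->second->nlookup.load() != 0)
        return false;
    fs.inodes.erase(it);
    return true;
}

// Stress: threads look up and forget one id; the table must end up empty.
size_t stress(int threads, int rounds) {
    Fs fs;
    std::vector<std::thread> ts;
    for (int t = 0; t < threads; ++t)
        ts.emplace_back([&fs, rounds] {
            for (int r = 0; r < rounds; ++r)
                forget_one(fs, *do_lookup(fs, 42), 1);
        });
    for (auto& t : ts) t.join();
    return fs.inodes.size();                  // 0: every lookup matched by a forget
}
```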
The incorrect removal of the fs.debug check caused the message
"DEBUG: forget: cleaning up inode" to be printed even when debug
was not enabled.

Signed-off-by: Long Li <leo.lilong@huawei.com>
Starting from commit 752b59a, the buffer must be freed with
fuse_buf_free, not plain free.

Signed-off-by: Alexander Monakov <amonakov@ispras.ru>
Bumps [actions/checkout](https://github.com/actions/checkout) from 5.0.1 to 6.0.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Commits](actions/checkout@v5.0.1...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.3 to 4.31.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@014f16e...fdbfb4d)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.31.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
commit_id is 64 bits.  fuse_uring_sqe_set_req_data() accepts commit_id
as 'unsigned int' type, which is only guaranteed to be no less than 32
bits.  Thus the high 32 bits are dropped, and the replied commit_id is
truncated to the lower 32 bits as well in the following replied
fuse_uring_cmd_req when issuing FUSE_IO_URING_CMD_COMMIT_AND_FETCH
subcmd.

This can lead to "fuse: qid=XX commit_id YY not found" error, where YY
is the low 32 bits of the actual commit_id.

Signed-off-by: Jingbo Xu <jefflexu@linux.alibaba.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.5 to 4.31.6.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@fdbfb4d...fe4161a)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.31.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Under certain conditions, libfuse was yielding a zero d_ino from
high-level filesystems. This caused a number of bugs as other
software mis-handled these entries. To fix, ensure that direntries
stored in a fuse_dh always have either FUSE_UNKNOWN_INO or an
intentionally-set st_ino.

This bug was triggered if all the following conditions were met:

* High-level FS is readdirplus-capable, and does not set use_ino
  or readdir_ino.
* FS does not use offsets in readdir.
* FS passes to the dir filler the FUSE_FILL_DIR_PLUS flag, and a
  non-NULL struct stat with st_ino == 0.
* A directory is large enough to need multiple readdir calls.
* Adaptive readdirplus causes a readdirplus to be followed by a
  regular readdir.

When this occurred, the fuse_dh was filled with entries with
st_ino == 0. On the initial readdirplus we were calling do_lookup()
to convert these to synthetic inode numbers, but on the subsequent
regular readdirs we were returning the zero inode numbers verbatim.

Historically, d_ino == 0 indicated that a direntry should be skipped.
Several tools have treated it this way, including Glibc before 2022
(or 2024 for readdir64_r), and current versions of Go. This has caused
a number of bugs:

* libfuse#1338
* golang/go#76428
* restic/restic#5607
* https://gitlab.gnome.org/World/deja-dup/-/issues/623

When libfuse receives st_ino == 0 in readdir, we should therefore
treat it as the FS having no opinion about the inode number. We should
only truly trust that it wants a zero inode if use_ino or readdir_ino
is true.

In addition to the fix, this commit adds a mode to passthrough to
return st_ino == 0 from readdir, and uses that to test libfuse's
behavior in test_examples.py.

Signed-off-by: Dave Vasilevsky <dave@vasilevsky.ca>
The docs previously said that FUSE_FILL_DIR_PLUS makes "all file
attributes" valid, but also that use_ino controls whether the
st_ino field is honored. These docs conflict!

Since it doesn't make sense for getattr() and readdir() to have
different behavior for st_ino, it's best to decide that use_ino
will always take priority. This should not break any filesystems,
as use of non-zero st_ino with use_ino false already had weird
and broken behavior before this PR.

Signed-off-by: Dave Vasilevsky <dave@vasilevsky.ca>
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.0 to 6.0.1.
- [Release notes](https://github.com/actions/checkout/releases)
- [Commits](actions/checkout@v6...v6.0.1)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.6 to 4.31.7.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@fe4161a...cf1bb45)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.31.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Add WEKAFS to FS whitelist

Signed-off-by: WekaJosh <80121792+WekaJosh@users.noreply.github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.7 to 4.31.8.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@cf1bb45...1b168cd)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.31.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Especially FUSE_IO_URING_CMD_REGISTER can easily get
-EAGAIN - if it arrives in kernel before FUSE_INIT
was finally handled. Easiest solution is to send it again.
I'm not sure if FUSE_IO_URING_CMD_COMMIT_AND_FETCH might
fail with -EINTR or -EAGAIN - not from fuse client/kernel
point of view, but possibly by io-uring. Better if we handle
that as well.

Signed-off-by: Bernd Schubert <bschubert@ddn.com>
The better name is fuse_uring_register_queue() and it also splits
out registering the entries into a separate function for readability.

Signed-off-by: Bernd Schubert <bschubert@ddn.com>
This was forgotten before.

Signed-off-by: Bernd Schubert <bschubert@ddn.com>
…d_wait

There were two issues

1) If the application used an async thread outside of the ring thread
to submit results, the ring thread might have submitted via
io_uring_submit_and_wait() SQEs that were not ready yet. I.e.
in fuse_uring_commit_sqe() it might have already called

	sqe = io_uring_get_sqe(&queue->ring);

but then fuse_uring_sqe_prepare() and fuse_uring_sqe_prepare()
might not have been run yet.

2) If run from a single thread only and without any coroutine
/ reactor feature (only available in my private branch right now)
the function fuse_uring_commit_sqe() didn't need to call
io_uring_submit() at all. I.e. before this commit there was
one system call per request too many.

Signed-off-by: Bernd Schubert <bschubert@ddn.com>
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
(cherry picked from commit 8c8a62b)
Update AUTHORS and ChangeLog.rst, added signify/fuse-3.19.pub.

Signed-off-by: Bernd Schubert <bschubert@ddn.com>
Forgot meson.build and also some updates to make_release_tarball.sh

Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
Several functions like fuse_set_feature_flag had been introduced some
time ago in master (3.18-rc0) first and then backported to
3.17.3. In order to handle the backport a new section FUSE_3.17.3
was introduced in fuse_version_script. The master branch kept these
symbols in the 3.18 section, which now causes an ABI issue with the
3.18 release. This commit attempts to fix that and creates the
3.17.3 section in the master and 3.18.x branch.

Closes: libfuse#1397
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
The 3.18.0 ABI issue came up as we didn't have an ABI
check against the previous release.

The suppressions file needed to compare to the previous version
is also used for the existing ABI check - this will reduce false
positives.

This will fail ABI checks against libfuse-3.18.0, as some
symbols in 3.18.0 were marked as the wrong version.

Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
(cherry picked from commit fef7822)
Two bugs in fuse_uring_init_queue():

1. numa_alloc_local() return values are not checked. On allocation
   failure the code proceeds with NULL pointers, causing a NULL pointer
   dereference when the SQE registration subsequently accesses the
   header/payload buffers.

2. When fuse_uring_register_queue() fails, the function falls through
   to return queue->ring.ring_fd (success) instead of propagating the
   error. The NUMA allocations are then leaked, and the caller uses a
   broken queue for I/O.

Fix by returning -ENOMEM on allocation failure and returning the error
from fuse_uring_register_queue() on registration failure. In both cases,
cleanup (including NUMA frees and eventfd close) is delegated to
fuse_session_destruct_uring() via the fuse_uring_start() error path —
which is the intended cleanup owner for this subsystem.

Fixes CVE-2026-33179

Signed-off-by: Abhinav Agarwal <abhinav.agarwal@rubrik.com>
In fuse_uring_start(), the error path called fuse_session_destruct_uring()
which frees fuse_ring, then stored the freed pointer in se->uring.pool.
On session shutdown, the session loop cleanup checks if (se->uring.pool)
and calls fuse_uring_stop() — dereferencing the freed memory (use-after-free).

Fix by setting se->uring.pool = NULL in the error path so the cleanup
check is skipped. Also add a NULL guard before the destruct call to handle
the case where fuse_create_ring() itself returns NULL, which would cause
a NULL pointer dereference at fuse_ring->nr_queues.

Fixes CVE-2026-33150

Signed-off-by: Abhinav Agarwal <abhinav.agarwal@rubrik.com>
# Conflicts:
#	.github/workflows/abicheck.yml
#	.github/workflows/checkpatch.yml
#	.github/workflows/codeql.yml
#	.github/workflows/codespell.yml
#	.github/workflows/iwyi-check.yml
#	.github/workflows/pr-ci.yml
#	AUTHORS
#	ChangeLog.rst
#	example/meson.build
#	example/passthrough.c
#	example/passthrough_hp.cc
#	include/fuse_common.h
#	lib/fuse.c
#	lib/fuse_i.h
#	lib/fuse_loop_mt.c
#	lib/fuse_lowlevel.c
#	lib/fuse_versionscript
#	lib/meson.build
#	lib/mount.c
#	lib/mount_bsd.c
#	lib/util.c
#	lib/util.h
#	meson.build
#	test/ci-build.sh
#	test/hello.c
#	test/meson.build
#	test/test_syscalls.c
#	test/test_write_cache.c
#	util/fusermount.c