git: 5d42c8813976 - main - fusefs: fix page fault triggered by async notification when unmounted
Date: Sun, 26 Oct 2025 16:45:08 UTC
The branch main has been updated by asomers:
URL: https://cgit.FreeBSD.org/src/commit/?id=5d42c8813976af484fd3e9a896c7839ba27ca764
commit 5d42c8813976af484fd3e9a896c7839ba27ca764
Author: Alan Somers <asomers@FreeBSD.org>
AuthorDate: 2025-10-26 00:37:02 +0000
Commit: Alan Somers <asomers@FreeBSD.org>
CommitDate: 2025-10-26 16:44:27 +0000
fusefs: fix page fault triggered by async notification when unmounted
A FUSE daemon can send asynchronous notifications to the kernel in order
to, for example, invalidate an inode's cache. Fix a page fault that can
happen if the file system isn't yet mounted, or is already unmounted,
when that notification arrives.
PR: 290519
MFC after: 1 week
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D53356
---
sys/fs/fuse/fuse_device.c | 7 ++++++
tests/sys/fs/fusefs/mockfs.cc | 4 +++-
tests/sys/fs/fusefs/mockfs.hh | 4 +++-
tests/sys/fs/fusefs/notify.cc | 56 +++++++++++++++++++++++++++++++++++++++++++
4 files changed, 69 insertions(+), 2 deletions(-)
diff --git a/sys/fs/fuse/fuse_device.c b/sys/fs/fuse/fuse_device.c
index 75bc0357571f..cee477865c42 100644
--- a/sys/fs/fuse/fuse_device.c
+++ b/sys/fs/fuse/fuse_device.c
@@ -550,6 +550,13 @@ fuse_device_write(struct cdev *dev, struct uio *uio, int ioflag)
} else if (ohead.unique == 0){
/* unique == 0 means asynchronous notification */
SDT_PROBE1(fusefs, , device, fuse_device_write_notify, &ohead);
+ if (data->mp == NULL) {
+ SDT_PROBE2(fusefs, , device, trace, 1,
+ "asynchronous notification before mount"
+ " or after unmount");
+ return (EXTERROR(ENODEV,
+ "This FUSE session is not mounted"));
+ }
mp = data->mp;
vfs_ref(mp);
err = vfs_busy(mp, 0);
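Review bot: The added guard reads `data->mp` once for the NULL test and the context line below reads it again for `mp = data->mp`, with no lock visible in the hunk between the two reads. If unmount can clear `data->mp` while a write to the device is in flight, the second read may still yield NULL and `vfs_ref(mp)` would fault as before. I would load the pointer once and test the local, i.e. move `mp = data->mp;` above the check and write `if (mp == NULL) {`. Whether a session lock must also be held across the load and `vfs_ref()` depends on code outside this hunk, since fuse_device_write starts and ends beyond it, and that rule deserves a one-line comment here.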
diff --git a/tests/sys/fs/fusefs/mockfs.cc b/tests/sys/fs/fusefs/mockfs.cc
index e8081dea9604..55c191716629 100644
--- a/tests/sys/fs/fusefs/mockfs.cc
+++ b/tests/sys/fs/fusefs/mockfs.cc
@@ -827,10 +827,12 @@ void MockFS::loop() {
}
}
-int MockFS::notify_inval_entry(ino_t parent, const char *name, size_t namelen)
+int MockFS::notify_inval_entry(ino_t parent, const char *name, size_t namelen,
+ int expected_errno)
{
std::unique_ptr<mockfs_buf_out> out(new mockfs_buf_out);
+ out->expected_errno = expected_errno;
out->header.unique = 0; /* 0 means asynchronous notification */
out->header.error = FUSE_NOTIFY_INVAL_ENTRY;
out->body.inval_entry.parent = parent;
diff --git a/tests/sys/fs/fusefs/mockfs.hh b/tests/sys/fs/fusefs/mockfs.hh
index ba6f7fded9d0..4b0628d34dd7 100644
--- a/tests/sys/fs/fusefs/mockfs.hh
+++ b/tests/sys/fs/fusefs/mockfs.hh
@@ -390,8 +390,10 @@ class MockFS {
* @param parent Parent directory's inode number
* @param name name of dirent to invalidate
* @param namelen size of name, including the NUL
+ * @param expected_errno The error that write() should return
*/
- int notify_inval_entry(ino_t parent, const char *name, size_t namelen);
+ int notify_inval_entry(ino_t parent, const char *name, size_t namelen,
+ int expected_errno = 0);
/*
* Send an asynchronous notification to invalidate an inode's cached
diff --git a/tests/sys/fs/fusefs/notify.cc b/tests/sys/fs/fusefs/notify.cc
index 1e22bde13db7..d370a1e6e706 100644
--- a/tests/sys/fs/fusefs/notify.cc
+++ b/tests/sys/fs/fusefs/notify.cc
@@ -385,6 +385,27 @@ TEST_F(Notify, inval_inode_with_clean_cache)
leak(fd);
}
+/*
+ * Attempting to invalidate an entry or inode after unmounting should fail, but
+ * nothing bad should happen.
+ * https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=290519
+ */
+TEST_F(Notify, notify_after_unmount)
+{
+ const static char *name = "foo";
+ struct inval_entry_args iea;
+
+ expect_destroy(0);
+
+ m_mock->unmount();
+
+ iea.mock = m_mock;
+ iea.parent = FUSE_ROOT_ID;
+ iea.name = name;
+ iea.namelen = strlen(name);
+ iea.mock->notify_inval_entry(iea.parent, iea.name, iea.namelen, ENODEV);
+}
+
/* FUSE_NOTIFY_STORE with a file that's not in the entry cache */
/* disabled because FUSE_NOTIFY_STORE is not yet implemented */
TEST_F(Notify, DISABLED_store_nonexistent)
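Review bot: In notify_after_unmount the int returned by `notify_inval_entry(...)` is discarded, so the ENODEV expectation is enforced only if the mock's write path compares the result against `out->expected_errno`. The mockfs.cc hunk shows the field being stored but not checked, so it is worth confirming that a mismatch fails the test rather than being silently ignored. The `iea` struct is also filled only to be read back on the next line; `m_mock->notify_inval_entry(FUSE_ROOT_ID, name, strlen(name), ENODEV);` says the same thing directly. Finally, `strlen(name)` excludes the NUL while the mockfs.hh comment describes namelen as "including the NUL", so one of the two should be corrected.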
@@ -544,3 +565,38 @@ TEST_F(NotifyWriteback, inval_inode_attrs_only)
leak(fd);
}
+
+/*
+ * Attempting asynchronous invalidation of an Entry before mounting the file
+ * system should fail, but nothing bad should happen.
+ *
+ * Note that invalidating an inode before mount goes through the same path, and
+ * is not separately tested.
+ *
+ * https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=290519
+ */
+TEST(PreMount, inval_entry_before_mount)
+{
+ const static char name[] = "foo";
+ size_t namelen = strlen(name);
+ struct mockfs_buf_out *out;
+ int r;
+ int fuse_fd;
+
+ fuse_fd = open("/dev/fuse", O_CLOEXEC | O_RDWR);
+ ASSERT_GE(fuse_fd, 0) << strerror(errno);
+
+ out = new mockfs_buf_out;
+ out->header.unique = 0; /* 0 means asynchronous notification */
+ out->header.error = FUSE_NOTIFY_INVAL_ENTRY;
+ out->body.inval_entry.parent = FUSE_ROOT_ID;
+ out->body.inval_entry.namelen = namelen;
+ strlcpy((char*)&out->body.bytes + sizeof(out->body.inval_entry),
+ name, sizeof(out->body.bytes) - sizeof(out->body.inval_entry));
+ out->header.len = sizeof(out->header) + sizeof(out->body.inval_entry) +
+ namelen;
+ r = write(fuse_fd, out, out->header.len);
+ EXPECT_EQ(-1, r);
+ EXPECT_EQ(ENODEV, errno);
+ delete out;
+}
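Review bot: `fuse_fd` is opened in inval_entry_before_mount but never closed, so the test leaks a /dev/fuse descriptor into whatever runs next in the same process; add `close(fuse_fd);` before the final brace. The buffer uses raw `new`/`delete`, whereas MockFS::notify_inval_entry in mockfs.cc holds it in a `std::unique_ptr`; `std::unique_ptr<mockfs_buf_out> out(new mockfs_buf_out);` would match and stay leak-free if an ASSERT is later added after the allocation. Unless mockfs_buf_out has a constructor that zeroes it (not visible here), any inval_entry member other than `parent` and `namelen` is written to the kernel uninitialized, so value-initializing with `new mockfs_buf_out()` is safer. `errno` is also best copied into a local immediately after `write()` so the preceding `EXPECT_EQ(-1, r)` cannot disturb it.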