On Thu, 2024-11-14 at 11:13 -0800, Joanne Koong wrote: > Introduce two new sysctls, "default_request_timeout" and > "max_request_timeout". These control how long (in minutes) a server can > take to reply to a request. If the server does not reply by the timeout, > then the connection will be aborted. > Is this patch really needed? You have a per-mount limit already, do we need a global default and max? Also, ditto here wrt seconds vs. minutes. If these *are* needed, then having them expressed in seconds would be more intuitive for most admins. > "default_request_timeout" sets the default timeout if no timeout is > specified by the fuse server on mount. 0 (default) indicates no default > timeout should be enforced. If the server did specify a timeout, then > default_request_timeout will be ignored. > > "max_request_timeout" sets the max amount of time the server may take to > reply to a request. 0 (default) indicates no maximum timeout. If > max_request_timeout is set and the fuse server attempts to set a > timeout greater than max_request_timeout, the system will use > max_request_timeout as the timeout. Similarly, if default_request_timeout > is greater than max_request_timeout, the system will use > max_request_timeout as the timeout. If the server does not request a > timeout and default_request_timeout is set to 0 but max_request_timeout > is set, then the timeout will be max_request_timeout. > > Please note that these timeouts are not 100% precise. The request may > take an extra FUSE_TIMEOUT_TIMER_FREQ seconds beyond the set max timeout > due to how it's internally implemented. > > $ sysctl -a | grep fuse.default_request_timeout > fs.fuse.default_request_timeout = 0 > > $ echo 65536 | sudo tee /proc/sys/fs/fuse/default_request_timeout > tee: /proc/sys/fs/fuse/default_request_timeout: Invalid argument > > $ echo 65535 | sudo tee /proc/sys/fs/fuse/default_request_timeout > 65535 > > $ sysctl -a | grep fuse.default_request_timeout > fs.fuse.default_request_timeout = 65535 > > $ echo 0 | sudo tee /proc/sys/fs/fuse/default_request_timeout > 0 > > $ sysctl -a | grep fuse.default_request_timeout > fs.fuse.default_request_timeout = 0 > > Signed-off-by: Joanne Koong <joannelkoong@xxxxxxxxx> > Reviewed-by: Bernd Schubert <bschubert@xxxxxxx> > --- > Documentation/admin-guide/sysctl/fs.rst | 27 +++++++++++++++++++++++++ > fs/fuse/fuse_i.h | 10 +++++++++ > fs/fuse/inode.c | 16 +++++++++++++-- > fs/fuse/sysctl.c | 20 ++++++++++++++++++ > 4 files changed, 71 insertions(+), 2 deletions(-) > > diff --git a/Documentation/admin-guide/sysctl/fs.rst b/Documentation/admin-guide/sysctl/fs.rst > index fa25d7e718b3..790a34291467 100644 > --- a/Documentation/admin-guide/sysctl/fs.rst > +++ b/Documentation/admin-guide/sysctl/fs.rst > @@ -342,3 +342,30 @@ filesystems: > ``/proc/sys/fs/fuse/max_pages_limit`` is a read/write file for > setting/getting the maximum number of pages that can be used for servicing > requests in FUSE. > + > +``/proc/sys/fs/fuse/default_request_timeout`` is a read/write file for > +setting/getting the default timeout (in minutes) for a fuse server to > +reply to a kernel-issued request in the event where the server did not > +specify a timeout at mount. If the server set a timeout, > +then default_request_timeout will be ignored. The default > +"default_request_timeout" is set to 0. 0 indicates a no-op (eg > +requests will not have a default request timeout set if no timeout was > +specified by the server). > + > +``/proc/sys/fs/fuse/max_request_timeout`` is a read/write file for > +setting/getting the maximum timeout (in minutes) for a fuse server to > +reply to a kernel-issued request. A value greater than 0 automatically opts > +the server into a timeout that will be at most "max_request_timeout", even if > +the server did not specify a timeout and default_request_timeout is set to 0. > +If max_request_timeout is greater than 0 and the server set a timeout greater > +than max_request_timeout or default_request_timeout is set to a value greater > +than max_request_timeout, the system will use max_request_timeout as the > +timeout. 0 indicates a no-op (eg requests will not have an upper bound on the > +timeout and if the server did not request a timeout and default_request_timeout > +was not set, there will be no timeout). > + > +Please note that for the timeout options, if the server does not respond to > +the request by the time the timeout elapses, then the connection to the fuse > +server will be aborted. Please also note that the timeouts are not 100% > +precise (eg you may set 10 minutes but the timeout may kick in after 11 > +minutes). > diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h > index 9092201c4e0b..e82ddff8d752 100644 > --- a/fs/fuse/fuse_i.h > +++ b/fs/fuse/fuse_i.h > @@ -46,6 +46,16 @@ > > /** Maximum of max_pages received in init_out */ > extern unsigned int fuse_max_pages_limit; > +/* > + * Default timeout (in minutes) for the server to reply to a request > + * before the connection is aborted, if no timeout was specified on mount. > + */ > +extern unsigned int fuse_default_req_timeout; > +/* > + * Max timeout (in minutes) for the server to reply to a request before > + * the connection is aborted. > + */ > +extern unsigned int fuse_max_req_timeout; > > /** List of active connections */ > extern struct list_head fuse_conn_list; > diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c > index ee006f09cd04..1e7cc6509e42 100644 > --- a/fs/fuse/inode.c > +++ b/fs/fuse/inode.c > @@ -36,6 +36,9 @@ DEFINE_MUTEX(fuse_mutex); > static int set_global_limit(const char *val, const struct kernel_param *kp); > > unsigned int fuse_max_pages_limit = 256; > +/* default is no timeout */ > +unsigned int fuse_default_req_timeout = 0; > +unsigned int fuse_max_req_timeout = 0; > > unsigned max_user_bgreq; > module_param_call(max_user_bgreq, set_global_limit, param_get_uint, > @@ -1701,8 +1704,17 @@ EXPORT_SYMBOL_GPL(fuse_init_fs_context_submount); > > static void fuse_init_fc_timeout(struct fuse_conn *fc, struct fuse_fs_context *ctx) > { > - if (ctx->req_timeout) { > - if (check_mul_overflow(ctx->req_timeout * 60, HZ, &fc->timeout.req_timeout)) > + unsigned int timeout = ctx->req_timeout ?: fuse_default_req_timeout; > + > + if (fuse_max_req_timeout) { > + if (!timeout) > + timeout = fuse_max_req_timeout; > + else > + timeout = min(timeout, fuse_max_req_timeout); > + } > + > + if (timeout) { > + if (check_mul_overflow(timeout * 60, HZ, &fc->timeout.req_timeout)) > fc->timeout.req_timeout = ULONG_MAX; > timer_setup(&fc->timeout.timer, fuse_check_timeout, 0); > mod_timer(&fc->timeout.timer, jiffies + FUSE_TIMEOUT_TIMER_FREQ); > diff --git a/fs/fuse/sysctl.c b/fs/fuse/sysctl.c > index b272bb333005..6a9094e17950 100644 > --- a/fs/fuse/sysctl.c > +++ b/fs/fuse/sysctl.c > @@ -13,6 +13,8 @@ static struct ctl_table_header *fuse_table_header; > /* Bound by fuse_init_out max_pages, which is a u16 */ > static unsigned int sysctl_fuse_max_pages_limit = 65535; > > +static unsigned int sysctl_fuse_max_req_timeout_limit = U16_MAX; > + > static struct ctl_table fuse_sysctl_table[] = { > { > .procname = "max_pages_limit", > @@ -23,6 +25,24 @@ static struct ctl_table fuse_sysctl_table[] = { > .extra1 = SYSCTL_ONE, > .extra2 = &sysctl_fuse_max_pages_limit, > }, > + { > + .procname = "default_request_timeout", > + .data = &fuse_default_req_timeout, > + .maxlen = sizeof(fuse_default_req_timeout), > + .mode = 0644, > + .proc_handler = proc_douintvec_minmax, > + .extra1 = SYSCTL_ZERO, > + .extra2 = &sysctl_fuse_max_req_timeout_limit, > + }, > + { > + .procname = "max_request_timeout", > + .data = &fuse_max_req_timeout, > + .maxlen = sizeof(fuse_max_req_timeout), > + .mode = 0644, > + .proc_handler = proc_douintvec_minmax, > + .extra1 = SYSCTL_ZERO, > + .extra2 = &sysctl_fuse_max_req_timeout_limit, > + }, > }; > > int fuse_sysctl_register(void) -- Jeff Layton <jlayton@xxxxxxxxxxxxxxx>