On Thu, Dec 5, 2024 at 4:43 PM Jeff Layton <jlayton@xxxxxxxxxxxxxxx> wrote: > > On Thu, 2024-11-14 at 11:13 -0800, Joanne Koong wrote: > > Introduce two new sysctls, "default_request_timeout" and > > "max_request_timeout". These control how long (in minutes) a server can > > take to reply to a request. If the server does not reply by the timeout, > > then the connection will be aborted. > > > > Is this patch really needed? You have a per-mount limit already, do we > need a global default and max? Yes, I do think this patch would be useful. Since fuse servers can run unprivileged, I think giving system admins some way to enforce a default and max limit that applies automatically to all fuse servers would help protect against malicious or buggy servers on the system. > > Also, ditto here wrt seconds vs. minutes. If these *are* needed, then > having them expressed in seconds would be more intuitive for most > admins. Noted. I'll change this to seconds in the next iteration of this patchset. > > > > "default_request_timeout" sets the default timeout if no timeout is > > specified by the fuse server on mount. 0 (default) indicates no default > > timeout should be enforced. If the server did specify a timeout, then > > default_request_timeout will be ignored. > > > > "max_request_timeout" sets the max amount of time the server may take to > > reply to a request. 0 (default) indicates no maximum timeout. If > > max_request_timeout is set and the fuse server attempts to set a > > timeout greater than max_request_timeout, the system will use > > max_request_timeout as the timeout. Similarly, if default_request_timeout > > is greater than max_request_timeout, the system will use > > max_request_timeout as the timeout. If the server does not request a > > timeout and default_request_timeout is set to 0 but max_request_timeout > > is set, then the timeout will be max_request_timeout. > > > > Please note that these timeouts are not 100% precise. The request may > > take an extra FUSE_TIMEOUT_TIMER_FREQ seconds beyond the set max timeout > > due to how it's internally implemented. > > > > $ sysctl -a | grep fuse.default_request_timeout > > fs.fuse.default_request_timeout = 0 > > > > $ echo 65536 | sudo tee /proc/sys/fs/fuse/default_request_timeout > > tee: /proc/sys/fs/fuse/default_request_timeout: Invalid argument > > > > $ echo 65535 | sudo tee /proc/sys/fs/fuse/default_request_timeout > > 65535 > > > > $ sysctl -a | grep fuse.default_request_timeout > > fs.fuse.default_request_timeout = 65535 > > > > $ echo 0 | sudo tee /proc/sys/fs/fuse/default_request_timeout > > 0 > > > > $ sysctl -a | grep fuse.default_request_timeout > > fs.fuse.default_request_timeout = 0 > > > > Signed-off-by: Joanne Koong <joannelkoong@xxxxxxxxx> > > Reviewed-by: Bernd Schubert <bschubert@xxxxxxx> > > --- > > Documentation/admin-guide/sysctl/fs.rst | 27 +++++++++++++++++++++++++ > > fs/fuse/fuse_i.h | 10 +++++++++ > > fs/fuse/inode.c | 16 +++++++++++++-- > > fs/fuse/sysctl.c | 20 ++++++++++++++++++ > > 4 files changed, 71 insertions(+), 2 deletions(-) > > > > diff --git a/Documentation/admin-guide/sysctl/fs.rst b/Documentation/admin-guide/sysctl/fs.rst > > index fa25d7e718b3..790a34291467 100644 > > --- a/Documentation/admin-guide/sysctl/fs.rst > > +++ b/Documentation/admin-guide/sysctl/fs.rst > > @@ -342,3 +342,30 @@ filesystems: > > ``/proc/sys/fs/fuse/max_pages_limit`` is a read/write file for > > setting/getting the maximum number of pages that can be used for servicing > > requests in FUSE. > > + > > +``/proc/sys/fs/fuse/default_request_timeout`` is a read/write file for > > +setting/getting the default timeout (in minutes) for a fuse server to > > +reply to a kernel-issued request in the event where the server did not > > +specify a timeout at mount. If the server set a timeout, > > +then default_request_timeout will be ignored. The default > > +"default_request_timeout" is set to 0. 0 indicates a no-op (eg > > +requests will not have a default request timeout set if no timeout was > > +specified by the server). > > + > > +``/proc/sys/fs/fuse/max_request_timeout`` is a read/write file for > > +setting/getting the maximum timeout (in minutes) for a fuse server to > > +reply to a kernel-issued request. A value greater than 0 automatically opts > > +the server into a timeout that will be at most "max_request_timeout", even if > > +the server did not specify a timeout and default_request_timeout is set to 0. > > +If max_request_timeout is greater than 0 and the server set a timeout greater > > +than max_request_timeout or default_request_timeout is set to a value greater > > +than max_request_timeout, the system will use max_request_timeout as the > > +timeout. 0 indicates a no-op (eg requests will not have an upper bound on the > > +timeout and if the server did not request a timeout and default_request_timeout > > +was not set, there will be no timeout). > > + > > +Please note that for the timeout options, if the server does not respond to > > +the request by the time the timeout elapses, then the connection to the fuse > > +server will be aborted. Please also note that the timeouts are not 100% > > +precise (eg you may set 10 minutes but the timeout may kick in after 11 > > +minutes). > > diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h > > index 9092201c4e0b..e82ddff8d752 100644 > > --- a/fs/fuse/fuse_i.h > > +++ b/fs/fuse/fuse_i.h > > @@ -46,6 +46,16 @@ > > > > /** Maximum of max_pages received in init_out */ > > extern unsigned int fuse_max_pages_limit; > > +/* > > + * Default timeout (in minutes) for the server to reply to a request > > + * before the connection is aborted, if no timeout was specified on mount. > > + */ > > +extern unsigned int fuse_default_req_timeout; > > +/* > > + * Max timeout (in minutes) for the server to reply to a request before > > + * the connection is aborted. > > + */ > > +extern unsigned int fuse_max_req_timeout; > > > > /** List of active connections */ > > extern struct list_head fuse_conn_list; > > diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c > > index ee006f09cd04..1e7cc6509e42 100644 > > --- a/fs/fuse/inode.c > > +++ b/fs/fuse/inode.c > > @@ -36,6 +36,9 @@ DEFINE_MUTEX(fuse_mutex); > > static int set_global_limit(const char *val, const struct kernel_param *kp); > > > > unsigned int fuse_max_pages_limit = 256; > > +/* default is no timeout */ > > +unsigned int fuse_default_req_timeout = 0; > > +unsigned int fuse_max_req_timeout = 0; > > > > unsigned max_user_bgreq; > > module_param_call(max_user_bgreq, set_global_limit, param_get_uint, > > @@ -1701,8 +1704,17 @@ EXPORT_SYMBOL_GPL(fuse_init_fs_context_submount); > > > > static void fuse_init_fc_timeout(struct fuse_conn *fc, struct fuse_fs_context *ctx) > > { > > - if (ctx->req_timeout) { > > - if (check_mul_overflow(ctx->req_timeout * 60, HZ, &fc->timeout.req_timeout)) > > + unsigned int timeout = ctx->req_timeout ?: fuse_default_req_timeout; > > + > > + if (fuse_max_req_timeout) { > > + if (!timeout) > > + timeout = fuse_max_req_timeout; > > + else > > + timeout = min(timeout, fuse_max_req_timeout); > > + } > > + > > + if (timeout) { > > + if (check_mul_overflow(timeout * 60, HZ, &fc->timeout.req_timeout)) > > fc->timeout.req_timeout = ULONG_MAX; > > timer_setup(&fc->timeout.timer, fuse_check_timeout, 0); > > mod_timer(&fc->timeout.timer, jiffies + FUSE_TIMEOUT_TIMER_FREQ); > > diff --git a/fs/fuse/sysctl.c b/fs/fuse/sysctl.c > > index b272bb333005..6a9094e17950 100644 > > --- a/fs/fuse/sysctl.c > > +++ b/fs/fuse/sysctl.c > > @@ -13,6 +13,8 @@ static struct ctl_table_header *fuse_table_header; > > /* Bound by fuse_init_out max_pages, which is a u16 */ > > static unsigned int sysctl_fuse_max_pages_limit = 65535; > > > > +static unsigned int sysctl_fuse_max_req_timeout_limit = U16_MAX; > > + > > static struct ctl_table fuse_sysctl_table[] = { > > { > > .procname = "max_pages_limit", > > @@ -23,6 +25,24 @@ static struct ctl_table fuse_sysctl_table[] = { > > .extra1 = SYSCTL_ONE, > > .extra2 = &sysctl_fuse_max_pages_limit, > > }, > > + { > > + .procname = "default_request_timeout", > > + .data = &fuse_default_req_timeout, > > + .maxlen = sizeof(fuse_default_req_timeout), > > + .mode = 0644, > > + .proc_handler = proc_douintvec_minmax, > > + .extra1 = SYSCTL_ZERO, > > + .extra2 = &sysctl_fuse_max_req_timeout_limit, > > + }, > > + { > > + .procname = "max_request_timeout", > > + .data = &fuse_max_req_timeout, > > + .maxlen = sizeof(fuse_max_req_timeout), > > + .mode = 0644, > > + .proc_handler = proc_douintvec_minmax, > > + .extra1 = SYSCTL_ZERO, > > + .extra2 = &sysctl_fuse_max_req_timeout_limit, > > + }, > > }; > > > > int fuse_sysctl_register(void) > > -- > Jeff Layton <jlayton@xxxxxxxxxxxxxxx>