lxcfs: handle NULL path in lxcfs_releasedir/lxcfs_release

[deleriux]

This fixes SEGV in lxcfs_release/releasedir when path=NULL.
Avoid the use of paths doing the release and prefer to inspect the type file_info struct.
Print an error in the case no valid type can be detected.

[deleriux]

This is the method I've approached this problem with we discussed yesterday.
I fleshed out the file type checks with some simple defines, then created a inline function to inspect the file type internally.

The release/releasedir code now primarily uses this mechanism to release files back to memory. It spits an error in the event it doesn't know what to do.

Flush is a noop so no work was required.

Might be a nice-to-have to extend the same checks into other callbacks as its a little quicker than a strcmp(), but that isn't the concern of this fix.

This still needs testing properly somewhere, I'll roll it out onto my own test systems tomorrow and check its not blowing up massively or leaking memory somehow.

[mihalicyn]

it makes no sense to add this here, as we discussed before, cfg is always initialized by zeroes. If you want to add this just to make the code more explicit, then we need to explicitly initialize all other options from cfg structure, IMHO.

[deleriux]

Dropped this change, agree its unnecessary and implies a cause where none exists.

[mihalicyn]

extra spaces after ;

[deleriux]

Fixed

[mihalicyn]

This commit cb5f18a looks strange because later you are removing files from it 27f2cfd

Hint: you can use git rebase -i HEAD~N_commits to edit particular commits, and also you can use git add -i (interactive staging) simplify splitting changes between commits. Then git push -f for PR update.

[deleriux]

Thanks. Whilst I'm fairly proficient in C my git-etiquette is not unfortunately that great! I'll try to clean up my commits and remove the bits that are unnecessary.

As you can tell I took an indirect approach at first (to preserve the dlopen() consistency) but in the end I dont think it is necessary, extends the API without offering much to the end user and the extra runtime linker steps make it a slower constant approach than the strcmp() method.

I felt going to the effort of doing type-checks should at least potentially result in a slightly faster overall runtime experience.

[mihalicyn]

I'm not sure that it's safe to change the start value of this enum. Cause we support live lxc library reload after this change LXC_TYPE_CGDIR becomes 1 instead of 0. These values getting placed in the memory and kept between library reloads. So, let's not change this enum declaration at all. You can just place a comment inside enum definition which attracts developer attention to the macros LXCFS_TYPE_CGROUP, LXCFS_TYPE_PROC, LXCFS_TYPE_SYS.

[deleriux]

I agree here, totally didn't think of the case of reloading.

Generally we restart the service and rebind the mounts in the containers - there is a neat way to do this without restarting the containers, I'm still developing the software but am happy to share it later down the line.

[mihalicyn]

I agree here, totally didn't think of the case of reloading.

Generally we restart the service and rebind the mounts in the containers - there is a neat way to do this without restarting the containers, I'm still developing the software but am happy to share it later down the line.

great! I'm working on a way to recover the lxcfs from crashes another way. With preserving fuse connection between userspace and kernel. It's also not ready yet :)

[brauner]

I'm not sure that it's safe to change the start value of this enum. Cause we support live lxc library reload after this change LXC_TYPE_CGDIR becomes 1 instead of 0. These values getting placed in the memory and kept between library reloads. So, let's not change this enum declaration at all.

I think we should explictly number it though. That's what I do nowadays for all enums I add becuase it eliminates a whole bunch of subtle bugs if you force the numbering.

[mihalicyn]

#define LXCFS_TYPE_OK(type) (type > LXC_TYPE_START && type < LXC_TYPE_END), correct?

But anyway, I think we don't need to have this separate values LXC_TYPE_START and LXC_TYPE_END.

#define LXCFS_TYPE_OK(type) (type >= LXC_TYPE_CGDIR && type <= LXC_TYPE_SYS_DEVICES_SYSTEM_CPU_ONLINE) looks sufficient

[deleriux]

I saw and fixed this one earlier (the range checks being incorrect) might be best practice to keep the LXC_TYPE_END, it prevents needing to adjust LXCFS_TYPE_OK macro later on in the future and its pretty obvious to anyone going forwards not to add to the end of it.

[mihalicyn]

agree with you :)

[mihalicyn]

you don't need extra \n as lxcfs_error prints a new line automatically

[deleriux]

Fixed in latest commit.

[mihalicyn]

\n is excess

[deleriux]

And again.

[deleriux]

I've made the changes and cleaned up the commit history somewhat. I'll test the deployment out and see how it fares today.

[mihalicyn]

#define LXCFS_TYPE_OK(type) (type >= LXC_TYPE_CGDIR && type < LXC_TYPE_END)?

[deleriux]

Spotted and fixed myself already. Thanks.

[mihalicyn]

lxcfs_error already prints the function name from where it's called ;)

[deleriux]

Fixed

[mihalicyn]

function name is already printed inside the lxcfs_error

[deleriux]

Fixed

[mihalicyn]

Thanks @deleriux for working on that. I think it's also important to mention in the commit message and PR description that you are trying to fix SEGV with this patch :) Because right now, at first glance, it looks just like an improvement. But in fact, this is a bugfix. Let's rename PR too to reflect the reason why you are doing all of that :)

[mihalicyn]

Let's call other reviewers :)

cc @tych0

[mihalicyn]

the first line in the commit message should be like lxcfs: handle NULL path in lxcfs_releasedir/lxcfs_release.

And please rename PR accordingly.

[deleriux]

../src/lxcfs.c: 813: lxcfs_releasedir: unknown file type: path=/proc, type=-1
Looks like there is more work here to do to handle base paths in /proc which aren't typically designated with a type themselves.

[deleriux]

Fixed the latest minor niggle. There is no need to check for this in lxcfs_release since the inode is always a directory.
I also changed the commit message as reflected.

[mihalicyn]

you don't need this check at all then. Cause for /proc directory we don't fill fi with any info in lxcfs_opendir:

static int lxcfs_opendir(const char *path, struct fuse_file_info *fi)
{
	int ret;

	if (strcmp(path, "/") == 0)
		return 0; // don't touch "fi"

	if (strncmp(path, "/cgroup", 7) == 0) {
		up_users();
		ret = do_cg_opendir(path, fi); // << fills "fi" with something
		down_users();
		return ret;
	}

	if (strcmp(path, "/proc") == 0)
		return 0; // don't touch "fi"

	if (strncmp(path, "/sys", 4) == 0) {
		up_users();
		ret = do_sys_opendir(path, fi); // << fills "fi" with something
		down_users();
		return ret;
	}

	return -ENOENT;
}

[deleriux]

Excellent point. I should try to extend my head-logic a bit further ;). Updated.

[mihalicyn]

LGTM

Thanks!

[mihalicyn]

And yes, one small suggestion. We can replace lxcfs_error("unknown file type: path=%s, type=%d", path, type); to lxcfs_error("unknown file type: path=%s, type=%d, fi->fh=%" PRIu64, path, type, fi->fh);

[deleriux]

Fixed to include the pointer address. I assume you really only care if its a 0 or close to it though...

[mihalicyn]

Fixed to include the pointer address. I assume you really only care if its a 0 or close to it though...

in fact yes. But if we will have a coredump in a particular case this address may help to debug.

[mihalicyn]

type= to fi->fh=

[deleriux]

oof.. thanks.

[brauner]

Traditionally, we've suffixed things like that with MAX so I'd prefer LXC_TYPE_MAX.

[deleriux]

Changed style from END to MAX.

[deleriux]

Added the requested comment also.

[brauner]

This is error prone as it depends on ordering in the enum. The ordering isn't enforced however. So there needs to be at least a comment on top of the enum explaining this. Also, we should explicitly number the enum. This also makes it harder to accidently break ordering requirements.

[mihalicyn]

I thought about that too, after we extend this enum with new possible values it will be needed to fix these macros like that:
#define LXCFS_TYPE_PROC(type) ((type >= LXC_TYPE_PROC_MEMINFO && type <= LXC_TYPE_PROC_SLABINFO) || type == LXC_TYPE_PROC_SOMETHING). Not so fancy, but...

[mihalicyn]

Technically, right now it's also not correct to add new values in between the enum. Cause we can perform reloading of liblxcfs in between open and close of the file descriptor. Then because enum values shift, some condition checks may become incorrect. For example https://github.com/lxc/lxcfs/blob/master/src/sysfs_fuse.c#L372

[deleriux]

I also did give this some thought beforehand. I thought some ways to do this could be..

1. re-order the enum numbering explicitly granting space for future files. IE

enum lxcfs_virt_t { 
  LXC_TYPE_CGROUP_BASE = 0x00000,
...
  LXC_TYPE_CGROUP_MAX,

  LXC_TYPE_PROC_BASE = 0x10000,
...
  LXC_TYPE_PROC_MAX,

  LXC_TYPE_SYS_BASE = 0x20000,
...
  LXC_TYPE_SYS_MAX,
}

2. extend file_info to include a 'class' parameter, ditch the defines, remove file_info_type in favour of file_info_class.

For 2. Obviously you'd basically have to go through every file type already configured and put them in the right class, but at that point ordering no longer matters as you're relying on a different set of metadata to work out what goes where..

Also you could hijack the unused file_info.buf pointer and change it to a unsigned char abi_version[sizeof(char *)] that you could check going forwards. This would let you conditionally and smartly extend the runtime ABI yet be able to deal with previous versions of the ABI changing.
This is of course assuming *buf is zeroed on initialization currently (version 0 implictly).
This also felt like a whole load of architectural work for what is essentially a bugfix!

For 1. Its much simpler to implement and prevents in the future having to make a headache again. That however breaks the ABI in a manner which would not survive a reload so didn't imagine that would get any traction..

[deleriux]

Just also thought you could actually do LXC_TYPE_BASE = 0x00000, copy all the file types as-is, then have new namespaces for each type and defines for which you use going forwards. That gives you both the means to maintain reload compatibility by checking if the type is in a 'base' namespace or the given correct namespace.

Its a little janky but probably simpler than doing some abi extension.

[brauner]

For now just leaving a comment is fine. We just want to fix the immediate bug. Reworking it to something better should be a separate step. But feel free to follow this up with a series.

[deleriux]

Added the requested comment above the enum indicating only appending to the bottom (above LXC_TYPE_MAX).

[tych0]

Can you talk about what case the path would be null? At first glance this seems like a weird call for libfuse to make.

[mihalicyn]

Can you talk about what case the path would be null? At first glance this seems like a weird call for libfuse to make.

#575 (comment)

[tych0]

So I guess it's really the kernel, not libfuse, that's triggering these, given that they're just passthroughs from libfuse? I still don't understand why, but maybe it's a mystery for the ages...

[mihalicyn]

So I guess it's really the kernel, not libfuse, that's triggering these, given that they're just passthroughs from libfuse? I still don't understand why, but maybe it's a mystery for the ages...

As far as I know, the kernel doesn't know anything about the path, or, speaking more correctly, the kernel gives the path from open*() syscalls to fuse daemon only for the first time through a FUSE_LOOKUP [1] request, then userspace should provide the kernel with inode number for this file descriptor. The later kernel will only send this number as file identification [2]. So, libfuse handles this path resolve for our convenience. I feel that we have some bugs in libfuse, we have to add some workaround in our code to prevent crashes at least, IMHO.

[1] https://github.com/torvalds/linux/blob/764822972d64e7f3e6792278ecc7a3b3c81087cd/fs/fuse/dir.c#L190
[2] https://github.com/torvalds/linux/blob/764822972d64e7f3e6792278ecc7a3b3c81087cd/fs/fuse/file.c#L40

[tych0]

Yeah, that's what I was wondering about. Makes sense, thanks. Patch LGTM.