From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Jann Horn <jannh@google.com>,
	Miklos Szeredi <mszeredi@redhat.com>
Subject: [PATCH 5.4 30/43] fuse: fix pipe buffer lifetime for direct_io
Date: Mon, 14 Mar 2022 12:53:41 +0100
Message-ID: <20220314112735.266119159@linuxfoundation.org>
In-Reply-To: <20220314112734.415677317@linuxfoundation.org>

From: Miklos Szeredi <mszeredi@redhat.com>

commit 0c4bcfdecb1ac0967619ee7ff44871d93c08c909 upstream.

In FOPEN_DIRECT_IO mode, fuse_file_write_iter() calls
fuse_direct_write_iter(), which normally calls fuse_direct_io(), which then
imports the write buffer with fuse_get_user_pages(), which uses
iov_iter_get_pages() to grab references to userspace pages instead of
actually copying memory.

On the filesystem device side, these pages can then either be read to
userspace (via fuse_dev_read()), or splice()d over into a pipe using
fuse_dev_splice_read() as pipe buffers with &nosteal_pipe_buf_ops.

This is wrong because after fuse_dev_do_read() unlocks the FUSE request,
the userspace filesystem can mark the request as completed, causing write()
to return. At that point, the userspace filesystem should no longer have
access to the pipe buffer.

Fix by copying pages coming from the user address space to new pipe
buffers.

Reported-by: Jann Horn <jannh@google.com>
Fixes: c3021629a0d8 ("fuse: support splice() reading from fuse device")
Cc: <stable@vger.kernel.org>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/fuse/dev.c    |   12 +++++++++++-
 fs/fuse/file.c   |    1 +
 fs/fuse/fuse_i.h |    1 +
 3 files changed, 13 insertions(+), 1 deletion(-)

--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -933,7 +933,17 @@ static int fuse_copy_page(struct fuse_co
 
 	while (count) {
 		if (cs->write && cs->pipebufs && page) {
-			return fuse_ref_page(cs, page, offset, count);
+			/*
+			 * Can't control lifetime of pipe buffers, so always
+			 * copy user pages.
+			 */
+			if (cs->req->args->user_pages) {
+				err = fuse_copy_fill(cs);
+				if (err)
+					return err;
+			} else {
+				return fuse_ref_page(cs, page, offset, count);
+			}
 		} else if (!cs->len) {
 			if (cs->move_pages && page &&
 			    offset == 0 && count == PAGE_SIZE) {
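Review bot: the new `cs->req->args->user_pages` branch does not return, so it depends on the code after this if/else chain (outside the hunk) to memcpy from `page` into the pipe buffer that `fuse_copy_fill()` just attached, and it uses `err` without this hunk adding a declaration; confirm that `fuse_copy_page()` already declares `err` and that the fall-through copy is what runs next, otherwise the user page would be neither referenced nor copied. The comment `Can't control lifetime of pipe buffers, so always copy user pages.` would carry more weight if it stated the reason given in the commit message: once the request is completed and write() returns, the userspace caller may reuse those pages, so only a private copy may be handed to the pipe.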
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -1433,6 +1433,7 @@ static int fuse_get_user_pages(struct fu
 			(PAGE_SIZE - ret) & (PAGE_SIZE - 1);
 	}
 
+	ap->args.user_pages = true;
 	if (write)
 		ap->args.in_pages = 1;
 	else
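Review bot: `ap->args.user_pages = true;` is set unconditionally here, for both the read and the write direction, while the check in dev.c that consumes it runs only on the `cs->write && cs->pipebufs` path; that is harmless, but a one-line comment saying the flag marks pages borrowed from the user address space (and therefore never to be referenced from pipe buffers) would save the next reader a trip to fuse_copy_page(). Nothing in this patch clears the flag, so it relies on `struct fuse_args` being zero-initialised per request; worth confirming for any args embedded in a structure that is reused.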
--- a/fs/fuse/fuse_i.h
+++ b/fs/fuse/fuse_i.h
@@ -248,6 +248,7 @@ struct fuse_args {
 	bool nocreds:1;
 	bool in_pages:1;
 	bool out_pages:1;
+	bool user_pages:1;
 	bool out_argvar:1;
 	bool page_zeroing:1;
 	bool page_replace:1;
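Review bot: `bool user_pages:1;` is added without documenting what it means, yet it changes how the device side hands request pages to a pipe; a short comment on the field (for example that the in/out pages belong to the user address space and must be copied, not referenced, when spliced) would make the contract visible where the struct is defined rather than only in fuse_copy_page(). Placing it directly after `out_pages` keeps it next to the pair it qualifies, which reads well.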
