From: Miklos Szeredi <miklos@szeredi.hu>
To: Tycho Andersen <tycho@tycho.pizza>
Cc: Eric Biederman <ebiederm@xmission.com>,
Christian Brauner <brauner@kernel.org>,
fuse-devel <fuse-devel@lists.sourceforge.net>,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: strange interaction between fuse + pidns
Date: Mon, 11 Jul 2022 15:59:15 +0200 [thread overview]
Message-ID: <CAJfpegurW7==LEp2yXWMYdBYXTZN4HCMMVJPu-f8yvHVbu79xQ@mail.gmail.com> (raw)
In-Reply-To: <CAJfpegvH1EMS_469yOyUP9f=eCAEqzhyngm7h=YLRExeRdPEaw@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 210 bytes --]
On Mon, 11 Jul 2022 at 12:35, Miklos Szeredi <miklos@szeredi.hu> wrote:
>
> Can you try the attached untested patch?
Updated patch to avoid use after free on req->args.
Still mostly untested.
Thanks,
Miklos
[-- Attachment #2: fuse-allow-flush-to-be-killed-v2.patch --]
[-- Type: text/x-patch, Size: 2789 bytes --]
---
fs/fuse/dev.c | 23 +++++++++++++++++------
fs/fuse/file.c | 1 +
fs/fuse/fuse_i.h | 3 +++
3 files changed, 21 insertions(+), 6 deletions(-)
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -397,6 +397,12 @@ static void request_wait_answer(struct f
req->out.h.error = -EINTR;
return;
}
+ if (req->args->killable) {
+ req->out.h.error = -EINTR;
+ /* fuse_request_end() will drop final ref */
+ spin_unlock(&fiq->lock);
+ return;
+ }
spin_unlock(&fiq->lock);
}
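Review bot: the new `if (req->args->killable)` branch returns -EINTR at a point where the request is no longer on the pending list (the check above it did not fire), so the reader side may be in the middle of consuming it, yet nothing here waits for the request to be fully read before the caller unwinds. The comment "fuse_request_end() will drop final ref" should say which reference that is (the extra one taken when the request was queued) and why the caller's own put plus that one is exactly the count held at this point, so the refcount story can be checked; more importantly, state the lifetime rule this early return imposes: after it, neither req->args nor anything its in_args values point at may be touched by the device side. If that cannot be guaranteed for the read path, waiting under this lock until the request has been sent before taking the early return would close the window.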
@@ -478,6 +484,8 @@ static void fuse_args_to_req(struct fuse
req->args = args;
if (args->end)
__set_bit(FR_ASYNC, &req->flags);
+ if (!args->out_numargs)
+ __set_bit(FR_NOOUTARG, &req->flags);
}
ssize_t fuse_simple_request(struct fuse_mount *fm, struct fuse_args *args)
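Review bot: FR_NOOUTARG snapshots `args->out_numargs` into req->flags so the reply path can decide without dereferencing req->args; a one-line comment saying that this is the reason (not just what the bit records) belongs here, because the flag name alone does not explain why a property of args is being copied into the request.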
@@ -486,6 +494,8 @@ ssize_t fuse_simple_request(struct fuse_
struct fuse_req *req;
ssize_t ret;
+ WARN_ON(args->killable && args->out_numargs);
+
if (args->force) {
atomic_inc(&fc->num_waiting);
req = fuse_request_alloc(fm, GFP_KERNEL | __GFP_NOFAIL);
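Review bot: `WARN_ON(args->killable && args->out_numargs)` only warns and then carries on, so a caller that passes both would still get a killable request whose reply would be copied into req->args->out_args after the caller may have returned -EINTR and unwound. Make the invalid combination fail closed, e.g. `if (WARN_ON(args->killable && args->out_numargs)) return -EINVAL;`, or clear `args->killable` after the warning so the request falls back to the existing forced wait.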
@@ -494,7 +504,8 @@ ssize_t fuse_simple_request(struct fuse_
fuse_force_creds(req);
__set_bit(FR_WAITING, &req->flags);
- __set_bit(FR_FORCE, &req->flags);
+ if (!args->killable)
+ __set_bit(FR_FORCE, &req->flags);
} else {
WARN_ON(args->nocreds);
req = fuse_get_req(fm, false);
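Review bot: not setting FR_FORCE for killable requests changes which wait path request_wait_answer takes, but the rest of the force handling in this function (the num_waiting increment, the __GFP_NOFAIL allocation, fuse_force_creds) still applies, so `force` and `killable` now combine in a way that is easy to misread. A short comment here stating that a killable request is still allocated and queued as forced but is no longer waited for uninterruptibly would save the next reader from re-deriving it from the flag logic.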
@@ -1913,13 +1924,13 @@ static ssize_t fuse_dev_do_write(struct
set_bit(FR_LOCKED, &req->flags);
spin_unlock(&fpq->lock);
cs->req = req;
- if (!req->args->page_replace)
- cs->move_pages = 0;
-
- if (oh.error)
+ if (oh.error || test_bit(FR_NOOUTARG, &req->flags)) {
err = nbytes != sizeof(oh) ? -EINVAL : 0;
- else
+ } else {
+ if (!req->args->page_replace)
+ cs->move_pages = 0;
err = copy_out_args(cs, req->args, nbytes);
+ }
fuse_copy_finish(cs);
spin_lock(&fpq->lock);
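Review bot: the `test_bit(FR_NOOUTARG, &req->flags)` arm exists so this reply path never dereferences req->args for a request whose caller may already have returned, but the code does not say so; add a comment to that effect, because a later refactor that moves `if (!req->args->page_replace) cs->move_pages = 0;` back above the branch would silently reintroduce the use after free this v2 is meant to avoid. Dropping the `cs->move_pages = 0` reset in the header-only arm is fine since nothing is copied there, but that too is worth a word in the comment.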
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -504,6 +504,7 @@ static int fuse_flush(struct file *file,
args.in_args[0].size = sizeof(inarg);
args.in_args[0].value = &inarg;
args.force = true;
+ args.killable = true;
err = fuse_simple_request(fm, &args);
if (err == -ENOSYS) {
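Review bot: `args.killable = true` together with `args.force = true` means fuse_flush can now return -EINTR while the FLUSH request is still in flight, and both `args` and `inarg` are locals of this function, so the request can outlive the storage its input points at (`args.in_args[0].value = &inarg` above). Either the killable early return must not be taken until the request's input has been fully consumed by the reader, or `inarg` needs to live in request-owned memory rather than on this stack frame. The change in semantics (a killed process no longer waits for the server's FLUSH reply, so any error the server reports is lost) should also be spelled out in the commit message.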
--- a/fs/fuse/fuse_i.h
+++ b/fs/fuse/fuse_i.h
@@ -261,6 +261,7 @@ struct fuse_args {
bool page_zeroing:1;
bool page_replace:1;
bool may_block:1;
+ bool killable:1;
struct fuse_in_arg in_args[3];
struct fuse_arg out_args[2];
void (*end)(struct fuse_mount *fm, struct fuse_args *args, int error);
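Review bot: `killable` is added without a comment; document next to the field what it allows (a fatal signal ends the wait even for a forced request), its constraint (no out args, which the WARN_ON in fuse_simple_request enforces only loosely) and the lifetime requirement it imposes on the caller's in_args values, since the device side may still be reading them when fuse_simple_request returns.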
@@ -314,6 +315,7 @@ struct fuse_io_priv {
* FR_FINISHED: request is finished
* FR_PRIVATE: request is on private list
* FR_ASYNC: request is asynchronous
+ * FR_NOOUTARG: reply is only header
*/
enum fuse_req_flag {
FR_ISREPLY,
@@ -328,6 +330,7 @@ enum fuse_req_flag {
FR_FINISHED,
FR_PRIVATE,
FR_ASYNC,
+ FR_NOOUTARG,
};
/**