linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Miklos Szeredi <mszeredi@redhat.com>
To: Al Viro <viro@ZenIV.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org, Avi Kivity <avi@scylladb.com>,
	Giuseppe Scrivano <gscrivan@redhat.com>,
	stable@vger.kernel.org
Subject: [PATCH 02/12] aio: fix async fsync creds
Date: Tue,  5 May 2020 11:59:05 +0200	[thread overview]
Message-ID: <20200505095915.11275-3-mszeredi@redhat.com> (raw)
In-Reply-To: <20200505095915.11275-1-mszeredi@redhat.com>

Avi Kivity reports that on fuse filesystems running in a user namespace
asyncronous fsync fails with EOVERFLOW.

The reason is that f_ops->fsync() is called with the creds of the kthread
performing aio work instead of the creds of the process originally
submitting IOCB_CMD_FSYNC.

Fuse sends the creds of the caller in the request header and it needs to
translate the uid and gid into the server's user namespace.  Since the
kthread is running in init_user_ns, the translation will fail and the
operation returns an error.

It can be argued that fsync doesn't actually need any creds, but just
zeroing out those fields in the header (as with requests that currently
don't take creds) is a backward compatibility risk.

Instead of working around this issue in fuse, solve the core of the problem
by calling the filesystem with the proper creds.

Reported-by: Avi Kivity <avi@scylladb.com>
Tested-by: Giuseppe Scrivano <gscrivan@redhat.com>
Fixes: c9582eb0ff7d ("fuse: Fail all requests with invalid uids or gids")
Cc: stable@vger.kernel.org  # 4.18+
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
---
 fs/aio.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/fs/aio.c b/fs/aio.c
index 5f3d3d814928..6483f9274d5e 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -176,6 +176,7 @@ struct fsync_iocb {
 	struct file		*file;
 	struct work_struct	work;
 	bool			datasync;
+	struct cred		*creds;
 };
 
 struct poll_iocb {
@@ -1589,8 +1590,11 @@ static int aio_write(struct kiocb *req, const struct iocb *iocb,
 static void aio_fsync_work(struct work_struct *work)
 {
 	struct aio_kiocb *iocb = container_of(work, struct aio_kiocb, fsync.work);
+	const struct cred *old_cred = override_creds(iocb->fsync.creds);
 
 	iocb->ki_res.res = vfs_fsync(iocb->fsync.file, iocb->fsync.datasync);
+	revert_creds(old_cred);
+	put_cred(iocb->fsync.creds);
 	iocb_put(iocb);
 }
 
@@ -1604,6 +1608,10 @@ static int aio_fsync(struct fsync_iocb *req, const struct iocb *iocb,
 	if (unlikely(!req->file->f_op->fsync))
 		return -EINVAL;
 
+	req->creds = prepare_creds();
+	if (!req->creds)
+		return -ENOMEM;
+
 	req->datasync = datasync;
 	INIT_WORK(&req->work, aio_fsync_work);
 	schedule_work(&req->work);
-- 
2.21.1


  parent reply	other threads:[~2020-05-05  9:59 UTC|newest]

Thread overview: 35+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-05-05  9:59 [PATCH 00/12] vfs patch queue Miklos Szeredi
2020-05-05  9:59 ` [PATCH 01/12] vfs: allow unprivileged whiteout creation Miklos Szeredi
2020-05-13 19:12   ` Al Viro
2020-05-05  9:59 ` Miklos Szeredi [this message]
2020-05-13 10:01   ` [PATCH 02/12] aio: fix async fsync creds Christoph Hellwig
2020-05-05  9:59 ` [PATCH 03/12] proc/mounts: add cursor Miklos Szeredi
2020-05-13 19:33   ` Al Viro
2020-05-05  9:59 ` [PATCH 04/12] utimensat: AT_EMPTY_PATH support Miklos Szeredi
2020-05-13 10:02   ` Christoph Hellwig
2020-05-05  9:59 ` [PATCH 05/12] f*xattr: allow O_PATH descriptors Miklos Szeredi
2020-05-13 10:04   ` Christoph Hellwig
2020-05-14  8:02     ` Miklos Szeredi
2020-05-14 13:01       ` Miklos Szeredi
2020-05-05  9:59 ` [PATCH 06/12] uapi: deprecate STATX_ALL Miklos Szeredi
2020-05-13 10:04   ` Christoph Hellwig
2020-05-05  9:59 ` [PATCH 07/12] statx: don't clear STATX_ATIME on SB_RDONLY Miklos Szeredi
2020-05-13 10:04   ` Christoph Hellwig
2020-05-05  9:59 ` [PATCH 08/12] statx: add mount ID Miklos Szeredi
2020-05-13 10:05   ` Christoph Hellwig
2020-05-05  9:59 ` [PATCH 09/12] statx: add mount_root Miklos Szeredi
2020-05-05 14:24   ` J . Bruce Fields
2020-05-13 10:05   ` Christoph Hellwig
2020-05-05  9:59 ` [PATCH 10/12] vfs: don't parse forbidden flags Miklos Szeredi
2020-05-13 10:06   ` Christoph Hellwig
2020-05-05  9:59 ` [PATCH 11/12] vfs: don't parse "posixacl" option Miklos Szeredi
2020-05-13 10:07   ` Christoph Hellwig
2020-05-05  9:59 ` [PATCH 12/12] vfs: don't parse "silent" option Miklos Szeredi
2020-05-13 10:07   ` Christoph Hellwig
2020-05-13  7:45 ` [13/12 PATCH] vfs: add faccessat2 syscall Miklos Szeredi
2020-05-13 10:09   ` Christoph Hellwig
2020-05-13  7:47 ` [PATCH 00/12] vfs patch queue Miklos Szeredi
2020-05-13 19:48   ` Al Viro
2020-05-14 11:46     ` Miklos Szeredi
2020-05-14 14:55     ` Miklos Szeredi
2020-05-14 15:10       ` Al Viro

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200505095915.11275-3-mszeredi@redhat.com \
    --to=mszeredi@redhat.com \
    --cc=avi@scylladb.com \
    --cc=gscrivan@redhat.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=viro@ZenIV.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).