Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 710c33ad authored by Miklos Szeredi's avatar Miklos Szeredi Committed by Greg Kroah-Hartman
Browse files

fuse: verify attributes 



commit eb59bd17d2fa6e5e84fba61a5ebdea984222e6d5 upstream.

If a filesystem returns negative inode sizes, future reads on the file were
causing the cpu to spin on truncate_pagecache.

Create a helper to validate the attributes.  This now does two things:

 - check the file mode
 - check if the file size fits in i_size without overflowing

Reported-by: default avatarArijit Banerjee <arijit@rubrik.com>
Fixes: d8a5ba45 ("[PATCH] FUSE - core")
Cc: <stable@vger.kernel.org> # v2.6.14
Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 9f435a5e

fs/fuse/dir.c

+17 −7
Original line number Diff line number Diff line
@@ -234,7 +234,8 @@ static int fuse_dentry_revalidate(struct dentry *entry, unsigned int flags) 
		kfree(forget);

		if (ret == -ENOMEM)

			goto out;

		if (ret || (outarg.attr.mode ^ inode->i_mode) & S_IFMT)

		if (ret || fuse_invalid_attr(&outarg.attr) ||

		    (outarg.attr.mode ^ inode->i_mode) & S_IFMT)

			goto invalid;



		forget_all_cached_acls(inode);
@@ -297,6 +298,12 @@ int fuse_valid_type(int m) 
		S_ISBLK(m) || S_ISFIFO(m) || S_ISSOCK(m);

}



bool fuse_invalid_attr(struct fuse_attr *attr)

{

	return !fuse_valid_type(attr->mode) ||

		attr->size > LLONG_MAX;

}



int fuse_lookup_name(struct super_block *sb, u64 nodeid, const struct qstr *name,

		     struct fuse_entry_out *outarg, struct inode **inode)

{
@@ -328,7 +335,7 @@ int fuse_lookup_name(struct super_block *sb, u64 nodeid, const struct qstr *name 
	err = -EIO;

	if (!outarg->nodeid)

		goto out_put_forget;

	if (!fuse_valid_type(outarg->attr.mode))

	if (fuse_invalid_attr(&outarg->attr))

		goto out_put_forget;



	*inode = fuse_iget(sb, outarg->nodeid, outarg->generation,
@@ -451,7 +458,8 @@ static int fuse_create_open(struct inode *dir, struct dentry *entry, 
		goto out_free_ff;



	err = -EIO;

	if (!S_ISREG(outentry.attr.mode) || invalid_nodeid(outentry.nodeid))

	if (!S_ISREG(outentry.attr.mode) || invalid_nodeid(outentry.nodeid) ||

	    fuse_invalid_attr(&outentry.attr))

		goto out_free_ff;



	ff->fh = outopen.fh;
@@ -558,7 +566,7 @@ static int create_new_entry(struct fuse_conn *fc, struct fuse_args *args, 
		goto out_put_forget_req;



	err = -EIO;

	if (invalid_nodeid(outarg.nodeid))

	if (invalid_nodeid(outarg.nodeid) || fuse_invalid_attr(&outarg.attr))

		goto out_put_forget_req;



	if ((outarg.attr.mode ^ mode) & S_IFMT)
@@ -918,7 +926,8 @@ static int fuse_do_getattr(struct inode *inode, struct kstat *stat, 
	args.out.args[0].value = &outarg;

	err = fuse_simple_request(fc, &args);

	if (!err) {

		if ((inode->i_mode ^ outarg.attr.mode) & S_IFMT) {

		if (fuse_invalid_attr(&outarg.attr) ||

		    (inode->i_mode ^ outarg.attr.mode) & S_IFMT) {

			make_bad_inode(inode);

			err = -EIO;

		} else {
@@ -1230,7 +1239,7 @@ static int fuse_direntplus_link(struct file *file, 


	if (invalid_nodeid(o->nodeid))

		return -EIO;

	if (!fuse_valid_type(o->attr.mode))

	if (fuse_invalid_attr(&o->attr))

		return -EIO;



	fc = get_fuse_conn(dir);
@@ -1707,7 +1716,8 @@ int fuse_do_setattr(struct dentry *dentry, struct iattr *attr, 
		goto error;

	}



	if ((inode->i_mode ^ outarg.attr.mode) & S_IFMT) {

	if (fuse_invalid_attr(&outarg.attr) ||

	    (inode->i_mode ^ outarg.attr.mode) & S_IFMT) {

		make_bad_inode(inode);

		err = -EIO;

		goto error;

fs/fuse/fuse_i.h

+2 −0
Original line number Diff line number Diff line
@@ -909,6 +909,8 @@ void fuse_ctl_remove_conn(struct fuse_conn *fc); 
 */

int fuse_valid_type(int m);



bool fuse_invalid_attr(struct fuse_attr *attr);



/**

 * Is current process allowed to perform filesystem operation?

 */