mirror of
https://github.com/torvalds/linux.git
synced 2024-11-25 13:41:51 +00:00
5d069dbe8a
Jan Kara's analysis of the syzbot report (edited): The reproducer opens a directory on FUSE filesystem, it then attaches dnotify mark to the open directory. After that a fuse_do_getattr() call finds that attributes returned by the server are inconsistent, and calls make_bad_inode() which, among other things does: inode->i_mode = S_IFREG; This then confuses dnotify which doesn't tear down its structures properly and eventually crashes. Avoid calling make_bad_inode() on a live inode: switch to a private flag on the fuse inode. Also add the test to ops which the bad_inode_ops would have caught. This bug goes back to the initial merge of fuse in 2.6.14... Reported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Tested-by: Jan Kara <jack@suse.cz> Cc: <stable@vger.kernel.org>
264 lines
6.1 KiB
C
264 lines
6.1 KiB
C
/*
|
|
* FUSE: Filesystem in Userspace
|
|
* Copyright (C) 2001-2016 Miklos Szeredi <miklos@szeredi.hu>
|
|
*
|
|
* This program can be distributed under the terms of the GNU GPL.
|
|
* See the file COPYING.
|
|
*/
|
|
|
|
#include "fuse_i.h"
|
|
|
|
#include <linux/xattr.h>
|
|
#include <linux/posix_acl_xattr.h>
|
|
|
|
int fuse_setxattr(struct inode *inode, const char *name, const void *value,
|
|
size_t size, int flags)
|
|
{
|
|
struct fuse_mount *fm = get_fuse_mount(inode);
|
|
FUSE_ARGS(args);
|
|
struct fuse_setxattr_in inarg;
|
|
int err;
|
|
|
|
if (fm->fc->no_setxattr)
|
|
return -EOPNOTSUPP;
|
|
|
|
memset(&inarg, 0, sizeof(inarg));
|
|
inarg.size = size;
|
|
inarg.flags = flags;
|
|
args.opcode = FUSE_SETXATTR;
|
|
args.nodeid = get_node_id(inode);
|
|
args.in_numargs = 3;
|
|
args.in_args[0].size = sizeof(inarg);
|
|
args.in_args[0].value = &inarg;
|
|
args.in_args[1].size = strlen(name) + 1;
|
|
args.in_args[1].value = name;
|
|
args.in_args[2].size = size;
|
|
args.in_args[2].value = value;
|
|
err = fuse_simple_request(fm, &args);
|
|
if (err == -ENOSYS) {
|
|
fm->fc->no_setxattr = 1;
|
|
err = -EOPNOTSUPP;
|
|
}
|
|
if (!err) {
|
|
fuse_invalidate_attr(inode);
|
|
fuse_update_ctime(inode);
|
|
}
|
|
return err;
|
|
}
|
|
|
|
ssize_t fuse_getxattr(struct inode *inode, const char *name, void *value,
|
|
size_t size)
|
|
{
|
|
struct fuse_mount *fm = get_fuse_mount(inode);
|
|
FUSE_ARGS(args);
|
|
struct fuse_getxattr_in inarg;
|
|
struct fuse_getxattr_out outarg;
|
|
ssize_t ret;
|
|
|
|
if (fm->fc->no_getxattr)
|
|
return -EOPNOTSUPP;
|
|
|
|
memset(&inarg, 0, sizeof(inarg));
|
|
inarg.size = size;
|
|
args.opcode = FUSE_GETXATTR;
|
|
args.nodeid = get_node_id(inode);
|
|
args.in_numargs = 2;
|
|
args.in_args[0].size = sizeof(inarg);
|
|
args.in_args[0].value = &inarg;
|
|
args.in_args[1].size = strlen(name) + 1;
|
|
args.in_args[1].value = name;
|
|
/* This is really two different operations rolled into one */
|
|
args.out_numargs = 1;
|
|
if (size) {
|
|
args.out_argvar = true;
|
|
args.out_args[0].size = size;
|
|
args.out_args[0].value = value;
|
|
} else {
|
|
args.out_args[0].size = sizeof(outarg);
|
|
args.out_args[0].value = &outarg;
|
|
}
|
|
ret = fuse_simple_request(fm, &args);
|
|
if (!ret && !size)
|
|
ret = min_t(ssize_t, outarg.size, XATTR_SIZE_MAX);
|
|
if (ret == -ENOSYS) {
|
|
fm->fc->no_getxattr = 1;
|
|
ret = -EOPNOTSUPP;
|
|
}
|
|
return ret;
|
|
}
|
|
|
|
static int fuse_verify_xattr_list(char *list, size_t size)
|
|
{
|
|
size_t origsize = size;
|
|
|
|
while (size) {
|
|
size_t thislen = strnlen(list, size);
|
|
|
|
if (!thislen || thislen == size)
|
|
return -EIO;
|
|
|
|
size -= thislen + 1;
|
|
list += thislen + 1;
|
|
}
|
|
|
|
return origsize;
|
|
}
|
|
|
|
ssize_t fuse_listxattr(struct dentry *entry, char *list, size_t size)
|
|
{
|
|
struct inode *inode = d_inode(entry);
|
|
struct fuse_mount *fm = get_fuse_mount(inode);
|
|
FUSE_ARGS(args);
|
|
struct fuse_getxattr_in inarg;
|
|
struct fuse_getxattr_out outarg;
|
|
ssize_t ret;
|
|
|
|
if (fuse_is_bad(inode))
|
|
return -EIO;
|
|
|
|
if (!fuse_allow_current_process(fm->fc))
|
|
return -EACCES;
|
|
|
|
if (fm->fc->no_listxattr)
|
|
return -EOPNOTSUPP;
|
|
|
|
memset(&inarg, 0, sizeof(inarg));
|
|
inarg.size = size;
|
|
args.opcode = FUSE_LISTXATTR;
|
|
args.nodeid = get_node_id(inode);
|
|
args.in_numargs = 1;
|
|
args.in_args[0].size = sizeof(inarg);
|
|
args.in_args[0].value = &inarg;
|
|
/* This is really two different operations rolled into one */
|
|
args.out_numargs = 1;
|
|
if (size) {
|
|
args.out_argvar = true;
|
|
args.out_args[0].size = size;
|
|
args.out_args[0].value = list;
|
|
} else {
|
|
args.out_args[0].size = sizeof(outarg);
|
|
args.out_args[0].value = &outarg;
|
|
}
|
|
ret = fuse_simple_request(fm, &args);
|
|
if (!ret && !size)
|
|
ret = min_t(ssize_t, outarg.size, XATTR_LIST_MAX);
|
|
if (ret > 0 && size)
|
|
ret = fuse_verify_xattr_list(list, ret);
|
|
if (ret == -ENOSYS) {
|
|
fm->fc->no_listxattr = 1;
|
|
ret = -EOPNOTSUPP;
|
|
}
|
|
return ret;
|
|
}
|
|
|
|
int fuse_removexattr(struct inode *inode, const char *name)
|
|
{
|
|
struct fuse_mount *fm = get_fuse_mount(inode);
|
|
FUSE_ARGS(args);
|
|
int err;
|
|
|
|
if (fm->fc->no_removexattr)
|
|
return -EOPNOTSUPP;
|
|
|
|
args.opcode = FUSE_REMOVEXATTR;
|
|
args.nodeid = get_node_id(inode);
|
|
args.in_numargs = 1;
|
|
args.in_args[0].size = strlen(name) + 1;
|
|
args.in_args[0].value = name;
|
|
err = fuse_simple_request(fm, &args);
|
|
if (err == -ENOSYS) {
|
|
fm->fc->no_removexattr = 1;
|
|
err = -EOPNOTSUPP;
|
|
}
|
|
if (!err) {
|
|
fuse_invalidate_attr(inode);
|
|
fuse_update_ctime(inode);
|
|
}
|
|
return err;
|
|
}
|
|
|
|
static int fuse_xattr_get(const struct xattr_handler *handler,
|
|
struct dentry *dentry, struct inode *inode,
|
|
const char *name, void *value, size_t size)
|
|
{
|
|
if (fuse_is_bad(inode))
|
|
return -EIO;
|
|
|
|
return fuse_getxattr(inode, name, value, size);
|
|
}
|
|
|
|
static int fuse_xattr_set(const struct xattr_handler *handler,
|
|
struct dentry *dentry, struct inode *inode,
|
|
const char *name, const void *value, size_t size,
|
|
int flags)
|
|
{
|
|
if (fuse_is_bad(inode))
|
|
return -EIO;
|
|
|
|
if (!value)
|
|
return fuse_removexattr(inode, name);
|
|
|
|
return fuse_setxattr(inode, name, value, size, flags);
|
|
}
|
|
|
|
static bool no_xattr_list(struct dentry *dentry)
|
|
{
|
|
return false;
|
|
}
|
|
|
|
static int no_xattr_get(const struct xattr_handler *handler,
|
|
struct dentry *dentry, struct inode *inode,
|
|
const char *name, void *value, size_t size)
|
|
{
|
|
return -EOPNOTSUPP;
|
|
}
|
|
|
|
static int no_xattr_set(const struct xattr_handler *handler,
|
|
struct dentry *dentry, struct inode *nodee,
|
|
const char *name, const void *value,
|
|
size_t size, int flags)
|
|
{
|
|
return -EOPNOTSUPP;
|
|
}
|
|
|
|
static const struct xattr_handler fuse_xattr_handler = {
|
|
.prefix = "",
|
|
.get = fuse_xattr_get,
|
|
.set = fuse_xattr_set,
|
|
};
|
|
|
|
const struct xattr_handler *fuse_xattr_handlers[] = {
|
|
&fuse_xattr_handler,
|
|
NULL
|
|
};
|
|
|
|
const struct xattr_handler *fuse_acl_xattr_handlers[] = {
|
|
&posix_acl_access_xattr_handler,
|
|
&posix_acl_default_xattr_handler,
|
|
&fuse_xattr_handler,
|
|
NULL
|
|
};
|
|
|
|
static const struct xattr_handler fuse_no_acl_access_xattr_handler = {
|
|
.name = XATTR_NAME_POSIX_ACL_ACCESS,
|
|
.flags = ACL_TYPE_ACCESS,
|
|
.list = no_xattr_list,
|
|
.get = no_xattr_get,
|
|
.set = no_xattr_set,
|
|
};
|
|
|
|
static const struct xattr_handler fuse_no_acl_default_xattr_handler = {
|
|
.name = XATTR_NAME_POSIX_ACL_DEFAULT,
|
|
.flags = ACL_TYPE_ACCESS,
|
|
.list = no_xattr_list,
|
|
.get = no_xattr_get,
|
|
.set = no_xattr_set,
|
|
};
|
|
|
|
const struct xattr_handler *fuse_no_acl_xattr_handlers[] = {
|
|
&fuse_no_acl_access_xattr_handler,
|
|
&fuse_no_acl_default_xattr_handler,
|
|
&fuse_xattr_handler,
|
|
NULL
|
|
};
|