<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/git/stable/linux-stable.git/fs/fuse/dev.c, branch linux-4.19.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<id>https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux-stable.git/atom?h=linux-4.19.y</id>
<link rel='self' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux-stable.git/atom?h=linux-4.19.y'/>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux-stable.git/'/>
<updated>2024-09-04T11:12:58+00:00</updated>
<entry>
<title>fuse: Initialize beyond-EOF page contents before setting uptodate</title>
<updated>2024-09-04T11:12:58+00:00</updated>
<author>
<name>Jann Horn</name>
<email>jannh@google.com</email>
</author>
<published>2024-08-06T19:51:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=49934861514d36d0995be8e81bb3312a499d8d9a'/>
<id>urn:sha1:49934861514d36d0995be8e81bb3312a499d8d9a</id>
<content type='text'>
commit 3c0da3d163eb32f1f91891efaade027fa9b245b9 upstream.

fuse_notify_store(), unlike fuse_do_readpage(), does not enable page
zeroing (because it can be used to change partial page contents).

So fuse_notify_store() must be more careful to fully initialize page
contents (including parts of the page that are beyond end-of-file)
before marking the page uptodate.

The current code can leave beyond-EOF page contents uninitialized, which
makes these uninitialized page contents visible to userspace via mmap().

This is an information leak, but only affects systems which do not
enable init-on-alloc (via CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y or the
corresponding kernel command line parameter).

Link: https://bugs.chromium.org/p/project-zero/issues/detail?id=2574
Cc: stable@kernel.org
Fixes: a1d75f258230 ("fuse: add store request")
Signed-off-by: Jann Horn &lt;jannh@google.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>fuse: fix pipe buffer lifetime for direct_io</title>
<updated>2022-04-15T12:14:37+00:00</updated>
<author>
<name>Miklos Szeredi</name>
<email>mszeredi@redhat.com</email>
</author>
<published>2022-03-07T15:30:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=99db28212be68030c1db3a525f6bbdce39b039e9'/>
<id>urn:sha1:99db28212be68030c1db3a525f6bbdce39b039e9</id>
<content type='text'>
commit 0c4bcfdecb1ac0967619ee7ff44871d93c08c909 upstream.

In FOPEN_DIRECT_IO mode, fuse_file_write_iter() calls
fuse_direct_write_iter(), which normally calls fuse_direct_io(), which then
imports the write buffer with fuse_get_user_pages(), which uses
iov_iter_get_pages() to grab references to userspace pages instead of
actually copying memory.

On the filesystem device side, these pages can then either be read to
userspace (via fuse_dev_read()), or splice()d over into a pipe using
fuse_dev_splice_read() as pipe buffers with &amp;nosteal_pipe_buf_ops.

This is wrong because after fuse_dev_do_read() unlocks the FUSE request,
the userspace filesystem can mark the request as completed, causing write()
to return. At that point, the userspace filesystem should no longer have
access to the pipe buffer.

Fix by copying pages coming from the user address space to new pipe
buffers.

Reported-by: Jann Horn &lt;jannh@google.com&gt;
Fixes: c3021629a0d8 ("fuse: support splice() reading from fuse device")
Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
Signed-off-by: Zach O'Keefe &lt;zokeefe@google.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>fuse: release pipe buf after last use</title>
<updated>2021-12-01T08:27:44+00:00</updated>
<author>
<name>Miklos Szeredi</name>
<email>mszeredi@redhat.com</email>
</author>
<published>2021-11-25T13:05:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=22b814fdce55caf8db1cb550a32a64159e5b83a8'/>
<id>urn:sha1:22b814fdce55caf8db1cb550a32a64159e5b83a8</id>
<content type='text'>
commit 473441720c8616dfaf4451f9c7ea14f0eb5e5d65 upstream.

Checking buf-&gt;flags should be done before the pipe_buf_release() is called
on the pipe buffer, since releasing the buffer might modify the flags.

This is exactly what page_cache_pipe_buf_release() does, and which results
in the same VM_BUG_ON_PAGE(PageLRU(page)) that the original patch was
trying to fix.

Reported-by: Justin Forbes &lt;jmforbes@linuxtx.org&gt;
Fixes: 712a951025c0 ("fuse: fix page stealing")
Cc: &lt;stable@vger.kernel.org&gt; # v2.6.35
Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>fuse: fix page stealing</title>
<updated>2021-12-01T08:27:39+00:00</updated>
<author>
<name>Miklos Szeredi</name>
<email>mszeredi@redhat.com</email>
</author>
<published>2021-11-02T10:10:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=65f1f3eb09a3907c5f5edaff6c473b99e49e6020'/>
<id>urn:sha1:65f1f3eb09a3907c5f5edaff6c473b99e49e6020</id>
<content type='text'>
commit 712a951025c0667ff00b25afc360f74e639dfabe upstream.

It is possible to trigger a crash by splicing anon pipe bufs to the fuse
device.

The reason for this is that anon_pipe_buf_release() will reuse buf-&gt;page if
the refcount is 1, but that page might have already been stolen and its
flags modified (e.g. PG_lru added).

This happens in the unlikely case of fuse_dev_splice_write() getting around
to calling pipe_buf_release() after a page has been stolen, added to the
page cache and removed from the page cache.

Fix by calling pipe_buf_release() right after the page was inserted into
the page cache.  In this case the page has an elevated refcount so any
release function will know that the page isn't reusable.

Reported-by: Frank Dinoff &lt;fdinoff@google.com&gt;
Link: https://lore.kernel.org/r/CAAmZXrsGg2xsP1CK+cbuEMumtrqdvD-NKnWzhNcvn71RV3c1yw@mail.gmail.com/
Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device")
Cc: &lt;stable@vger.kernel.org&gt; # v2.6.35
Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>fuse: reject internal errno</title>
<updated>2021-07-20T14:16:03+00:00</updated>
<author>
<name>Miklos Szeredi</name>
<email>mszeredi@redhat.com</email>
</author>
<published>2021-06-22T07:15:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=e7779b7470ef229b895c45e19d299cfa4902157b'/>
<id>urn:sha1:e7779b7470ef229b895c45e19d299cfa4902157b</id>
<content type='text'>
commit 49221cf86d18bb66fe95d3338cb33bd4b9880ca5 upstream.

Don't allow userspace to report errors that could be kernel-internal.

Reported-by: Anatoly Trosinenko &lt;anatoly.trosinenko@gmail.com&gt;
Fixes: 334f485df85a ("[PATCH] FUSE - device functions")
Cc: &lt;stable@vger.kernel.org&gt; # v2.6.14
Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>fuse: check connected before queueing on fpq-&gt;io</title>
<updated>2021-07-20T14:15:42+00:00</updated>
<author>
<name>Miklos Szeredi</name>
<email>mszeredi@redhat.com</email>
</author>
<published>2021-06-22T07:15:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=1c37784a00edfb88be67b24f7e776cda9eb803fd'/>
<id>urn:sha1:1c37784a00edfb88be67b24f7e776cda9eb803fd</id>
<content type='text'>
commit 80ef08670d4c28a06a3de954bd350368780bcfef upstream.

A request could end up on the fpq-&gt;io list after fuse_abort_conn() has
reset fpq-&gt;connected and aborted requests on that list:

Thread-1			  Thread-2
========			  ========
-&gt;fuse_simple_request()           -&gt;shutdown
  -&gt;__fuse_request_send()
    -&gt;queue_request()		-&gt;fuse_abort_conn()
-&gt;fuse_dev_do_read()                -&gt;acquire(fpq-&gt;lock)
  -&gt;wait_for(fpq-&gt;lock) 	  -&gt;set err to all req's in fpq-&gt;io
				  -&gt;release(fpq-&gt;lock)
  -&gt;acquire(fpq-&gt;lock)
  -&gt;add req to fpq-&gt;io

After the userspace copy is done the request will be ended, but
req-&gt;out.h.error will remain uninitialized.  Also the copy might block
despite being already aborted.

Fix both issues by not allowing the request to be queued on the fpq-&gt;io
list after fuse_abort_conn() has processed this list.

Reported-by: Pradeep P V K &lt;pragalla@codeaurora.org&gt;
Fixes: fd22d62ed0c3 ("fuse: no fc-&gt;lock for iqueue parts")
Cc: &lt;stable@vger.kernel.org&gt; # v4.2
Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>fuse: fix page dereference after free</title>
<updated>2020-11-05T10:08:34+00:00</updated>
<author>
<name>Miklos Szeredi</name>
<email>mszeredi@redhat.com</email>
</author>
<published>2020-09-18T08:36:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=6ef82327906270f66adb4b13517e818d3a20448e'/>
<id>urn:sha1:6ef82327906270f66adb4b13517e818d3a20448e</id>
<content type='text'>
commit d78092e4937de9ce55edcb4ee4c5e3c707be0190 upstream.

After unlock_request() pages from the ap-&gt;pages[] array may be put (e.g. by
aborting the connection) and the pages can be freed.

Prevent use after free by grabbing a reference to the page before calling
unlock_request().

The original patch was created by Pradeep P V K.

Reported-by: Pradeep P V K &lt;ppvk@codeaurora.org&gt;
Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>fuse: don't check refcount after stealing page</title>
<updated>2020-10-01T11:14:44+00:00</updated>
<author>
<name>Miklos Szeredi</name>
<email>mszeredi@redhat.com</email>
</author>
<published>2020-05-19T12:50:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=59da76a1713f7fd82d9c18ec72be99085b557027'/>
<id>urn:sha1:59da76a1713f7fd82d9c18ec72be99085b557027</id>
<content type='text'>
[ Upstream commit 32f98877c57bee6bc27f443a96f49678a2cd6a50 ]

page_count() is unstable.  Unless there has been an RCU grace period
between when the page was removed from the page cache and now, a
speculative reference may exist from the page cache.

Reported-by: Matthew Wilcox &lt;willy@infradead.org&gt;
Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>fuse: fix weird page warning</title>
<updated>2020-07-29T08:16:46+00:00</updated>
<author>
<name>Miklos Szeredi</name>
<email>mszeredi@redhat.com</email>
</author>
<published>2020-07-21T18:54:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=02c4ddf1896324e1ad50e72ad2d467d2c85cf75c'/>
<id>urn:sha1:02c4ddf1896324e1ad50e72ad2d467d2c85cf75c</id>
<content type='text'>
commit a5005c3cda6eeb6b95645e6cc32f58dafeffc976 upstream.

When PageWaiters was added, updating this check was missed.

Reported-by: Nikolaus Rath &lt;Nikolaus@rath.org&gt;
Reported-by: Hugh Dickins &lt;hughd@google.com&gt;
Fixes: 62906027091f ("mm: add PageWaiters indicating tasks are waiting for a page bit")
Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
Signed-off-by: André Almeida &lt;andrealmeid@collabora.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>fuse: fix deadlock with aio poll and fuse_iqueue::waitq.lock</title>
<updated>2019-10-05T11:10:13+00:00</updated>
<author>
<name>Eric Biggers</name>
<email>ebiggers@google.com</email>
</author>
<published>2019-09-09T03:15:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=5bead06b3443c784637d454c5c64a3bd05752cf4'/>
<id>urn:sha1:5bead06b3443c784637d454c5c64a3bd05752cf4</id>
<content type='text'>
[ Upstream commit 76e43c8ccaa35c30d5df853013561145a0f750a5 ]

When IOCB_CMD_POLL is used on the FUSE device, aio_poll() disables IRQs
and takes kioctx::ctx_lock, then fuse_iqueue::waitq.lock.

This may have to wait for fuse_iqueue::waitq.lock to be released by one
of many places that take it with IRQs enabled.  Since the IRQ handler
may take kioctx::ctx_lock, lockdep reports that a deadlock is possible.

Fix it by protecting the state of struct fuse_iqueue with a separate
spinlock, and only accessing fuse_iqueue::waitq using the versions of
the waitqueue functions which do IRQ-safe locking internally.

Reproducer:

	#include &lt;fcntl.h&gt;
	#include &lt;stdio.h&gt;
	#include &lt;sys/mount.h&gt;
	#include &lt;sys/stat.h&gt;
	#include &lt;sys/syscall.h&gt;
	#include &lt;unistd.h&gt;
	#include &lt;linux/aio_abi.h&gt;

	int main()
	{
		char opts[128];
		int fd = open("/dev/fuse", O_RDWR);
		aio_context_t ctx = 0;
		struct iocb cb = { .aio_lio_opcode = IOCB_CMD_POLL, .aio_fildes = fd };
		struct iocb *cbp = &amp;cb;

		sprintf(opts, "fd=%d,rootmode=040000,user_id=0,group_id=0", fd);
		mkdir("mnt", 0700);
		mount("foo",  "mnt", "fuse", 0, opts);
		syscall(__NR_io_setup, 1, &amp;ctx);
		syscall(__NR_io_submit, ctx, 1, &amp;cbp);
	}

Beginning of lockdep output:

	=====================================================
	WARNING: SOFTIRQ-safe -&gt; SOFTIRQ-unsafe lock order detected
	5.3.0-rc5 #9 Not tainted
	-----------------------------------------------------
	syz_fuse/135 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire:
	000000003590ceda (&amp;fiq-&gt;waitq){+.+.}, at: spin_lock include/linux/spinlock.h:338 [inline]
	000000003590ceda (&amp;fiq-&gt;waitq){+.+.}, at: aio_poll fs/aio.c:1751 [inline]
	000000003590ceda (&amp;fiq-&gt;waitq){+.+.}, at: __io_submit_one.constprop.0+0x203/0x5b0 fs/aio.c:1825

	and this task is already holding:
	0000000075037284 (&amp;(&amp;ctx-&gt;ctx_lock)-&gt;rlock){..-.}, at: spin_lock_irq include/linux/spinlock.h:363 [inline]
	0000000075037284 (&amp;(&amp;ctx-&gt;ctx_lock)-&gt;rlock){..-.}, at: aio_poll fs/aio.c:1749 [inline]
	0000000075037284 (&amp;(&amp;ctx-&gt;ctx_lock)-&gt;rlock){..-.}, at: __io_submit_one.constprop.0+0x1f4/0x5b0 fs/aio.c:1825
	which would create a new lock dependency:
	 (&amp;(&amp;ctx-&gt;ctx_lock)-&gt;rlock){..-.} -&gt; (&amp;fiq-&gt;waitq){+.+.}

	but this new dependency connects a SOFTIRQ-irq-safe lock:
	 (&amp;(&amp;ctx-&gt;ctx_lock)-&gt;rlock){..-.}

	[...]

Reported-by: syzbot+af05535bb79520f95431@syzkaller.appspotmail.com
Reported-by: syzbot+d86c4426a01f60feddc7@syzkaller.appspotmail.com
Fixes: bfe4037e722e ("aio: implement IOCB_CMD_POLL")
Cc: &lt;stable@vger.kernel.org&gt; # v4.19+
Cc: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Eric Biggers &lt;ebiggers@google.com&gt;
Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
</feed>
