From patchwork Mon Dec 2 22:10:29 2024
X-Patchwork-Submitter: Bernd Schubert
X-Patchwork-Id: 13891409
From: Bernd Schubert
Date: Mon, 02 Dec 2024 23:10:29 +0100
Subject: [PATCH] fuse: Set *nbytesp=0 in fuse_get_user_pages on allocation failure
X-Mailing-List: linux-fsdevel@vger.kernel.org
Message-Id: <20241202-fix-fuse_get_user_pages-v1-1-8b5cccaf5bbe@ddn.com>
To: Miklos Szeredi, Joanne Koong, Josef Bacik
Cc: Nihar Chaithanya, Miklos Szeredi, linux-fsdevel@vger.kernel.org, syzbot+87b8e6ed25dbc41759f7@syzkaller.appspotmail.com, Bernd Schubert

In fuse_get_user_pages(), set *nbytesp to 0 when struct page **pages allocation fails. This prevents the caller (fuse_direct_io) from making incorrect assumptions that could lead to NULL pointer dereferences when processing the request reply.

Previously, *nbytesp was left unmodified on allocation failure, which could cause issues if the caller assumed pages had been added to ap->descs[] when they hadn't.

Reported-by: syzbot+87b8e6ed25dbc41759f7@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=87b8e6ed25dbc41759f7
Fixes: 3b97c3652d91 ("fuse: convert direct io to use folios")
Signed-off-by: Bernd Schubert Reviewed-by: Joanne Koong --- fs/fuse/dev.c | 3 +++ fs/fuse/file.c | 4 +++- 2 files changed, 6 insertions(+), 1 deletion(-) --- base-commit: e70140ba0d2b1a30467d4af6bcfe761327b9ec95 change-id: 20241202-fix-fuse_get_user_pages-6a920cb04184 Best regards, diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c index 27ccae63495d14ea339aa6c8da63d0ac44fc8885..2b506493d235e171336f737ba7a380fe16c9f825 100644 --- a/fs/fuse/dev.c +++ b/fs/fuse/dev.c @@ -803,6 +803,9 @@ static int fuse_copy_do(struct fuse_copy_state *cs, void **val, unsigned *size) void *pgaddr = kmap_local_page(cs->pg); void *buf = pgaddr + cs->offset; + if (WARN_ON_ONCE(!*val)) + return -EIO; + if (cs->write) memcpy(buf, *val, ncpy); else diff --git a/fs/fuse/file.c b/fs/fuse/file.c index 88d0946b5bc98705e0d895bc798aa4d9df080c3c..a8960a2908014250a81e1651d8a611b6936848e2 100644 --- a/fs/fuse/file.c +++ b/fs/fuse/file.c @@ -1539,10 +1539,11 @@ static int fuse_get_user_pages(struct fuse_args_pages *ap, struct iov_iter *ii, * manually extract pages using iov_iter_extract_pages() and then * copy that to a folios array. */ + ret = -ENOMEM; struct page **pages = kzalloc(max_pages * sizeof(struct page *), GFP_KERNEL); if (!pages) - return -ENOMEM; + goto out; while (nbytes < *nbytesp && nr_pages < max_pages) { unsigned nfolios, i; @@ -1584,6 +1585,7 @@ static int fuse_get_user_pages(struct fuse_args_pages *ap, struct iov_iter *ii, else ap->args.out_pages = true; +out: *nbytesp = nbytes; return ret < 0 ? ret : 0;
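Review bot: In the fs/fuse/dev.c hunk (fuse_copy_do), the new `return -EIO` sits after `void *pgaddr = kmap_local_page(cs->pg);`, so the error path returns with the local mapping still held and no kunmap_local(pgaddr) in between. Either test `!*val` before the kmap_local_page() call or unmap before returning. The subject and commit message only describe fuse_get_user_pages(); a sentence on why this WARN_ON_ONCE check is added in dev.c would help.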
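Review bot: In the first fs/fuse/file.c hunk (@@ -1539), `ret = -ENOMEM;` is a statement placed ahead of the `struct page **pages = kzalloc(...)` declaration, which mixes code and declarations and leaves ret preset to -ENOMEM for the code that runs when the allocation succeeded. Setting it only on the failure branch is clearer: `if (!pages) { ret = -ENOMEM; goto out; }`.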
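Review bot: At the `out:` label in the second fs/fuse/file.c hunk (@@ -1584), the allocation-failure path reaches `*nbytesp = nbytes;` and yields the 0 the commit message promises only because nbytes has not been advanced yet, and its initialisation is outside the visible hunks. A short comment at the label, or in the `if (!pages)` branch, stating that nbytes is still 0 there would make that dependency explicit for later changes.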