LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Amir Goldstein <amir73il@gmail.com>,
	Miklos Szeredi <mszeredi@redhat.com>
Subject: [PATCH 5.10 28/29] fuse: fix illegal access to inode with reused nodeid
Date: Mon,  6 Sep 2021 14:55:43 +0200	[thread overview]
Message-ID: <20210906125450.717001154@linuxfoundation.org> (raw)
In-Reply-To: <20210906125449.756437409@linuxfoundation.org>

From: Amir Goldstein <amir73il@gmail.com>

commit 15db16837a35d8007cb8563358787412213db25e upstream.

Server responds to LOOKUP and other ops (READDIRPLUS/CREATE/MKNOD/...)
with ourarg containing nodeid and generation.

If a fuse inode is found in inode cache with the same nodeid but different
generation, the existing fuse inode should be unhashed and marked "bad" and
a new inode with the new generation should be hashed instead.

This can happen, for example, with passhrough fuse filesystem that returns
the real filesystem ino/generation on lookup and where real inode numbers
can get recycled due to real files being unlinked not via the fuse
passthrough filesystem.

With current code, this situation will not be detected and an old fuse
dentry that used to point to an older generation real inode, can be used to
access a completely new inode, which should be accessed only via the new
dentry.

Note that because the FORGET message carries the nodeid w/o generation, the
server should wait to get FORGET counts for the nlookup counts of the old
and reused inodes combined, before it can free the resources associated to
that nodeid.

Stable backport notes:
* This is not a regression. The bug has been in fuse forever, but only
  a certain class of low level fuse filesystems can trigger this bug
* Because there is no way to check if this fix is applied in runtime,
  libfuse test_examples.py tests this fix with hardcoded check for
  kernel version >= 5.14
* After backport to stable kernel(s), the libfuse test can be updated
  to also check minimal stable kernel version(s)
* Depends on "fuse: fix bad inode" which is already applied to stable
  kernels v5.4.y and v5.10.y
* Required backporting helper inode_wrong_type()

Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/linux-fsdevel/CAOQ4uxi8DymG=JO_sAU+wS8akFdzh+PuXwW3Ebgahd2Nwnh7zA@mail.gmail.com/
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/dir.c     |    2 +-
 fs/fuse/fuse_i.h  |    7 +++++++
 fs/fuse/inode.c   |    4 ++--
 fs/fuse/readdir.c |    7 +++++--
 4 files changed, 15 insertions(+), 5 deletions(-)

--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -252,7 +252,7 @@ static int fuse_dentry_revalidate(struct
 		if (ret == -ENOMEM)
 			goto out;
 		if (ret || fuse_invalid_attr(&outarg.attr) ||
-		    inode_wrong_type(inode, outarg.attr.mode))
+		    fuse_stale_inode(inode, outarg.generation, &outarg.attr))
 			goto invalid;
 
 		forget_all_cached_acls(inode);
--- a/fs/fuse/fuse_i.h
+++ b/fs/fuse/fuse_i.h
@@ -860,6 +860,13 @@ static inline u64 fuse_get_attr_version(
 	return atomic64_read(&fc->attr_version);
 }
 
+static inline bool fuse_stale_inode(const struct inode *inode, int generation,
+				    struct fuse_attr *attr)
+{
+	return inode->i_generation != generation ||
+		inode_wrong_type(inode, attr->mode);
+}
+
 static inline void fuse_make_bad(struct inode *inode)
 {
 	remove_inode_hash(inode);
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -340,8 +340,8 @@ retry:
 		inode->i_generation = generation;
 		fuse_init_inode(inode, attr);
 		unlock_new_inode(inode);
-	} else if (inode_wrong_type(inode, attr->mode)) {
-		/* Inode has changed type, any I/O on the old should fail */
+	} else if (fuse_stale_inode(inode, generation, attr)) {
+		/* nodeid was reused, any I/O on the old inode should fail */
 		fuse_make_bad(inode);
 		iput(inode);
 		goto retry;
--- a/fs/fuse/readdir.c
+++ b/fs/fuse/readdir.c
@@ -200,9 +200,12 @@ retry:
 	if (!d_in_lookup(dentry)) {
 		struct fuse_inode *fi;
 		inode = d_inode(dentry);
+		if (inode && get_node_id(inode) != o->nodeid)
+			inode = NULL;
 		if (!inode ||
-		    get_node_id(inode) != o->nodeid ||
-		    inode_wrong_type(inode, o->attr.mode)) {
+		    fuse_stale_inode(inode, o->generation, &o->attr)) {
+			if (inode)
+				fuse_make_bad(inode);
 			d_invalidate(dentry);
 			dput(dentry);
 			goto retry;



  parent reply	other threads:[~2021-09-06 12:57 UTC|newest]

Thread overview: 38+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-09-06 12:55 [PATCH 5.10 00/29] 5.10.63-rc1 review Greg Kroah-Hartman
2021-09-06 12:55 ` [PATCH 5.10 01/29] ext4: fix race writing to an inline_data file while its xattrs are changing Greg Kroah-Hartman
2021-09-06 12:55 ` [PATCH 5.10 02/29] fscrypt: add fscrypt_symlink_getattr() for computing st_size Greg Kroah-Hartman
2021-09-06 12:55 ` [PATCH 5.10 03/29] ext4: report correct st_size for encrypted symlinks Greg Kroah-Hartman
2021-09-06 12:55 ` [PATCH 5.10 04/29] f2fs: " Greg Kroah-Hartman
2021-09-06 12:55 ` [PATCH 5.10 05/29] ubifs: " Greg Kroah-Hartman
2021-09-06 12:55 ` [PATCH 5.10 06/29] Revert "ucounts: Increase ucounts reference counter before the security hook" Greg Kroah-Hartman
2021-09-06 12:55 ` [PATCH 5.10 07/29] Revert "cred: add missing return error code when set_cred_ucounts() failed" Greg Kroah-Hartman
2021-09-06 12:55 ` [PATCH 5.10 08/29] Revert "Add a reference to ucounts for each cred" Greg Kroah-Hartman
2021-09-06 12:55 ` [PATCH 5.10 09/29] static_call: Fix unused variable warn w/o MODULE Greg Kroah-Hartman
2021-09-06 12:55 ` [PATCH 5.10 10/29] xtensa: fix kconfig unmet dependency warning for HAVE_FUTEX_CMPXCHG Greg Kroah-Hartman
2021-09-06 12:55 ` [PATCH 5.10 11/29] ARM: OMAP1: ams-delta: remove unused function ams_delta_camera_power Greg Kroah-Hartman
2021-09-06 12:55 ` [PATCH 5.10 12/29] gpu: ipu-v3: Fix i.MX IPU-v3 offset calculations for (semi)planar U/V formats Greg Kroah-Hartman
2021-09-06 12:55 ` [PATCH 5.10 13/29] reset: reset-zynqmp: Fixed the argument data type Greg Kroah-Hartman
2021-09-06 12:55 ` [PATCH 5.10 14/29] qed: Fix the VF msix vectors flow Greg Kroah-Hartman
2021-09-06 12:55 ` [PATCH 5.10 15/29] net: macb: Add a NULL check on desc_ptp Greg Kroah-Hartman
2021-09-06 12:55 ` [PATCH 5.10 16/29] qede: Fix memset corruption Greg Kroah-Hartman
2021-09-06 12:55 ` [PATCH 5.10 17/29] perf/x86/intel/pt: Fix mask of num_address_ranges Greg Kroah-Hartman
2021-09-06 12:55 ` [PATCH 5.10 18/29] ceph: fix possible null-pointer dereference in ceph_mdsmap_decode() Greg Kroah-Hartman
2021-09-06 12:55 ` [PATCH 5.10 19/29] perf/x86/amd/ibs: Work around erratum #1197 Greg Kroah-Hartman
2021-09-06 12:55 ` [PATCH 5.10 20/29] perf/x86/amd/power: Assign pmu.module Greg Kroah-Hartman
2021-09-06 12:55 ` [PATCH 5.10 21/29] cryptoloop: add a deprecation warning Greg Kroah-Hartman
2021-09-06 12:55 ` [PATCH 5.10 22/29] ALSA: hda/realtek: Quirk for HP Spectre x360 14 amp setup Greg Kroah-Hartman
2021-09-06 12:55 ` [PATCH 5.10 23/29] ALSA: hda/realtek: Workaround for conflicting SSID on ASUS ROG Strix G17 Greg Kroah-Hartman
2021-09-06 12:55 ` [PATCH 5.10 24/29] ALSA: pcm: fix divide error in snd_pcm_lib_ioctl Greg Kroah-Hartman
2021-09-06 12:55 ` [PATCH 5.10 25/29] serial: 8250: 8250_omap: Fix possible array out of bounds access Greg Kroah-Hartman
2021-09-06 12:55 ` [PATCH 5.10 26/29] spi: Switch to signed types for *_native_cs SPI controller fields Greg Kroah-Hartman
2021-09-06 12:55 ` [PATCH 5.10 27/29] new helper: inode_wrong_type() Greg Kroah-Hartman
2021-09-06 12:55 ` Greg Kroah-Hartman [this message]
2021-09-06 12:55 ` [PATCH 5.10 29/29] media: stkwebcam: fix memory leak in stk_camera_probe Greg Kroah-Hartman
2021-09-06 19:58 ` [PATCH 5.10 00/29] 5.10.63-rc1 review Pavel Machek
2021-09-06 19:58 ` Fox Chen
2021-09-07  7:10 ` Naresh Kamboju
2021-09-07  7:11 ` Samuel Zou
2021-09-07 13:12 ` Sudip Mukherjee
2021-09-07 18:34 ` Florian Fainelli
2021-09-07 20:07 ` Shuah Khan
2021-09-08  1:19 ` Guenter Roeck

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210906125450.717001154@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=amir73il@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mszeredi@redhat.com \
    --cc=stable@vger.kernel.org \
    --subject='Re: [PATCH 5.10 28/29] fuse: fix illegal access to inode with reused nodeid' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).