lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250807124909.781-1-luochunsheng@ustc.edu>
Date: Thu,  7 Aug 2025 20:49:01 +0800
From: Chunsheng Luo <luochunsheng@...c.edu>
To: luis@...lia.com
Cc: linux-fsdevel@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	luochunsheng@...c.edu,
	miklos@...redi.hu,
	bernd@...ernd.com
Subject: Re: [PATCH] fuse: Move same-superblock check to fuse_copy_file_range

On Thu, Aug 07 2025,  Luis Henriques wrote:

>> The copy_file_range COPY_FILE_SPLICE capability allows filesystems to
>> handle cross-superblock copy. However, in the current fuse implementation,
>> __fuse_copy_file_range accesses src_file->private_data under the assumption
>> that it points to a fuse_file structure. When the source file belongs to a
>> non-FUSE filesystem, it will leads to kernel panics.
>
> I wonder if you have actually seen this kernel panic happening.  It seems
> like the code you're moving into fuse_copy_file_range() shouldn't be
> needed as the same check is already done in generic_copy_file_checks()
> (which is called from vfs_copy_file_range()).
> 
> Either way, I think your change to fuse_copy_file_range() could be
> simplified with something like:
> 
> 	ssize_t ret = -EXDEV;
> 
> 	if (file_inode(src_file)->i_sb == file_inode(dst_file)->i_sb)
> 		ret = __fuse_copy_file_range(src_file, src_off, dst_file, dst_off,
> 					     len, flags);
> 
> 	if (ret == -EOPNOTSUPP || ret == -EXDEV)
> 		ret = splice_copy_file_range(src_file, src_off, dst_file,
> 					     dst_off, len);
> 
> But again, my understanding is that this should never happen in practice
> and that the superblock check could even be removed from
> __fuse_copy_file_range().
> 
> Cheers,
> -- 
> Luís
>

Yes, now copy_file_range won't crash.

generic_copy_file_checks:
	/*
	 * We allow some filesystems to handle cross sb copy, but passing
	 * a file of the wrong filesystem type to filesystem driver can result
	 * in an attempt to dereference the wrong type of ->private_data, so
	 * avoid doing that until we really have a good reason.
	 *
	 * nfs and cifs define several different file_system_type structures
	 * and several different sets of file_operations, but they all end up
	 * using the same ->copy_file_range() function pointer.
	 */
	if (flags & COPY_FILE_SPLICE) {
		/* cross sb splice is allowed */
	} else if (file_out->f_op->copy_file_range) {
		if (file_in->f_op->copy_file_range !=
		    file_out->f_op->copy_file_range)
			return -EXDEV;
	} else if (file_inode(file_in)->i_sb != file_inode(file_out)->i_sb) {
		return -EXDEV;
	}

generic_copy_file_checks mentions that now allows some filesystems to handle cross-sb copy.

code: 
	} else if (file_out->f_op->copy_file_range) {
		if (file_in->f_op->copy_file_range !=
		    file_out->f_op->copy_file_range)
			return -EXDEV;
			
If the same filesystem is satisfied but the sb is not same, it will go to fuse_copy_file_range,
so fuse_copy_file_range needs to handle this situation.

Sorry, there is an mistake with my patch log description. __fuse_copy_file_range does not exist that
the source file is a NON-Fuse filesystem, so It can safely use ->private_data.

Therefore, this patch does not need.

Thanks
Chunsheng Luo

>>
>> To resolve this, move the same-superblock check from __fuse_copy_file_range
>> to fuse_copy_file_range to ensure both files belong to the same fuse
>> superblock before accessing private_data.
>>
>> Signed-off-by: Chunsheng Luo <luochunsheng@...c.edu>
>> ---
>>  fs/fuse/file.c | 8 ++++----
>>  1 file changed, 4 insertions(+), 4 deletions(-)
>>
>> diff --git a/fs/fuse/file.c b/fs/fuse/file.c
>> index 95275a1e2f54..a29f1b84f11b 100644
>> --- a/fs/fuse/file.c
>> +++ b/fs/fuse/file.c
>> @@ -2984,9 +2984,6 @@ static ssize_t __fuse_copy_file_range(struct file *file_in, loff_t pos_in,
>>  	if (fc->no_copy_file_range)
>>  		return -EOPNOTSUPP;
>>  
>> -	if (file_inode(file_in)->i_sb != file_inode(file_out)->i_sb)
>> -		return -EXDEV;
>> -
>>  	inode_lock(inode_in);
>>  	err = fuse_writeback_range(inode_in, pos_in, pos_in + len - 1);
>>  	inode_unlock(inode_in);
>> @@ -3066,9 +3063,12 @@ static ssize_t fuse_copy_file_range(struct file *src_file, loff_t src_off,
>>  {
>>  	ssize_t ret;
>>  
>> +	if (file_inode(src_file)->i_sb != file_inode(dst_file)->i_sb)
>> +		return splice_copy_file_range(src_file, src_off, dst_file,
>> +					     dst_off, len);
>> +
>>  	ret = __fuse_copy_file_range(src_file, src_off, dst_file, dst_off,
>>  				     len, flags);
>> -
>>  	if (ret == -EOPNOTSUPP || ret == -EXDEV)
>>  		ret = splice_copy_file_range(src_file, src_off, dst_file,
>>  					     dst_off, len);
>> -- 
>> 2.43.0
>>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ