| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAFgAp7hG8k7Qrtor0O_CKb8tH3yNso-m2AjWDmvOtbRE4056JA@mail.gmail.com>
Date: Sun, 9 Nov 2025 01:00:01 +0900
From: くさあさ <pioooooooooip@...il.com>
To: Namjae Jeon <linkinjeon@...nel.org>
Cc: Steve French <smfrench@...il.com>, linux-cifs@...r.kernel.org,
linux-kernel@...r.kernel.org, Zhitong Liu <liuzhitong1993@...il.com>
Subject: Re: [PATCH] ksmbd: vfs: fix truncate lock-range check for shrink/grow
and avoid size==0 underflow
Thanks for the guidance — I’ve sent v2 patch.
Best regards,
Qianchang
On Sat, Nov 8, 2025 at 11:46 PM Namjae Jeon <linkinjeon@...nel.org> wrote:
>
> On Sat, Nov 8, 2025 at 9:36 PM Qianchang Zhao <pioooooooooip@...il.com> wrote:
> >
> > ksmbd_vfs_truncate() uses check_lock_range() with arguments that are
> > incorrect for shrink, and can underflow when size==0:
> >
> > - For shrink, the code passed [inode->i_size, size-1], which is reversed.
> > - When size==0, "size-1" underflows to -1, so the range becomes
> > [old_size, -1], effectively skipping the intended [0, old_size-1].
> >
> > Fix by:
> > - Rejecting negative size with -EINVAL.
> > - For shrink (size < old): check [size, old-1].
> > - For grow (size > old): check [old, size-1].
> > - Skip lock check when size == old.
> > - Keep the return value on conflict as -EAGAIN (no noisy pr_err()).
> >
> > This avoids the size==0 underflow and uses the correct range order,
> > preserving byte-range lock semantics.
> >
> > Reported-by: Qianchang Zhao <pioooooooooip@...il.com>
> > Reported-by: Zhitong Liu <liuzhitong1993@...il.com>
> > Cc: stable@...r.kernel.org
> > Signed-off-by: Qianchang Zhao <pioooooooooip@...il.com>
> > ---
> > fs/smb/server/vfs.c | 28 +++++++++++++++++++---------
> > 1 file changed, 19 insertions(+), 9 deletions(-)
> >
> > diff --git a/fs/smb/server/vfs.c b/fs/smb/server/vfs.c
> > index 891ed2dc2..e7843ec9b 100644
> > --- a/fs/smb/server/vfs.c
> > +++ b/fs/smb/server/vfs.c
> > @@ -825,17 +825,27 @@ int ksmbd_vfs_truncate(struct ksmbd_work *work,
> > if (!work->tcon->posix_extensions) {
> > struct inode *inode = file_inode(filp);
> >
> > - if (size < inode->i_size) {
> > - err = check_lock_range(filp, size,
> > - inode->i_size - 1, WRITE);
> > - } else {
> > - err = check_lock_range(filp, inode->i_size,
> > - size - 1, WRITE);
> > + loff_t old = i_size_read(inode);
> > + loff_t start = 0, end = -1;
> > + bool need_check = false;
> > +
> > + if (size < 0)
> > + return -EINVAL;
> There is no case where size variable is negative.
>
> > +
> > + if (size < old) {
> > + start = size;
> > + end = old - 1;
> > + need_check = true;
> > + } else if (size > old) {
> > + start = old;
> > + end = size - 1;
> > + need_check = true;
> > }
> >
> > - if (err) {
> > - pr_err("failed due to lock\n");
> > - return -EAGAIN;
> > + if (need_check) {
> > + err = check_lock_range(filp, start, end, WRITE);
> > + if (err)
> > + return -EAGAIN;
> > }
> > }
> Can't you just change it like this?
>
> diff --git a/fs/smb/server/vfs.c b/fs/smb/server/vfs.c
> index 891ed2dc2b73..f96f27c60301 100644
> --- a/fs/smb/server/vfs.c
> +++ b/fs/smb/server/vfs.c
> @@ -828,7 +828,7 @@ int ksmbd_vfs_truncate(struct ksmbd_work *work,
> if (size < inode->i_size) {
> err = check_lock_range(filp, size,
> inode->i_size - 1, WRITE);
> - } else {
> + } else if (size > inode->i_size) {
> err = check_lock_range(filp, inode->i_size,
> size - 1, WRITE);
> }
>
> Thanks.
> > --
> > 2.34.1
> >
Powered by blists - more mailing lists