tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Merge tag 'fuse-update-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse

Pull fuse update from Miklos Szeredi:

- Fix possible hang in virtiofs when cleaning up a DAX inode (Sergio
Lopez)

- Fix a warning when using large folio as the source of SPLICE_F_MOVE
on the fuse device (Bernd)

- Fix uninitialized value found by KMSAN (Luis Henriques)

- Fix synchronous INIT hang (Miklos)

- Fix race between inode initialization and FUSE_NOTIFY_INVAL_INODE
(Horst)

- Allow fd to be closed after passing fuse device fd to
fsconfig(..., "fd", ...) (Miklos)

- Support FSCONFIG_SET_FD for "fd" option (Miklos)

- Misc fixes and cleanups

* tag 'fuse-update-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse: (21 commits)
fuse: support FSCONFIG_SET_FD for "fd" option
fuse: clean up device cloning
fuse: don't require /dev/fuse fd to be kept open during mount
fuse: add refcount to fuse_dev
fuse: create fuse_dev on /dev/fuse open instead of mount
fuse: check connection state on notification
fuse: fuse_dev_ioctl_clone() should wait for device file to be initialized
fuse: fix inode initialization race
fuse: abort on fatal signal during sync init
fuse: fix uninit-value in fuse_dentry_revalidate()
fuse: use offset_in_page() for page offset calculations
fuse: use DIV_ROUND_UP() for page count calculations
fuse: simplify logic in fuse_notify_store() and fuse_retrieve()
fuse: validate outarg offset and size in notify store/retrieve
fuse: Check for large folio with SPLICE_F_MOVE
fuse: quiet down complaints in fuse_conn_limit_write
fuse: drop unnecessary argument from fuse_lookup_init()
fuse: fix premature writetrhough request for large folio
fuse: refactor duplicate queue teardown operation
virtiofs: add FUSE protocol validation
...

Linus Torvalds acf6c670 9e1e9d66

+263 -197
+2 -2
fs/fuse/control.c
··· 121 121 const char __user *buf, 122 122 size_t count, loff_t *ppos) 123 123 { 124 - unsigned val; 124 + unsigned int val = 0; 125 125 ssize_t ret; 126 126 127 127 ret = fuse_conn_limit_write(file, buf, count, ppos, &val, ··· 163 163 const char __user *buf, 164 164 size_t count, loff_t *ppos) 165 165 { 166 - unsigned val; 166 + unsigned int val = 0; 167 167 struct fuse_conn *fc; 168 168 ssize_t ret; 169 169
+1 -1
fs/fuse/cuse.c
··· 527 527 cc->fc.initialized = 1; 528 528 rc = cuse_send_init(cc); 529 529 if (rc) { 530 - fuse_dev_free(fud); 530 + fuse_dev_put(fud); 531 531 return rc; 532 532 } 533 533 file->private_data = fud;
+78 -78
fs/fuse/dev.c
··· 570 570 if (!err) 571 571 return; 572 572 573 + if (req->args->abort_on_kill) { 574 + fuse_abort_conn(fc); 575 + return; 576 + } 577 + 573 578 if (test_bit(FR_URING, &req->flags)) 574 579 removed = fuse_uring_remove_pending_req(req); 575 580 else ··· 681 676 fuse_force_creds(req); 682 677 683 678 __set_bit(FR_WAITING, &req->flags); 684 - __set_bit(FR_FORCE, &req->flags); 679 + if (!args->abort_on_kill) 680 + __set_bit(FR_FORCE, &req->flags); 685 681 } else { 686 682 WARN_ON(args->nocreds); 687 683 req = fuse_get_req(idmap, fm, false); ··· 1016 1010 1017 1011 folio_clear_uptodate(newfolio); 1018 1012 folio_clear_mappedtodisk(newfolio); 1013 + 1014 + if (folio_test_large(newfolio)) 1015 + goto out_fallback_unlock; 1019 1016 1020 1017 if (fuse_check_folio(newfolio) != 0) 1021 1018 goto out_fallback_unlock; ··· 1548 1539 1549 1540 static int fuse_dev_open(struct inode *inode, struct file *file) 1550 1541 { 1551 - /* 1552 - * The fuse device's file's private_data is used to hold 1553 - * the fuse_conn(ection) when it is mounted, and is used to 1554 - * keep track of whether the file has been mounted already. 1555 - */ 1556 - file->private_data = NULL; 1542 + struct fuse_dev *fud = fuse_dev_alloc(); 1543 + 1544 + if (!fud) 1545 + return -ENOMEM; 1546 + 1547 + file->private_data = fud; 1557 1548 return 0; 1558 1549 } 1559 1550 1560 1551 struct fuse_dev *fuse_get_dev(struct file *file) 1561 1552 { 1562 - struct fuse_dev *fud = __fuse_get_dev(file); 1553 + struct fuse_dev *fud = fuse_file_to_fud(file); 1563 1554 int err; 1564 1555 1565 - if (likely(fud)) 1566 - return fud; 1567 - 1568 - err = wait_event_interruptible(fuse_dev_waitq, 1569 - READ_ONCE(file->private_data) != FUSE_DEV_SYNC_INIT); 1556 + err = wait_event_interruptible(fuse_dev_waitq, fuse_dev_fc_get(fud) != NULL); 1570 1557 if (err) 1571 1558 return ERR_PTR(err); 1572 - 1573 - fud = __fuse_get_dev(file); 1574 - if (!fud) 1575 - return ERR_PTR(-EPERM); 1576 1559 1577 1560 return fud; 1578 1561 } ··· 1765 1764 struct address_space *mapping; 1766 1765 u64 nodeid; 1767 1766 int err; 1768 - pgoff_t index; 1769 - unsigned int offset; 1770 1767 unsigned int num; 1771 1768 loff_t file_size; 1769 + loff_t pos; 1772 1770 loff_t end; 1773 1771 1774 1772 if (size < sizeof(outarg)) ··· 1780 1780 if (size - sizeof(outarg) != outarg.size) 1781 1781 return -EINVAL; 1782 1782 1783 + if (outarg.offset >= MAX_LFS_FILESIZE) 1784 + return -EINVAL; 1785 + 1783 1786 nodeid = outarg.nodeid; 1787 + pos = outarg.offset; 1788 + num = min(outarg.size, MAX_LFS_FILESIZE - pos); 1784 1789 1785 1790 down_read(&fc->killsb); 1786 1791 ··· 1795 1790 goto out_up_killsb; 1796 1791 1797 1792 mapping = inode->i_mapping; 1798 - index = outarg.offset >> PAGE_SHIFT; 1799 - offset = outarg.offset & ~PAGE_MASK; 1800 1793 file_size = i_size_read(inode); 1801 - end = outarg.offset + outarg.size; 1794 + end = pos + num; 1802 1795 if (end > file_size) { 1803 1796 file_size = end; 1804 - fuse_write_update_attr(inode, file_size, outarg.size); 1797 + fuse_write_update_attr(inode, file_size, num); 1805 1798 } 1806 1799 1807 - num = outarg.size; 1808 1800 while (num) { 1809 1801 struct folio *folio; 1810 1802 unsigned int folio_offset; 1811 1803 unsigned int nr_bytes; 1812 - unsigned int nr_pages; 1804 + pgoff_t index = pos >> PAGE_SHIFT; 1813 1805 1814 1806 folio = filemap_grab_folio(mapping, index); 1815 1807 err = PTR_ERR(folio); 1816 1808 if (IS_ERR(folio)) 1817 1809 goto out_iput; 1818 1810 1819 - folio_offset = ((index - folio->index) << PAGE_SHIFT) + offset; 1811 + folio_offset = offset_in_folio(folio, pos); 1820 1812 nr_bytes = min(num, folio_size(folio) - folio_offset); 1821 - nr_pages = (offset + nr_bytes + PAGE_SIZE - 1) >> PAGE_SHIFT; 1822 1813 1823 1814 err = fuse_copy_folio(cs, &folio, folio_offset, nr_bytes, 0); 1824 - if (!folio_test_uptodate(folio) && !err && offset == 0 && 1815 + if (!folio_test_uptodate(folio) && !err && folio_offset == 0 && 1825 1816 (nr_bytes == folio_size(folio) || file_size == end)) { 1826 1817 folio_zero_segment(folio, nr_bytes, folio_size(folio)); 1827 1818 folio_mark_uptodate(folio); ··· 1828 1827 if (err) 1829 1828 goto out_iput; 1830 1829 1830 + pos += nr_bytes; 1831 1831 num -= nr_bytes; 1832 - offset = 0; 1833 - index += nr_pages; 1834 1832 } 1835 1833 1836 1834 err = 0; ··· 1861 1861 { 1862 1862 int err; 1863 1863 struct address_space *mapping = inode->i_mapping; 1864 - pgoff_t index; 1865 1864 loff_t file_size; 1866 1865 unsigned int num; 1867 1866 unsigned int offset; ··· 1871 1872 size_t args_size = sizeof(*ra); 1872 1873 struct fuse_args_pages *ap; 1873 1874 struct fuse_args *args; 1875 + loff_t pos = outarg->offset; 1874 1876 1875 - offset = outarg->offset & ~PAGE_MASK; 1877 + offset = offset_in_page(pos); 1876 1878 file_size = i_size_read(inode); 1877 1879 1878 1880 num = min(outarg->size, fc->max_write); 1879 - if (outarg->offset > file_size) 1881 + if (pos > file_size) 1880 1882 num = 0; 1881 - else if (outarg->offset + num > file_size) 1882 - num = file_size - outarg->offset; 1883 + else if (num > file_size - pos) 1884 + num = file_size - pos; 1883 1885 1884 - num_pages = (num + offset + PAGE_SIZE - 1) >> PAGE_SHIFT; 1886 + num_pages = DIV_ROUND_UP(num + offset, PAGE_SIZE); 1885 1887 num_pages = min(num_pages, fc->max_pages); 1886 1888 num = min(num, num_pages << PAGE_SHIFT); 1887 1889 ··· 1903 1903 args->in_pages = true; 1904 1904 args->end = fuse_retrieve_end; 1905 1905 1906 - index = outarg->offset >> PAGE_SHIFT; 1907 - 1908 1906 while (num && ap->num_folios < num_pages) { 1909 1907 struct folio *folio; 1910 1908 unsigned int folio_offset; 1911 1909 unsigned int nr_bytes; 1912 - unsigned int nr_pages; 1910 + pgoff_t index = pos >> PAGE_SHIFT; 1913 1911 1914 1912 folio = filemap_get_folio(mapping, index); 1915 1913 if (IS_ERR(folio)) 1916 1914 break; 1917 1915 1918 - folio_offset = ((index - folio->index) << PAGE_SHIFT) + offset; 1916 + folio_offset = offset_in_folio(folio, pos); 1919 1917 nr_bytes = min(folio_size(folio) - folio_offset, num); 1920 - nr_pages = (offset + nr_bytes + PAGE_SIZE - 1) >> PAGE_SHIFT; 1921 1918 1922 1919 ap->folios[ap->num_folios] = folio; 1923 1920 ap->descs[ap->num_folios].offset = folio_offset; 1924 1921 ap->descs[ap->num_folios].length = nr_bytes; 1925 1922 ap->num_folios++; 1926 1923 1927 - offset = 0; 1924 + pos += nr_bytes; 1928 1925 num -= nr_bytes; 1929 1926 total_len += nr_bytes; 1930 - index += nr_pages; 1931 1927 } 1932 1928 ra->inarg.offset = outarg->offset; 1933 1929 ra->inarg.size = total_len; ··· 1956 1960 return err; 1957 1961 1958 1962 fuse_copy_finish(cs); 1963 + 1964 + if (outarg.offset >= MAX_LFS_FILESIZE) 1965 + return -EINVAL; 1959 1966 1960 1967 down_read(&fc->killsb); 1961 1968 err = -ENOENT; ··· 2090 2091 static int fuse_notify(struct fuse_conn *fc, enum fuse_notify_code code, 2091 2092 unsigned int size, struct fuse_copy_state *cs) 2092 2093 { 2094 + /* 2095 + * Only allow notifications during while the connection is in an 2096 + * initialized and connected state 2097 + */ 2098 + if (!fc->initialized || !fc->connected) 2099 + return -EINVAL; 2100 + 2093 2101 /* Don't try to move folios (yet) */ 2094 2102 cs->move_folios = false; 2095 2103 ··· 2539 2533 2540 2534 int fuse_dev_release(struct inode *inode, struct file *file) 2541 2535 { 2542 - struct fuse_dev *fud = __fuse_get_dev(file); 2536 + struct fuse_dev *fud = fuse_file_to_fud(file); 2537 + /* Pairs with cmpxchg() in fuse_dev_install() */ 2538 + struct fuse_conn *fc = xchg(&fud->fc, FUSE_DEV_FC_DISCONNECTED); 2543 2539 2544 - if (fud) { 2545 - struct fuse_conn *fc = fud->fc; 2540 + if (fc) { 2546 2541 struct fuse_pqueue *fpq = &fud->pq; 2547 2542 LIST_HEAD(to_end); 2548 2543 unsigned int i; 2544 + bool last; 2549 2545 2550 2546 spin_lock(&fpq->lock); 2551 2547 WARN_ON(!list_empty(&fpq->io)); ··· 2557 2549 2558 2550 fuse_dev_end_requests(&to_end); 2559 2551 2552 + spin_lock(&fc->lock); 2553 + list_del(&fud->entry); 2560 2554 /* Are we the last open device? */ 2561 - if (atomic_dec_and_test(&fc->dev_count)) { 2555 + last = list_empty(&fc->devices); 2556 + spin_unlock(&fc->lock); 2557 + 2558 + if (last) { 2562 2559 WARN_ON(fc->iq.fasync != NULL); 2563 2560 fuse_abort_conn(fc); 2564 2561 } 2565 - fuse_dev_free(fud); 2562 + fuse_conn_put(fc); 2566 2563 } 2564 + fuse_dev_put(fud); 2567 2565 return 0; 2568 2566 } 2569 2567 EXPORT_SYMBOL_GPL(fuse_dev_release); ··· 2585 2571 return fasync_helper(fd, file, on, &fud->fc->iq.fasync); 2586 2572 } 2587 2573 2588 - static int fuse_device_clone(struct fuse_conn *fc, struct file *new) 2589 - { 2590 - struct fuse_dev *fud; 2591 - 2592 - if (__fuse_get_dev(new)) 2593 - return -EINVAL; 2594 - 2595 - fud = fuse_dev_alloc_install(fc); 2596 - if (!fud) 2597 - return -ENOMEM; 2598 - 2599 - new->private_data = fud; 2600 - atomic_inc(&fc->dev_count); 2601 - 2602 - return 0; 2603 - } 2604 - 2605 2574 static long fuse_dev_ioctl_clone(struct file *file, __u32 __user *argp) 2606 2575 { 2607 - int res; 2608 2576 int oldfd; 2609 - struct fuse_dev *fud = NULL; 2577 + struct fuse_dev *fud, *new_fud; 2610 2578 2611 2579 if (get_user(oldfd, argp)) 2612 2580 return -EFAULT; ··· 2601 2605 * Check against file->f_op because CUSE 2602 2606 * uses the same ioctl handler. 2603 2607 */ 2604 - if (fd_file(f)->f_op == file->f_op) 2605 - fud = __fuse_get_dev(fd_file(f)); 2608 + if (fd_file(f)->f_op != file->f_op) 2609 + return -EINVAL; 2606 2610 2607 - res = -EINVAL; 2608 - if (fud) { 2609 - mutex_lock(&fuse_mutex); 2610 - res = fuse_device_clone(fud->fc, file); 2611 - mutex_unlock(&fuse_mutex); 2612 - } 2611 + fud = fuse_get_dev(fd_file(f)); 2612 + if (IS_ERR(fud)) 2613 + return PTR_ERR(fud); 2613 2614 2614 - return res; 2615 + new_fud = fuse_file_to_fud(file); 2616 + if (fuse_dev_fc_get(new_fud)) 2617 + return -EINVAL; 2618 + 2619 + fuse_dev_install(new_fud, fud->fc); 2620 + 2621 + return 0; 2615 2622 } 2616 2623 2617 2624 static long fuse_dev_ioctl_backing_open(struct file *file, ··· 2655 2656 static long fuse_dev_ioctl_sync_init(struct file *file) 2656 2657 { 2657 2658 int err = -EINVAL; 2659 + struct fuse_dev *fud = fuse_file_to_fud(file); 2658 2660 2659 2661 mutex_lock(&fuse_mutex); 2660 - if (!__fuse_get_dev(file)) { 2661 - WRITE_ONCE(file->private_data, FUSE_DEV_SYNC_INIT); 2662 + if (!fuse_dev_fc_get(fud)) { 2663 + fud->sync_init = true; 2662 2664 err = 0; 2663 2665 } 2664 2666 mutex_unlock(&fuse_mutex);
+16 -20
fs/fuse/dev_uring.c
··· 397 397 FRRS_AVAILABLE); 398 398 } 399 399 400 + static void fuse_uring_teardown_all_queues(struct fuse_ring *ring) 401 + { 402 + int qid; 403 + 404 + for (qid = 0; qid < ring->nr_queues; qid++) { 405 + struct fuse_ring_queue *queue = READ_ONCE(ring->queues[qid]); 406 + 407 + if (!queue) 408 + continue; 409 + 410 + fuse_uring_teardown_entries(queue); 411 + } 412 + } 413 + 400 414 /* 401 415 * Log state debug info 402 416 */ ··· 445 431 446 432 static void fuse_uring_async_stop_queues(struct work_struct *work) 447 433 { 448 - int qid; 449 434 struct fuse_ring *ring = 450 435 container_of(work, struct fuse_ring, async_teardown_work.work); 451 436 452 - /* XXX code dup */ 453 - for (qid = 0; qid < ring->nr_queues; qid++) { 454 - struct fuse_ring_queue *queue = READ_ONCE(ring->queues[qid]); 455 - 456 - if (!queue) 457 - continue; 458 - 459 - fuse_uring_teardown_entries(queue); 460 - } 437 + fuse_uring_teardown_all_queues(ring); 461 438 462 439 /* 463 440 * Some ring entries might be in the middle of IO operations, ··· 474 469 */ 475 470 void fuse_uring_stop_queues(struct fuse_ring *ring) 476 471 { 477 - int qid; 478 - 479 - for (qid = 0; qid < ring->nr_queues; qid++) { 480 - struct fuse_ring_queue *queue = READ_ONCE(ring->queues[qid]); 481 - 482 - if (!queue) 483 - continue; 484 - 485 - fuse_uring_teardown_entries(queue); 486 - } 472 + fuse_uring_teardown_all_queues(ring); 487 473 488 474 if (atomic_read(&ring->queue_refs) > 0) { 489 475 ring->teardown_time = jiffies;
+9 -5
fs/fuse/dir.c
··· 354 354 fuse_invalidate_entry_cache(entry); 355 355 } 356 356 357 - static void fuse_lookup_init(struct fuse_conn *fc, struct fuse_args *args, 358 - u64 nodeid, const struct qstr *name, 357 + static void fuse_lookup_init(struct fuse_args *args, u64 nodeid, 358 + const struct qstr *name, 359 359 struct fuse_entry_out *outarg) 360 360 { 361 361 memset(outarg, 0, sizeof(struct fuse_entry_out)); ··· 421 421 422 422 attr_version = fuse_get_attr_version(fm->fc); 423 423 424 - fuse_lookup_init(fm->fc, &args, get_node_id(dir), 425 - name, &outarg); 424 + fuse_lookup_init(&args, get_node_id(dir), name, &outarg); 426 425 ret = fuse_simple_request(fm, &args); 427 426 /* Zero nodeid is same as -ENOENT */ 428 427 if (!ret && !outarg.nodeid) ··· 480 481 fd->dentry = dentry; 481 482 RB_CLEAR_NODE(&fd->node); 482 483 dentry->d_fsdata = fd; 484 + /* 485 + * Initialising d_time (epoch) to '0' ensures the dentry is invalid 486 + * if compared to fc->epoch, which is initialized to '1'. 487 + */ 488 + dentry->d_time = 0; 483 489 484 490 return 0; 485 491 } ··· 574 570 attr_version = fuse_get_attr_version(fm->fc); 575 571 evict_ctr = fuse_get_evict_ctr(fm->fc); 576 572 577 - fuse_lookup_init(fm->fc, &args, nodeid, name, outarg); 573 + fuse_lookup_init(&args, nodeid, name, outarg); 578 574 err = fuse_simple_request(fm, &args); 579 575 /* Zero nodeid is same as -ENOENT, but with valid timeout */ 580 576 if (err || !outarg->nodeid)
+11 -7
fs/fuse/file.c
··· 117 117 fuse_simple_request(ff->fm, args); 118 118 fuse_release_end(ff->fm, args, 0); 119 119 } else { 120 + /* 121 + * DAX inodes may need to issue a number of synchronous 122 + * request for clearing the mappings. 123 + */ 124 + if (ra && ra->inode && FUSE_IS_DAX(ra->inode)) 125 + args->may_block = true; 120 126 args->end = fuse_release_end; 121 127 if (fuse_simple_background(ff->fm, args, 122 128 GFP_KERNEL | __GFP_NOFAIL)) ··· 1249 1243 { 1250 1244 struct fuse_args_pages *ap = &ia->ap; 1251 1245 struct fuse_conn *fc = get_fuse_conn(mapping->host); 1252 - unsigned offset = pos & (PAGE_SIZE - 1); 1253 1246 size_t count = 0; 1254 1247 unsigned int num; 1255 1248 int err = 0; ··· 1275 1270 if (mapping_writably_mapped(mapping)) 1276 1271 flush_dcache_folio(folio); 1277 1272 1278 - folio_offset = ((index - folio->index) << PAGE_SHIFT) + offset; 1273 + folio_offset = offset_in_folio(folio, pos); 1279 1274 bytes = min(folio_size(folio) - folio_offset, num); 1280 1275 1281 1276 tmp = copy_folio_from_iter_atomic(folio, folio_offset, bytes, ii); ··· 1305 1300 count += tmp; 1306 1301 pos += tmp; 1307 1302 num -= tmp; 1308 - offset += tmp; 1309 - if (offset == folio_size(folio)) 1310 - offset = 0; 1311 1303 1312 1304 /* If we copied full folio, mark it uptodate */ 1313 1305 if (tmp == folio_size(folio)) ··· 1316 1314 ia->write.folio_locked = true; 1317 1315 break; 1318 1316 } 1319 - if (!fc->big_writes || offset != 0) 1317 + if (!fc->big_writes) 1318 + break; 1319 + if (folio_offset + tmp != folio_size(folio)) 1320 1320 break; 1321 1321 } 1322 1322 ··· 2177 2173 WARN_ON(!ap->num_folios); 2178 2174 2179 2175 /* Reached max pages */ 2180 - if ((bytes + PAGE_SIZE - 1) >> PAGE_SHIFT > fc->max_pages) 2176 + if (DIV_ROUND_UP(bytes, PAGE_SIZE) > fc->max_pages) 2181 2177 return true; 2182 2178 2183 2179 if (bytes > max_bytes)
+26 -8
fs/fuse/fuse_dev_i.h
··· 39 39 } ring; 40 40 }; 41 41 42 - #define FUSE_DEV_SYNC_INIT ((struct fuse_dev *) 1) 43 - #define FUSE_DEV_PTR_MASK (~1UL) 42 + /* fud->fc gets assigned to this value when /dev/fuse is closed */ 43 + #define FUSE_DEV_FC_DISCONNECTED ((struct fuse_conn *) 1) 44 + 45 + /* 46 + * Lockless access is OK, because fud->fc is set once during mount and is valid 47 + * until the file is released. 48 + * 49 + * fud->fc is set to FUSE_DEV_FC_DISCONNECTED only after the containing file is 50 + * released, so result is safe to dereference in most cases. Exceptions are: 51 + * fuse_dev_put() and fuse_fill_super_common(). 52 + */ 53 + static inline struct fuse_conn *fuse_dev_fc_get(struct fuse_dev *fud) 54 + { 55 + /* Pairs with xchg() in fuse_dev_install() */ 56 + return smp_load_acquire(&fud->fc); 57 + } 58 + 59 + static inline struct fuse_dev *fuse_file_to_fud(struct file *file) 60 + { 61 + return file->private_data; 62 + } 44 63 45 64 static inline struct fuse_dev *__fuse_get_dev(struct file *file) 46 65 { 47 - /* 48 - * Lockless access is OK, because file->private data is set 49 - * once during mount and is valid until the file is released. 50 - */ 51 - struct fuse_dev *fud = READ_ONCE(file->private_data); 66 + struct fuse_dev *fud = fuse_file_to_fud(file); 52 67 53 - return (typeof(fud)) ((unsigned long) fud & FUSE_DEV_PTR_MASK); 68 + if (!fuse_dev_fc_get(fud)) 69 + return NULL; 70 + 71 + return fud; 54 72 } 55 73 56 74 struct fuse_dev *fuse_get_dev(struct file *file);
+9 -10
fs/fuse/fuse_i.h
··· 345 345 bool is_ext:1; 346 346 bool is_pinned:1; 347 347 bool invalidate_vmap:1; 348 + bool abort_on_kill:1; 348 349 struct fuse_in_arg in_args[4]; 349 350 struct fuse_arg out_args[2]; 350 351 void (*end)(struct fuse_mount *fm, struct fuse_args *args, int error); ··· 577 576 * Fuse device instance 578 577 */ 579 578 struct fuse_dev { 579 + /** Reference count of this object */ 580 + refcount_t ref; 581 + 582 + /** Issue FUSE_INIT synchronously */ 583 + bool sync_init; 584 + 580 585 /** Fuse connection for this device */ 581 586 struct fuse_conn *fc; 582 587 ··· 606 599 } 607 600 608 601 struct fuse_fs_context { 609 - int fd; 610 - struct file *file; 602 + struct fuse_dev *fud; 611 603 unsigned int rootmode; 612 604 kuid_t user_id; 613 605 kgid_t group_id; 614 606 bool is_bdev:1; 615 - bool fd_present:1; 616 607 bool rootmode_present:1; 617 608 bool user_id_present:1; 618 609 bool group_id_present:1; ··· 627 622 628 623 /* DAX device, may be NULL */ 629 624 struct dax_device *dax_dev; 630 - 631 - /* fuse_dev pointer to fill in, should contain NULL on entry */ 632 - void **fudptr; 633 625 }; 634 626 635 627 struct fuse_sync_bucket { ··· 649 647 650 648 /** Refcount */ 651 649 refcount_t count; 652 - 653 - /** Number of fuse_dev's */ 654 - atomic_t dev_count; 655 650 656 651 /** Current epoch for up-to-date dentries */ 657 652 atomic_t epoch; ··· 1342 1343 struct fuse_dev *fuse_dev_alloc_install(struct fuse_conn *fc); 1343 1344 struct fuse_dev *fuse_dev_alloc(void); 1344 1345 void fuse_dev_install(struct fuse_dev *fud, struct fuse_conn *fc); 1345 - void fuse_dev_free(struct fuse_dev *fud); 1346 + void fuse_dev_put(struct fuse_dev *fud); 1346 1347 int fuse_send_init(struct fuse_mount *fm); 1347 1348 1348 1349 /**
+81 -55
fs/fuse/inode.c
··· 470 470 struct inode *inode; 471 471 struct fuse_inode *fi; 472 472 struct fuse_conn *fc = get_fuse_conn_super(sb); 473 + bool is_new_inode = false; 473 474 474 475 /* 475 476 * Auto mount points get their node id from the submount root, which is ··· 506 505 if (!inode) 507 506 return NULL; 508 507 509 - if ((inode_state_read_once(inode) & I_NEW)) { 508 + is_new_inode = inode_state_read_once(inode) & I_NEW; 509 + if (is_new_inode) { 510 510 inode->i_flags |= S_NOATIME; 511 511 if (!fc->writeback_cache || !S_ISREG(attr->mode)) 512 512 inode->i_flags |= S_NOCMTIME; 513 513 inode->i_generation = generation; 514 514 fuse_init_inode(inode, attr, fc); 515 - unlock_new_inode(inode); 516 515 } else if (fuse_stale_inode(inode, generation, attr)) { 517 516 /* nodeid was reused, any I/O on the old inode should fail */ 518 517 fuse_make_bad(inode); ··· 529 528 done: 530 529 fuse_change_attributes_i(inode, attr, NULL, attr_valid, attr_version, 531 530 evict_ctr); 531 + if (is_new_inode) 532 + unlock_new_inode(inode); 532 533 return inode; 533 534 } 534 535 ··· 791 788 792 789 static const struct fs_parameter_spec fuse_fs_parameters[] = { 793 790 fsparam_string ("source", OPT_SOURCE), 794 - fsparam_u32 ("fd", OPT_FD), 791 + fsparam_fd ("fd", OPT_FD), 795 792 fsparam_u32oct ("rootmode", OPT_ROOTMODE), 796 793 fsparam_uid ("user_id", OPT_USER_ID), 797 794 fsparam_gid ("group_id", OPT_GROUP_ID), ··· 802 799 fsparam_string ("subtype", OPT_SUBTYPE), 803 800 {} 804 801 }; 802 + 803 + static int fuse_opt_fd(struct fs_context *fsc, struct file *file) 804 + { 805 + struct fuse_fs_context *ctx = fsc->fs_private; 806 + 807 + if (file->f_op != &fuse_dev_operations) 808 + return invalfc(fsc, "fd is not a fuse device"); 809 + /* 810 + * Require mount to happen from the same user namespace which 811 + * opened /dev/fuse to prevent potential attacks. 812 + */ 813 + if (file->f_cred->user_ns != fsc->user_ns) 814 + return invalfc(fsc, "wrong user namespace for fuse device"); 815 + 816 + ctx->fud = file->private_data; 817 + refcount_inc(&ctx->fud->ref); 818 + 819 + return 0; 820 + } 805 821 806 822 static int fuse_parse_param(struct fs_context *fsc, struct fs_parameter *param) 807 823 { ··· 861 839 return 0; 862 840 863 841 case OPT_FD: 864 - ctx->fd = result.uint_32; 865 - ctx->fd_present = true; 866 - break; 842 + if (param->type == fs_value_is_file) { 843 + return fuse_opt_fd(fsc, param->file); 844 + } else { 845 + struct file *file __free(fput) = fget(result.uint_32); 846 + if (!file) 847 + return -EBADF; 848 + 849 + return fuse_opt_fd(fsc, file); 850 + } 867 851 868 852 case OPT_ROOTMODE: 869 853 if (!fuse_valid_type(result.uint_32)) ··· 932 904 struct fuse_fs_context *ctx = fsc->fs_private; 933 905 934 906 if (ctx) { 907 + if (ctx->fud) 908 + fuse_dev_put(ctx->fud); 935 909 kfree(ctx->subtype); 936 910 kfree(ctx); 937 911 } ··· 1005 975 spin_lock_init(&fc->bg_lock); 1006 976 init_rwsem(&fc->killsb); 1007 977 refcount_set(&fc->count, 1); 1008 - atomic_set(&fc->dev_count, 1); 1009 978 atomic_set(&fc->epoch, 1); 1010 979 INIT_WORK(&fc->epoch_work, fuse_epoch_work); 1011 980 init_waitqueue_head(&fc->blocked_waitq); ··· 1580 1551 int err; 1581 1552 1582 1553 if (fm->fc->sync_init) { 1554 + ia->args.abort_on_kill = true; 1583 1555 err = fuse_simple_request(fm, &ia->args); 1584 1556 /* Ignore size of init reply */ 1585 1557 if (err > 0) ··· 1652 1622 if (!fud) 1653 1623 return NULL; 1654 1624 1625 + refcount_set(&fud->ref, 1); 1655 1626 pq = kzalloc_objs(struct list_head, FUSE_PQ_HASH_SIZE); 1656 1627 if (!pq) { 1657 1628 kfree(fud); ··· 1668 1637 1669 1638 void fuse_dev_install(struct fuse_dev *fud, struct fuse_conn *fc) 1670 1639 { 1671 - fud->fc = fuse_conn_get(fc); 1640 + struct fuse_conn *old_fc; 1641 + 1672 1642 spin_lock(&fc->lock); 1673 - list_add_tail(&fud->entry, &fc->devices); 1643 + /* 1644 + * Pairs with: 1645 + * - xchg() in fuse_dev_release() 1646 + * - smp_load_acquire() in fuse_dev_fc_get() 1647 + */ 1648 + old_fc = cmpxchg(&fud->fc, NULL, fc); 1649 + if (old_fc) { 1650 + /* 1651 + * failed to set fud->fc because 1652 + * - it was already set to a different fc 1653 + * - it was set to disconneted 1654 + */ 1655 + fc->connected = 0; 1656 + } else { 1657 + list_add_tail(&fud->entry, &fc->devices); 1658 + fuse_conn_get(fc); 1659 + } 1674 1660 spin_unlock(&fc->lock); 1675 1661 } 1676 1662 EXPORT_SYMBOL_GPL(fuse_dev_install); ··· 1705 1657 } 1706 1658 EXPORT_SYMBOL_GPL(fuse_dev_alloc_install); 1707 1659 1708 - void fuse_dev_free(struct fuse_dev *fud) 1660 + void fuse_dev_put(struct fuse_dev *fud) 1709 1661 { 1710 - struct fuse_conn *fc = fud->fc; 1662 + struct fuse_conn *fc; 1711 1663 1712 - if (fc) { 1664 + if (!refcount_dec_and_test(&fud->ref)) 1665 + return; 1666 + 1667 + fc = fuse_dev_fc_get(fud); 1668 + if (fc && fc != FUSE_DEV_FC_DISCONNECTED) { 1669 + /* This is the virtiofs case (fuse_dev_release() not called) */ 1713 1670 spin_lock(&fc->lock); 1714 1671 list_del(&fud->entry); 1715 1672 spin_unlock(&fc->lock); ··· 1724 1671 kfree(fud->pq.processing); 1725 1672 kfree(fud); 1726 1673 } 1727 - EXPORT_SYMBOL_GPL(fuse_dev_free); 1674 + EXPORT_SYMBOL_GPL(fuse_dev_put); 1728 1675 1729 1676 static void fuse_fill_attr_from_inode(struct fuse_attr *attr, 1730 1677 const struct fuse_inode *fi) ··· 1876 1823 1877 1824 int fuse_fill_super_common(struct super_block *sb, struct fuse_fs_context *ctx) 1878 1825 { 1879 - struct fuse_dev *fud = NULL; 1826 + struct fuse_dev *fud = ctx->fud; 1880 1827 struct fuse_mount *fm = get_fuse_mount_super(sb); 1881 1828 struct fuse_conn *fc = fm->fc; 1882 1829 struct inode *root; ··· 1910 1857 goto err; 1911 1858 } 1912 1859 1913 - if (ctx->fudptr) { 1914 - err = -ENOMEM; 1915 - fud = fuse_dev_alloc_install(fc); 1916 - if (!fud) 1917 - goto err_free_dax; 1918 - } 1919 - 1920 1860 fc->dev = sb->s_dev; 1921 1861 fm->sb = sb; 1922 1862 err = fuse_bdi_init(fc, sb); 1923 1863 if (err) 1924 - goto err_dev_free; 1864 + goto err_free_dax; 1925 1865 1926 1866 /* Handle umasking inside the fuse code */ 1927 1867 if (sb->s_flags & SB_POSIXACL) ··· 1936 1890 set_default_d_op(sb, &fuse_dentry_operations); 1937 1891 root_dentry = d_make_root(root); 1938 1892 if (!root_dentry) 1939 - goto err_dev_free; 1893 + goto err_free_dax; 1940 1894 1941 1895 mutex_lock(&fuse_mutex); 1942 1896 err = -EINVAL; 1943 - if (ctx->fudptr && *ctx->fudptr) { 1944 - if (*ctx->fudptr == FUSE_DEV_SYNC_INIT) 1945 - fc->sync_init = 1; 1946 - else 1897 + if (fud) { 1898 + if (fuse_dev_fc_get(fud)) 1947 1899 goto err_unlock; 1900 + if (fud->sync_init) 1901 + fc->sync_init = 1; 1948 1902 } 1949 1903 1950 1904 err = fuse_ctl_add_conn(fc); ··· 1953 1907 1954 1908 list_add_tail(&fc->entry, &fuse_conn_list); 1955 1909 sb->s_root = root_dentry; 1956 - if (ctx->fudptr) { 1957 - *ctx->fudptr = fud; 1910 + if (fud) { 1911 + fuse_dev_install(fud, fc); 1958 1912 wake_up_all(&fuse_dev_waitq); 1959 1913 } 1960 1914 mutex_unlock(&fuse_mutex); ··· 1963 1917 err_unlock: 1964 1918 mutex_unlock(&fuse_mutex); 1965 1919 dput(root_dentry); 1966 - err_dev_free: 1967 - if (fud) 1968 - fuse_dev_free(fud); 1969 1920 err_free_dax: 1970 1921 if (IS_ENABLED(CONFIG_FUSE_DAX)) 1971 1922 fuse_dax_conn_free(fc); ··· 1977 1934 struct fuse_mount *fm; 1978 1935 int err; 1979 1936 1980 - if (!ctx->file || !ctx->rootmode_present || 1937 + if (!ctx->fud || !ctx->rootmode_present || 1981 1938 !ctx->user_id_present || !ctx->group_id_present) 1982 1939 return -EINVAL; 1983 - 1984 - /* 1985 - * Require mount to happen from the same user namespace which 1986 - * opened /dev/fuse to prevent potential attacks. 1987 - */ 1988 - if ((ctx->file->f_op != &fuse_dev_operations) || 1989 - (ctx->file->f_cred->user_ns != sb->s_user_ns)) 1990 - return -EINVAL; 1991 - ctx->fudptr = &ctx->file->private_data; 1992 1940 1993 1941 err = fuse_fill_super_common(sb, ctx); 1994 1942 if (err) 1995 1943 return err; 1996 - /* file->private_data shall be visible on all CPUs after this */ 1997 - smp_mb(); 1998 1944 1999 1945 fm = get_fuse_mount_super(sb); 2000 1946 ··· 2001 1969 2002 1970 static int fuse_test_super(struct super_block *sb, struct fs_context *fsc) 2003 1971 { 1972 + struct fuse_dev *fud = fsc->sget_key; 2004 1973 2005 - return fsc->sget_key == get_fuse_conn_super(sb); 1974 + return fuse_dev_fc_get(fud) == get_fuse_conn_super(sb); 2006 1975 } 2007 1976 2008 1977 static int fuse_get_tree(struct fs_context *fsc) 2009 1978 { 2010 1979 struct fuse_fs_context *ctx = fsc->fs_private; 2011 - struct fuse_dev *fud; 2012 1980 struct fuse_conn *fc; 2013 1981 struct fuse_mount *fm; 2014 1982 struct super_block *sb; ··· 2029 1997 2030 1998 fsc->s_fs_info = fm; 2031 1999 2032 - if (ctx->fd_present) 2033 - ctx->file = fget(ctx->fd); 2034 - 2035 2000 if (IS_ENABLED(CONFIG_BLOCK) && ctx->is_bdev) { 2036 2001 err = get_tree_bdev(fsc, fuse_fill_super); 2037 2002 goto out; ··· 2038 2009 * (found by device name), normal fuse mounts can't 2039 2010 */ 2040 2011 err = -EINVAL; 2041 - if (!ctx->file) 2012 + if (!ctx->fud) 2042 2013 goto out; 2043 2014 2044 2015 /* 2045 2016 * Allow creating a fuse mount with an already initialized fuse 2046 2017 * connection 2047 2018 */ 2048 - fud = __fuse_get_dev(ctx->file); 2049 - if (ctx->file->f_op == &fuse_dev_operations && fud) { 2050 - fsc->sget_key = fud->fc; 2019 + if (fuse_dev_fc_get(ctx->fud)) { 2020 + fsc->sget_key = ctx->fud; 2051 2021 sb = sget_fc(fsc, fuse_test_super, fuse_set_no_super); 2052 2022 err = PTR_ERR_OR_ZERO(sb); 2053 2023 if (!IS_ERR(sb)) ··· 2057 2029 out: 2058 2030 if (fsc->s_fs_info) 2059 2031 fuse_mount_destroy(fm); 2060 - if (ctx->file) 2061 - fput(ctx->file); 2062 2032 return err; 2063 2033 } 2064 2034
+4 -4
fs/fuse/readdir.c
··· 52 52 } 53 53 version = fi->rdc.version; 54 54 size = fi->rdc.size; 55 - offset = size & ~PAGE_MASK; 55 + offset = offset_in_page(size); 56 56 index = size >> PAGE_SHIFT; 57 57 /* Dirent doesn't fit in current page? Jump to next page. */ 58 58 if (offset + reclen > PAGE_SIZE) { ··· 392 392 void *addr, unsigned int size, 393 393 struct dir_context *ctx) 394 394 { 395 - unsigned int offset = ff->readdir.cache_off & ~PAGE_MASK; 395 + unsigned int offset = offset_in_page(ff->readdir.cache_off); 396 396 enum fuse_parse_result res = FOUND_NONE; 397 397 398 398 WARN_ON(offset >= size); ··· 518 518 index = ff->readdir.cache_off >> PAGE_SHIFT; 519 519 520 520 if (index == (fi->rdc.size >> PAGE_SHIFT)) 521 - size = fi->rdc.size & ~PAGE_MASK; 521 + size = offset_in_page(fi->rdc.size); 522 522 else 523 523 size = PAGE_SIZE; 524 524 spin_unlock(&fi->rdc.lock); 525 525 526 526 /* EOF? */ 527 - if ((ff->readdir.cache_off & ~PAGE_MASK) == size) 527 + if (offset_in_page(ff->readdir.cache_off) == size) 528 528 return 0; 529 529 530 530 page = find_get_page_flags(file->f_mapping, index,
+26 -7
fs/fuse/virtio_fs.c
··· 486 486 if (!fsvq->fud) 487 487 continue; 488 488 489 - fuse_dev_free(fsvq->fud); 489 + fuse_dev_put(fsvq->fud); 490 490 fsvq->fud = NULL; 491 491 } 492 492 } ··· 758 758 req->argbuf = NULL; 759 759 } 760 760 761 + /* Verify that the server properly follows the FUSE protocol */ 762 + static bool virtio_fs_verify_response(struct fuse_req *req, unsigned int len) 763 + { 764 + struct fuse_out_header *oh = &req->out.h; 765 + 766 + if (len < sizeof(*oh)) { 767 + pr_warn("virtio-fs: response too short (%u)\n", len); 768 + return false; 769 + } 770 + if (oh->len != len) { 771 + pr_warn("virtio-fs: oh.len mismatch (%u != %u)\n", oh->len, len); 772 + return false; 773 + } 774 + if (oh->unique != req->in.h.unique) { 775 + pr_warn("virtio-fs: oh.unique mismatch (%llu != %llu)\n", 776 + oh->unique, req->in.h.unique); 777 + return false; 778 + } 779 + return true; 780 + } 781 + 761 782 /* Work function for request completion */ 762 783 static void virtio_fs_request_complete(struct fuse_req *req, 763 784 struct virtio_fs_vq *fsvq) ··· 788 767 unsigned int len, i, thislen; 789 768 struct folio *folio; 790 769 791 - /* 792 - * TODO verify that server properly follows FUSE protocol 793 - * (oh.uniq, oh.len) 794 - */ 795 770 args = req->args; 796 771 copy_args_from_argbuf(args, req); 797 772 ··· 841 824 virtqueue_disable_cb(vq); 842 825 843 826 while ((req = virtqueue_get_buf(vq, &len)) != NULL) { 827 + if (!virtio_fs_verify_response(req, len)) { 828 + req->out.h.error = -EIO; 829 + req->out.h.len = sizeof(struct fuse_out_header); 830 + } 844 831 spin_lock(&fpq->lock); 845 832 list_move_tail(&req->list, &reqs); 846 833 spin_unlock(&fpq->lock); ··· 1590 1569 goto err_free_fuse_devs; 1591 1570 } 1592 1571 1593 - /* virtiofs allocates and installs its own fuse devices */ 1594 - ctx->fudptr = NULL; 1595 1572 if (ctx->dax_mode != FUSE_DAX_NEVER) { 1596 1573 if (ctx->dax_mode == FUSE_DAX_ALWAYS && !fs->dax_dev) { 1597 1574 err = -EINVAL;