Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp1498445pxf;
        Fri, 19 Mar 2021 08:23:33 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwr0do7XL77o3Gnc240+htKpKTPOLnkSW9lBEMdKS1iuuA1eQ7wQkttsejiS9Iuk59l7Xgd
X-Received: by 2002:a17:906:6c93:: with SMTP id s19mr4932964ejr.151.1616167413733;
        Fri, 19 Mar 2021 08:23:33 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1616167413; cv=none;
        d=google.com; s=arc-20160816;
        b=vMqQtDmGhXxKZw1hP7S+ntmXqcpiQ+ap6AjaWWKRsWtv68Ah/JEDHpGdS52nl9lsCG
         9vCAXr2YRPUB3/4UWRTvZwGMWNdPmxnktT7S1vkbpaRrhXqmDU1a7EuC9dASdGsaVZpl
         i8E95dFzThxS46Awb0lfR6roALdJtZhs6/QuGs6Wmdbt9S4ItIlnpVvGI9V7rlTmHOBc
         2ay+13ne0pq5ogfR3j1pSNlhUGC54j6yo2tZnivBsj53+0e4/sjeMGDdsUiYYoQQxn7p
         kbRISIFtP3+OhwLdgtz2vVZmdTZr7xUjuxo8vfReA5K2xsjweSBbHgZUa/jSMQNe0pSD
         U2VQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=ZHMAhBAQOpphLRREZJlNVL6uBoRegoHiEupgJ4ClwKw=;
        b=jIgHjkiNLAd9XgDbw2nfm/cBMAx7mkNegLmqw+FXr33OuODiNuaBs1ItkezNHYSUx9
         5G6kHqFELCJ0aSA8HOrfsyjkc3nAxyseVaV5HJ/iwOzntqmvzhbxr2JsBMqz1bQSIhC5
         nDW6MQ5wCS1l8DjB7ei/sqYcLSebu6H5rKJQOoa5dXs7v1Xd1PBKp03UF469R34BVk/Q
         csMfa7RDFbQcKvE/D6NthyaK2QVrUz3QBIFm5/cGuev758qcBUQ6DxkWV9V6axKRo44u
         fkdq2TBn4+ZcpEUJFt2HZHKdhZDUZeuGYqbPaXLR1ATeCFPC+YCvdOB4r5bss0Z5GbRj
         JbPg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@android.com header.s=20161025 header.b="BeQ/Y7G9";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=android.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id k15si4514864eji.582.2021.03.19.08.23.11;
        Fri, 19 Mar 2021 08:23:33 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@android.com header.s=20161025 header.b="BeQ/Y7G9";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=android.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230046AbhCSPVm (ORCPT <rfc822;madrobroadblock@gmail.com>
        + 99 others); Fri, 19 Mar 2021 11:21:42 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38260 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230272AbhCSPVf (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 19 Mar 2021 11:21:35 -0400
Received: from mail-wr1-x430.google.com (mail-wr1-x430.google.com [IPv6:2a00:1450:4864:20::430])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8A521C06174A
        for <linux-kernel@vger.kernel.org>; Fri, 19 Mar 2021 08:21:35 -0700 (PDT)
Received: by mail-wr1-x430.google.com with SMTP id 61so9477432wrm.12
        for <linux-kernel@vger.kernel.org>; Fri, 19 Mar 2021 08:21:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=android.com; s=20161025;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to;
        bh=ZHMAhBAQOpphLRREZJlNVL6uBoRegoHiEupgJ4ClwKw=;
        b=BeQ/Y7G9PKlLSgTvrVqTbv9UYOwFvwQV2vCiiXKrpFdx48ue4RJWqK2E5Y3hZBX0Zc
         cRVLYAI4PKFcOpaD8KDxYlQVbGKLLSC0XGuySmfIV1xJ7P3J7gkrsggRSyd7n/GhIvwp
         Csf/+kj/SYoazFwU7t7Q+PMp29QGE0HTy8GowqGzTWMGtmcdsgOSiiJK2e1maqB05JUv
         P/68MkGcd14W8EKxbJzg0rkb/bmuYLW/u9JDDRIBwfb1p4BPkcyLEFBQ6UsCobSzKv2y
         jmHkj/KS5zKOJsKRl8B0siydrMFBIJ+hQmh2zfkZYZmMkoJeC/G6cAf2hs96B7ZL8DZu
         zSjg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to;
        bh=ZHMAhBAQOpphLRREZJlNVL6uBoRegoHiEupgJ4ClwKw=;
        b=NYxgaRgsUAsI8GVk6b/K7iTvNidtf4vhOj/Xr687C7zFMKLgYjJSPB5ESGUiG6omao
         YVYDYjHDt+A/CwrXVEOHnESQDOlD9/EsrtJNTneOHqYGuticr0RgRhMgGWix1pcYL0EJ
         iRFsg6tusgdMLAXSrmRVjEeA0lzKPx8EC9jpDcMXrQ83oKBAmglAF5oXbAqG6Gej1HYO
         /PeIfTCJHpPwXim9KT9edbx8DWZ5w+PGkAI65Wx0BxQ7a8opxtveTT9mwm360QngXxfV
         rQ0m9Bz5ftLTCZyP5EsRWQIFRiBFt1H+CITwBNuL0yqdcqwrOXwtHebQb/n16iMatdsZ
         vFvQ==
X-Gm-Message-State: AOAM532VzbgmCBFtRa69+wkpBPh+2Ws6kqZrehVBy50tJfRNLwi5hTYl
        jVyDT1Ae/9p4LyFb3xCbEe7cBg==
X-Received: by 2002:a5d:67c8:: with SMTP id n8mr5097586wrw.351.1616167294369;
        Fri, 19 Mar 2021 08:21:34 -0700 (PDT)
Received: from google.com ([2a00:79e0:d:210:d49c:45f3:9d86:b2e9])
        by smtp.gmail.com with ESMTPSA id 13sm6777119wmw.5.2021.03.19.08.21.33
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 19 Mar 2021 08:21:34 -0700 (PDT)
Date:   Fri, 19 Mar 2021 15:21:32 +0000
From:   Alessio Balsini <balsini@android.com>
To:     Arnd Bergmann <arnd@kernel.org>
Cc:     Alessio Balsini <balsini@android.com>,
        Miklos Szeredi <miklos@szeredi.hu>,
        Akilesh Kailash <akailash@google.com>,
        Amir Goldstein <amir73il@gmail.com>,
        Antonio SJ Musumeci <trapexit@spawn.link>,
        David Anderson <dvander@google.com>,
        Giuseppe Scrivano <gscrivan@redhat.com>,
        Jann Horn <jannh@google.com>, Jens Axboe <axboe@kernel.dk>,
        Martijn Coenen <maco@android.com>,
        Palmer Dabbelt <palmer@dabbelt.com>,
        Paul Lawrence <paullawrence@google.com>,
        Peng Tao <bergwolf@gmail.com>,
        Stefano Duo <duostefano93@gmail.com>,
        Zimuzo Ezeozue <zezeozue@google.com>, wuyan <wu-yan@tcl.com>,
        fuse-devel@lists.sourceforge.net,
        Android Kernel Team <kernel-team@android.com>,
        Linux FS-devel Mailing List <linux-fsdevel@vger.kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH RESEND V12 2/8] fuse: 32-bit user space ioctl compat for
 fuse device
Message-ID: <YFTBfKslrZsHYQPi@google.com>
References: <20210125153057.3623715-1-balsini@android.com>
 <20210125153057.3623715-3-balsini@android.com>
 <CAK8P3a2VDH9-reuj8QTkFzbaU9XTUEOWFCmCVg1Snb6RjD6mHw@mail.gmail.com>
 <YFN8IyFTdqhlS9Lf@google.com>
 <CAK8P3a36ToSbvW1F_0w0gCiWGCoZgFwoLHmQ7Tz2jtwV++VrWA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAK8P3a36ToSbvW1F_0w0gCiWGCoZgFwoLHmQ7Tz2jtwV++VrWA@mail.gmail.com>
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Mar 18, 2021 at 10:15:43PM +0100, Arnd Bergmann wrote:
> On Thu, Mar 18, 2021 at 5:13 PM Alessio Balsini <balsini@android.com> wrote:
> > On Tue, Mar 16, 2021 at 07:53:06PM +0100, Arnd Bergmann wrote:
> > > On Mon, Jan 25, 2021 at 4:48 PM Alessio Balsini <balsini@android.com> wrote:
> > > >
> >
> > Thanks for spotting this possible criticality.
> >
> > I noticed that 32-bit users pace was unable to use the
> > FUSE_DEV_IOC_CLONE ioctl on 64-bit kernels, so this change avoid this
> > issue by forcing the kernel to interpret 32 and 64 bit
> > FUSE_DEV_IOC_CLONE command as if they were the same.
> 
> As far as I can tell from the kernel headers, the command code should
> be the same for both 32-bit and 64-bit tasks: 0x8004e500.
> Can you find out what exact value you see in the user space that was
> causing problems, and how it ended up with a different value than
> the 64-bit version?
> 
> If there are two possible command codes, I'd suggest you just change
> the driver to handle both variants explicitly, but not any other one.
> 
> > This is the simplest solution I could find as the UAPI is not changed
> > as, as you mentioned, the argument doesn't require any conversion.
> >
> > I understand that this might limit possible future extensions of the
> > FUSE_DEV_IOC_XXX ioctls if their in/out argument changed depending on
> > the architecture, but only at that point we can switch to using the
> > compat layer, right?
> >
> > What I'm worried about is the direction, do you think this would be an
> > issue?
> >
> > I can start working on a compat layer fix meanwhile.
> 
> For a proper well-designed ioctl interface, compat support should not
> need anything beyond the '.compat_ioctl = compat_ptr_ioctl'
> assignment.
> 
>        Arnd

You are right and now I can see what happened here.

When I introduce the PASSTHROUGH ioctl, because of the 'void *', the
command mismatches on _IOC_SIZE(nr). I solved this by only testing
_IOC_NUMBER and _IOC_TYPE, implicitely (mistakenly) removing the
_IOC_SIZE check.  So, the fuse_dev_ioctl was correctly rejecting the
ioctl request from 32-bit userspace because of the wrong size and I was
just forcing it to digest the wrong data regardless.
Ouch!

The commit message for this patch would still be incorrect, but I posted
a fix here to bring the ioctl checking back to the original behavior:

  https://lore.kernel.org/lkml/20210319150514.1315985-1-balsini@android.com/

Thanks for spotting this!
Alessio