Received: by 2002:a05:6a10:eb17:0:0:0:0 with SMTP id hx23csp2833416pxb; Mon, 6 Sep 2021 06:26:55 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyBBtlFkha32iRMh5ZQB5twJ5cC4T1UnhcWkvK10hjJlwk7NVrLtYKYrnilVAsOdtdG2VgU X-Received: by 2002:a6b:d90b:: with SMTP id r11mr9597818ioc.99.1630934815000; Mon, 06 Sep 2021 06:26:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1630934814; cv=none; d=google.com; s=arc-20160816; b=Sjgct/hRdajvHuOQX8dZK9QW7xU0a6ou0+4OxDgH8vYsa2+QGTyeEoazpCIXIiXIe6 Mqrsv2Gk9u2gH0n4xJDcCfFWlnKP7E5rfIQ+aXrzPo42XqPYtxVK9WOaIU3wNSl8iIYt Qmm5d3KcpYV5FOMC3PM8RSGIyFrqPoHb3vTnYQSJq8ISC/hLsfMOG+zR5iYYP8+tn2zp T+vTQeIugdUKDHW6X8FdLU1bcsQipF02PsCO9XT25vEBulhwznyZgdfYV8FlogATb01P nwnHTLvf7pfcEDFqVBMtS4KgZs0itFlqZsAOtw5yJhXrdz3dbDujQcDJIgmeNQm9MtXh okRw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=Fie6H+2NskSM/5ZHbW4b0m1lWJbEGE3bhJ7+ZPxMI7A=; b=zgu0Sgi8wMXVPYLo71ugg+/cKMDlkhgDDjELjCwDxQBhx1DmRivlFU09HNRGLbVOHc AQEeDVkXZot/vi1GkKjGgG5spC78wEqrApVpcjlOY7tabnOTpVCFNUycLahz+rrFk6Ea dqs/1/oE9Ify3IYcs/Uy0trnCKxzYxK1YRmGXQLfGUssJIbCORUF1ZgGawmeYXqdfqaH caOh/KpeqMJzcuDP7P7S79uppMEOojLpGB/xffN7qigaxZNSByyBFhzOT9ondJxe1ATF fmCrPt72Oc/vrRvS3dS+qaLcbSJsoe2B8Ghl4BMWEsuLAFhgU5bg0er1BdaQcr3Majwq 0Ykg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=w2kcBD2r; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o20si9036327iov.71.2021.09.06.06.26.42; Mon, 06 Sep 2021 06:26:54 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=w2kcBD2r; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242710AbhIFM65 (ORCPT + 99 others); Mon, 6 Sep 2021 08:58:57 -0400 Received: from mail.kernel.org ([198.145.29.99]:35462 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242933AbhIFM60 (ORCPT ); Mon, 6 Sep 2021 08:58:26 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 53B886103D; Mon, 6 Sep 2021 12:57:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1630933041; bh=PQRmfGTaV5yBSF7Zayrd3gqnXik1sdjwlMeSAP3iGOQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=w2kcBD2rpw/yzDwg8JUKA4IRLWAV8C7JTZVgGdovBLZNeRc4gPEoLoIX1GuQZxsn1 Qywe5UzrhnVSIvlbaXjrnM0s7C5SSJ7UNpo/JUcjpnsLHEWRN5fFtw4J4yROP1Rxpg t1S2mNzq0TZxs6sVY4DkPiiq3OKEC4NZMUYo4czU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Amir Goldstein , Miklos Szeredi Subject: [PATCH 5.10 28/29] fuse: fix illegal access to inode with reused nodeid Date: Mon, 6 Sep 2021 14:55:43 +0200 Message-Id: <20210906125450.717001154@linuxfoundation.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20210906125449.756437409@linuxfoundation.org> References: <20210906125449.756437409@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Amir Goldstein commit 15db16837a35d8007cb8563358787412213db25e upstream. Server responds to LOOKUP and other ops (READDIRPLUS/CREATE/MKNOD/...) with ourarg containing nodeid and generation. If a fuse inode is found in inode cache with the same nodeid but different generation, the existing fuse inode should be unhashed and marked "bad" and a new inode with the new generation should be hashed instead. This can happen, for example, with passhrough fuse filesystem that returns the real filesystem ino/generation on lookup and where real inode numbers can get recycled due to real files being unlinked not via the fuse passthrough filesystem. With current code, this situation will not be detected and an old fuse dentry that used to point to an older generation real inode, can be used to access a completely new inode, which should be accessed only via the new dentry. Note that because the FORGET message carries the nodeid w/o generation, the server should wait to get FORGET counts for the nlookup counts of the old and reused inodes combined, before it can free the resources associated to that nodeid. Stable backport notes: * This is not a regression. The bug has been in fuse forever, but only a certain class of low level fuse filesystems can trigger this bug * Because there is no way to check if this fix is applied in runtime, libfuse test_examples.py tests this fix with hardcoded check for kernel version >= 5.14 * After backport to stable kernel(s), the libfuse test can be updated to also check minimal stable kernel version(s) * Depends on "fuse: fix bad inode" which is already applied to stable kernels v5.4.y and v5.10.y * Required backporting helper inode_wrong_type() Signed-off-by: Amir Goldstein Signed-off-by: Miklos Szeredi Cc: stable@vger.kernel.org Link: https://lore.kernel.org/linux-fsdevel/CAOQ4uxi8DymG=JO_sAU+wS8akFdzh+PuXwW3Ebgahd2Nwnh7zA@mail.gmail.com/ Signed-off-by: Amir Goldstein Signed-off-by: Greg Kroah-Hartman --- fs/fuse/dir.c | 2 +- fs/fuse/fuse_i.h | 7 +++++++ fs/fuse/inode.c | 4 ++-- fs/fuse/readdir.c | 7 +++++-- 4 files changed, 15 insertions(+), 5 deletions(-) --- a/fs/fuse/dir.c +++ b/fs/fuse/dir.c @@ -252,7 +252,7 @@ static int fuse_dentry_revalidate(struct if (ret == -ENOMEM) goto out; if (ret || fuse_invalid_attr(&outarg.attr) || - inode_wrong_type(inode, outarg.attr.mode)) + fuse_stale_inode(inode, outarg.generation, &outarg.attr)) goto invalid; forget_all_cached_acls(inode); --- a/fs/fuse/fuse_i.h +++ b/fs/fuse/fuse_i.h @@ -860,6 +860,13 @@ static inline u64 fuse_get_attr_version( return atomic64_read(&fc->attr_version); } +static inline bool fuse_stale_inode(const struct inode *inode, int generation, + struct fuse_attr *attr) +{ + return inode->i_generation != generation || + inode_wrong_type(inode, attr->mode); +} + static inline void fuse_make_bad(struct inode *inode) { remove_inode_hash(inode); --- a/fs/fuse/inode.c +++ b/fs/fuse/inode.c @@ -340,8 +340,8 @@ retry: inode->i_generation = generation; fuse_init_inode(inode, attr); unlock_new_inode(inode); - } else if (inode_wrong_type(inode, attr->mode)) { - /* Inode has changed type, any I/O on the old should fail */ + } else if (fuse_stale_inode(inode, generation, attr)) { + /* nodeid was reused, any I/O on the old inode should fail */ fuse_make_bad(inode); iput(inode); goto retry; --- a/fs/fuse/readdir.c +++ b/fs/fuse/readdir.c @@ -200,9 +200,12 @@ retry: if (!d_in_lookup(dentry)) { struct fuse_inode *fi; inode = d_inode(dentry); + if (inode && get_node_id(inode) != o->nodeid) + inode = NULL; if (!inode || - get_node_id(inode) != o->nodeid || - inode_wrong_type(inode, o->attr.mode)) { + fuse_stale_inode(inode, o->generation, &o->attr)) { + if (inode) + fuse_make_bad(inode); d_invalidate(dentry); dput(dentry); goto retry;