Received: by 2002:ad5:4acb:0:0:0:0:0 with SMTP id n11csp2496516imw; Sun, 10 Jul 2022 07:48:51 -0700 (PDT) X-Google-Smtp-Source: AGRyM1vbuoV0f0zLbJtLvs3aIKmknqtXB6OPh6tsaNJve/k+tWFvRe5HfYCK3uwnQyEW7D2p+twv X-Received: by 2002:a05:6402:5212:b0:43a:ad74:b336 with SMTP id s18-20020a056402521200b0043aad74b336mr17375941edd.16.1657464530956; Sun, 10 Jul 2022 07:48:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1657464530; cv=none; d=google.com; s=arc-20160816; b=qdcsVHHqrNPh3wsf83yx/yxoxtfxsOD3LTk+yHrAnp/BLJk5hYCVyhUHrXANjBZO2k MF+Oy8EZFNCvK3E/HV89nlHBQTVIt/H94nMN8MxtLFQpM44Ln1gyEkKjEaxxs2goezO2 I1JvH3OisAHSr20EAd/h8G9n9qyDglTD6RGecxQAJ45NH+yR1p6h05rc4qI7DTbU/fw8 53fHlyySSWVLzqh1uXkrSMUoIL9MuIH4dYM5JWj8GVOOJK50+YvxL/NL4mcx4EMlJ/1b g/FKKKIZfs7J5VJoSsqb8AP+I6udefuxwYnoVU+SGTpi7TKMwCnkHDacWqSDV1zSqB4Q 2idg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature:dkim-filter; bh=5luTSbCpek4DmkxIhGE2kWN5CmMJaM+dDduiyURuJiM=; b=Uq8RO7IzyYh86cLbxab7SFvKI3RNDkPbFM1QBrJAnVfz2hvDumb0Qe82OkWvlwaNwx HjKC5tBa3+GDSCPrEb1sYyqV7O3P1jlSewPQuzAwvbpeEtvYB8qHFfJo2DvqaUmfyDbc XLRrIdqs/Qh3YbvoC04baxO6o123C+ru6AZX3aehSOQqd2X3sBjybthTO0qN6vvPMAv3 0hrEo7lvVCRttf7a3hMoiTy7or6AEFu16/a2MJjpY/oSUpbkQk+UpyGu/GhlivFJu5Ui za2oyS8XQnA8+9WfHrpxDQYcpalAxVOLetJijCTsngPWRvNY3PhU/qL85JDY8oFK99EI mX6Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=X8g5f1Yw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id d3-20020a170906c20300b006ff142129b0si5433718ejz.926.2022.07.10.07.48.26; Sun, 10 Jul 2022 07:48:50 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=X8g5f1Yw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229562AbiGJOOM (ORCPT + 99 others); Sun, 10 Jul 2022 10:14:12 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38808 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229476AbiGJOOL (ORCPT ); Sun, 10 Jul 2022 10:14:11 -0400 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 360D6D56; Sun, 10 Jul 2022 07:14:11 -0700 (PDT) Received: from sequoia.devices.tihix.com (162-237-133-238.lightspeed.rcsntx.sbcglobal.net [162.237.133.238]) by linux.microsoft.com (Postfix) with ESMTPSA id 2331B204CB25; Sun, 10 Jul 2022 07:14:10 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 2331B204CB25 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1657462451; bh=5luTSbCpek4DmkxIhGE2kWN5CmMJaM+dDduiyURuJiM=; h=From:To:Cc:Subject:Date:From; b=X8g5f1YwEVLfXet0rsx6tUQava5LirGnz2lNYN8QO64jhs55r6QAtuqnVuguzmiyC jIARGDheEzNVP/VCEoePMloq4Q2GU0OPtClDgSucD/USe4abLW/QZ/mYxVxpIfg8QC hTemGUV9IE7DPFG4bxDTQJsxjtxcz762FkC+Gikg= From: Tyler Hicks To: Eric Van Hensbergen , Latchesar Ionkov , Dominique Martinet , Christian Schoenebeck , Christophe JAILLET Cc: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , v9fs-developer@lists.sourceforge.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v2] net/9p: Initialize the iounit field during fid creation Date: Sun, 10 Jul 2022 09:14:02 -0500 Message-Id: <20220710141402.803295-1-tyhicks@linux.microsoft.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-19.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_MED, SPF_HELO_PASS,SPF_PASS,T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL, USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Ensure that the fid's iounit field is set to zero when a new fid is created. Certain 9P operations, such as OPEN and CREATE, allow the server to reply with an iounit size which the client code assigns to the p9_fid struct shortly after the fid is created by p9_fid_create(). On the other hand, an XATTRWALK operation doesn't allow for the server to specify an iounit value. The iounit field of the newly allocated p9_fid struct remained uninitialized in that case. Depending on allocation patterns, the iounit value could have been something reasonable that was carried over from previously freed fids or, in the worst case, could have been arbitrary values from non-fid related usages of the memory location. The bug was detected in the Windows Subsystem for Linux 2 (WSL2) kernel after the uninitialized iounit field resulted in the typical sequence of two getxattr(2) syscalls, one to get the size of an xattr and another after allocating a sufficiently sized buffer to fit the xattr value, to hit an unexpected ERANGE error in the second call to getxattr(2). An uninitialized iounit field would sometimes force rsize to be smaller than the xattr value size in p9_client_read_once() and the 9P server in WSL refused to chunk up the READ on the attr_fid and, instead, returned ERANGE to the client. The virtfs server in QEMU seems happy to chunk up the READ and this problem goes undetected there. Fixes: ebf46264a004 ("fs/9p: Add support user. xattr") Cc: stable@vger.kernel.org Signed-off-by: Tyler Hicks --- v2: - Add Fixes tag - Improve commit message clarity to make it clear that this only affects xattr get/set - kzalloc() the entire fid struct instead of individually zeroing each member - Thanks to Christophe JAILLET for the suggestion v1: https://lore.kernel.org/lkml/20220710062557.GA272934@sequoia/ net/9p/client.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/net/9p/client.c b/net/9p/client.c index 8bba0d9cf975..371519e7b885 100644 --- a/net/9p/client.c +++ b/net/9p/client.c @@ -889,16 +889,13 @@ static struct p9_fid *p9_fid_create(struct p9_client *clnt) struct p9_fid *fid; p9_debug(P9_DEBUG_FID, "clnt %p\n", clnt); - fid = kmalloc(sizeof(*fid), GFP_KERNEL); + fid = kzalloc(sizeof(*fid), GFP_KERNEL); if (!fid) return NULL; - memset(&fid->qid, 0, sizeof(fid->qid)); fid->mode = -1; fid->uid = current_fsuid(); fid->clnt = clnt; - fid->rdir = NULL; - fid->fid = 0; refcount_set(&fid->count, 1); idr_preload(GFP_KERNEL); -- 2.25.1