Received: by 2002:a05:6358:4e97:b0:b3:742d:4702 with SMTP id ce23csp3091124rwb; Mon, 15 Aug 2022 17:54:42 -0700 (PDT) X-Google-Smtp-Source: AA6agR6/XoPLRU+QCzLH1sB+k/VJJ+hpTTon81lK4b/O631JFqzsQJtjKIf1Rjz2U8L2P8I1dw9/ X-Received: by 2002:a17:907:75e1:b0:730:8f65:a278 with SMTP id jz1-20020a17090775e100b007308f65a278mr11800490ejc.147.1660611282128; Mon, 15 Aug 2022 17:54:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1660611282; cv=none; d=google.com; s=arc-20160816; b=p8BWmwOR42r2XRayuFMgTNhD9WRsXs3aEnZHUEzxfFms9GkUFKjIR3DQoqhGplNWR/ +WISNAtnQogehGSfgtdbGmMEaEqeIzquPRz0FSqo2mcIw0mNmrPsbmhOB7zv3IgSRgMc 2X2YHLNqZl2LEceBwlA67VAdbarCN+OnmcKmUMEF70U95vhhqdhGStxNj05LYqwjpaWw wUQEmrNmohFGXAiRhmtIXQRcANdt5UjIRD3AjwaKj3zZVv8vli4HAEeJGnrP90yFRIcH IX5PM5YkCms61EDaWxjsdO1O+252ZHHVnrDdqHQKib4ASO9FRM8TCO2pFs43cyjo+u97 D7oA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=cDjAxylN9yt4bEeUmX2ew2XJIvR3hN86MlwPAKfEzxA=; b=TaoS1k5c7kIeP6w3cYSuju4QY1dzPRedQXQIbSN8xHauCVwqzCARlfk/0Makux/Sn/ jfeFLHYTkYg6+XaKWJQX/yWQiM9e+C6coFhF2adfxeuui0jU1+IVUMQfrd+0uDw0WcT8 sv9pUD38xPqgd0n3DFBNuuSXJ2pCL3Q0hrO0QBDTDsvro99U1QdHYUVZaTr8s0HfO5XJ QpIIeQAzyAfUJfrrYhQGm8aprfwsYymt2Ejg3N/JrcbTRjGqstMiSp1XpKVyJCL6xSzf AGv9x7xaXvlQSeExK98yOBpN7rXAVDWhcFa3Paj5qvVb70x7IzahN5LpT5qek0NpLyF6 X0bQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Z33Hk1t7; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id o11-20020a170906974b00b00730a1f55ac8si9188987ejy.821.2022.08.15.17.54.16; Mon, 15 Aug 2022 17:54:42 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Z33Hk1t7; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344024AbiHOXUu (ORCPT + 99 others); Mon, 15 Aug 2022 19:20:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52682 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1353434AbiHOXQc (ORCPT ); Mon, 15 Aug 2022 19:16:32 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 30D771481FD; Mon, 15 Aug 2022 13:03:14 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 920AC61299; Mon, 15 Aug 2022 20:03:13 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 964AEC433D6; Mon, 15 Aug 2022 20:03:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660593793; bh=5Yp6igdeXS+EWXG2NTOm4EuzoPMlhsDncrfw0qxvFDw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Z33Hk1t7duRNQxsHXNJ1H3hJqNtH4LHj+M1WRJqS3zCed6qvBeZGPSrZeOlCiZ5dX AqkiWCoS4nd5ziQfUzqC0UCdTVJMNP50+tV2T267a3aK1KnbcVppfX/LxOHRMctWma FsA01KmZTMxy9sOZJMUkE8GyT791ZQSqeE4LUsQc= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Tyler Hicks , Christian Schoenebeck , Dominique Martinet , Sasha Levin Subject: [PATCH 5.18 1007/1095] net/9p: Initialize the iounit field during fid creation Date: Mon, 15 Aug 2022 20:06:46 +0200 Message-Id: <20220815180510.754918285@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220815180429.240518113@linuxfoundation.org> References: <20220815180429.240518113@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Tyler Hicks [ Upstream commit aa7aeee169480e98cf41d83c01290a37e569be6d ] Ensure that the fid's iounit field is set to zero when a new fid is created. Certain 9P operations, such as OPEN and CREATE, allow the server to reply with an iounit size which the client code assigns to the p9_fid struct shortly after the fid is created by p9_fid_create(). On the other hand, an XATTRWALK operation doesn't allow for the server to specify an iounit value. The iounit field of the newly allocated p9_fid struct remained uninitialized in that case. Depending on allocation patterns, the iounit value could have been something reasonable that was carried over from previously freed fids or, in the worst case, could have been arbitrary values from non-fid related usages of the memory location. The bug was detected in the Windows Subsystem for Linux 2 (WSL2) kernel after the uninitialized iounit field resulted in the typical sequence of two getxattr(2) syscalls, one to get the size of an xattr and another after allocating a sufficiently sized buffer to fit the xattr value, to hit an unexpected ERANGE error in the second call to getxattr(2). An uninitialized iounit field would sometimes force rsize to be smaller than the xattr value size in p9_client_read_once() and the 9P server in WSL refused to chunk up the READ on the attr_fid and, instead, returned ERANGE to the client. The virtfs server in QEMU seems happy to chunk up the READ and this problem goes undetected there. Link: https://lkml.kernel.org/r/20220710141402.803295-1-tyhicks@linux.microsoft.com Fixes: ebf46264a004 ("fs/9p: Add support user. xattr") Cc: stable@vger.kernel.org Signed-off-by: Tyler Hicks Reviewed-by: Christian Schoenebeck Signed-off-by: Dominique Martinet Signed-off-by: Sasha Levin --- net/9p/client.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/net/9p/client.c b/net/9p/client.c index a36a40137caa..87cde948f628 100644 --- a/net/9p/client.c +++ b/net/9p/client.c @@ -886,16 +886,13 @@ static struct p9_fid *p9_fid_create(struct p9_client *clnt) struct p9_fid *fid; p9_debug(P9_DEBUG_FID, "clnt %p\n", clnt); - fid = kmalloc(sizeof(*fid), GFP_KERNEL); + fid = kzalloc(sizeof(*fid), GFP_KERNEL); if (!fid) return NULL; - memset(&fid->qid, 0, sizeof(fid->qid)); fid->mode = -1; fid->uid = current_fsuid(); fid->clnt = clnt; - fid->rdir = NULL; - fid->fid = 0; refcount_set(&fid->count, 1); idr_preload(GFP_KERNEL); -- 2.35.1