From: Miklos Szeredi <mszeredi@redhat.com>

Date: Thu, 10 Dec 2020 15:33:14 +0100

Subject: fuse: fix bad inode

Git-commit: 5d069dbe8aaf2a197142558b6fb2978189ba3454

Patch-mainline: v5.11-rc1

References: bsc#1184211 CVE-2020-36322

Jan Kara's analysis of the syzbot report (edited):

  The reproducer opens a directory on FUSE filesystem, it then attaches

  dnotify mark to the open directory.  After that a fuse_do_getattr() call

  finds that attributes returned by the server are inconsistent, and calls

  make_bad_inode() which, among other things does:

          inode->i_mode = S_IFREG;

  This then confuses dnotify which doesn't tear down its structures

  properly and eventually crashes.

Avoid calling make_bad_inode() on a live inode: switch to a private flag on

the fuse inode.  Also add the test to ops which the bad_inode_ops would

have caught.

This bug goes back to the initial merge of fuse in 2.6.14...

Reported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com

Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

Tested-by: Jan Kara <jack@suse.cz>

Cc: <stable@vger.kernel.org>

[luis:

 - Adjust context

 - Modify fuse_readpages() instead of fuse_readahead() since we don't have

   commit 76a0294eb19b ("fuse: convert from readpages to readahead")]

Acked-by: Luis Henriques <lhenriques@suse.com>

---

 fs/fuse/acl.c     |    6 ++++++

 fs/fuse/dir.c     |   37 ++++++++++++++++++++++++++++++++-----

 fs/fuse/file.c    |   19 +++++++++++--------

 fs/fuse/fuse_i.h  |   12 ++++++++++++

 fs/fuse/inode.c   |    4 ++--

 fs/fuse/readdir.c |    4 ++--

 fs/fuse/xattr.c   |    9 +++++++++

 7 files changed, 74 insertions(+), 17 deletions(-)

--- a/fs/fuse/acl.c

+++ b/fs/fuse/acl.c

@@ -19,6 +19,9 @@ struct posix_acl *fuse_get_acl(struct in

 	void *value = NULL;

 	struct posix_acl *acl;

+	if (fuse_is_bad(inode))

+		return ERR_PTR(-EIO);

+

 	if (!fc->posix_acl || fc->no_getxattr)

 		return NULL;

@@ -53,6 +56,9 @@ int fuse_set_acl(struct inode *inode, st

 	const char *name;

 	int ret;

+	if (fuse_is_bad(inode))

+		return -EIO;

+

 	if (!fc->posix_acl || fc->no_setxattr)

 		return -EOPNOTSUPP;

--- a/fs/fuse/dir.c

+++ b/fs/fuse/dir.c

@@ -167,7 +167,7 @@ static int fuse_dentry_revalidate(struct

 	int ret;

 	inode = d_inode_rcu(entry);

-	if (inode && is_bad_inode(inode))

+	if (inode && fuse_is_bad(inode))

 		goto invalid;

 	else if (time_before64(fuse_dentry_time(entry), get_jiffies_64()) ||

 		 (flags & LOOKUP_REVAL)) {

@@ -339,6 +339,9 @@ static struct dentry *fuse_lookup(struct

 	bool outarg_valid = true;

 	bool locked;

+	if (fuse_is_bad(dir))

+		return ERR_PTR(-EIO);

+

 	locked = fuse_lock_inode(dir);

 	err = fuse_lookup_name(dir->i_sb, get_node_id(dir), &entry->d_name,

 			       &outarg, &inode;;

@@ -481,6 +484,9 @@ static int fuse_atomic_open(struct inode

 	struct fuse_conn *fc = get_fuse_conn(dir);

 	struct dentry *res = NULL;

+	if (fuse_is_bad(dir))

+		return -EIO;

+

 	if (d_in_lookup(entry)) {

 		res = fuse_lookup(dir, entry, 0);

 		if (IS_ERR(res))

@@ -529,6 +535,9 @@ static int create_new_entry(struct fuse_

 	int err;

 	struct fuse_forget_link *forget;

+	if (fuse_is_bad(dir))

+		return -EIO;

+

 	forget = fuse_alloc_forget();

 	if (!forget)

 		return -ENOMEM;

@@ -656,6 +665,9 @@ static int fuse_unlink(struct inode *dir

 	struct fuse_conn *fc = get_fuse_conn(dir);

 	FUSE_ARGS(args);

+	if (fuse_is_bad(dir))

+		return -EIO;

+

 	args.in.h.opcode = FUSE_UNLINK;

 	args.in.h.nodeid = get_node_id(dir);

 	args.in.numargs = 1;

@@ -692,6 +704,9 @@ static int fuse_rmdir(struct inode *dir,

 	struct fuse_conn *fc = get_fuse_conn(dir);

 	FUSE_ARGS(args);

+	if (fuse_is_bad(dir))

+		return -EIO;

+

 	args.in.h.opcode = FUSE_RMDIR;

 	args.in.h.nodeid = get_node_id(dir);

 	args.in.numargs = 1;

@@ -770,6 +785,9 @@ static int fuse_rename2(struct inode *ol

 	struct fuse_conn *fc = get_fuse_conn(olddir);

 	int err;

+	if (fuse_is_bad(olddir))

+		return -EIO;

+

 	if (flags & ~(RENAME_NOREPLACE | RENAME_EXCHANGE))

 		return -EINVAL;

@@ -905,7 +923,7 @@ static int fuse_do_getattr(struct inode

 	if (!err) {

 		if (fuse_invalid_attr(&outarg.attr) ||

 		    (inode->i_mode ^ outarg.attr.mode) & S_IFMT) {

-			make_bad_inode(inode);

+			fuse_make_bad(inode);

 			err = -EIO;

 		} else {

 			fuse_change_attributes(inode, &outarg.attr,

@@ -1107,6 +1125,9 @@ static int fuse_permission(struct inode

 	bool refreshed = false;

 	int err = 0;

+	if (fuse_is_bad(inode))

+		return -EIO;

+

 	if (!fuse_allow_current_process(fc))

 		return -EACCES;

@@ -1204,7 +1225,7 @@ static const char *fuse_get_link(struct

 	int err;

 	err = -EIO;

-	if (is_bad_inode(inode))

+	if (fuse_is_bad(inode))

 		goto out_err;

 	if (fc->cache_symlinks)

@@ -1252,7 +1273,7 @@ static int fuse_dir_fsync(struct file *f

 	struct fuse_conn *fc = get_fuse_conn(inode);

 	int err;

-	if (is_bad_inode(inode))

+	if (fuse_is_bad(inode))

 		return -EIO;

 	if (fc->no_fsyncdir)

@@ -1529,7 +1550,7 @@ int fuse_do_setattr(struct dentry *dentr

 	if (fuse_invalid_attr(&outarg.attr) ||

 	    (inode->i_mode ^ outarg.attr.mode) & S_IFMT) {

-		make_bad_inode(inode);

+		fuse_make_bad(inode);

 		err = -EIO;

 		goto error;

 	}

@@ -1585,6 +1606,9 @@ static int fuse_setattr(struct dentry *e

 	struct file *file = (attr->ia_valid & ATTR_FILE) ? attr->ia_file : NULL;

 	int ret;

+	if (fuse_is_bad(inode))

+		return -EIO;

+

 	if (!fuse_allow_current_process(get_fuse_conn(inode)))

 		return -EACCES;

@@ -1643,6 +1667,9 @@ static int fuse_getattr(const struct pat

 	struct inode *inode = d_inode(path->dentry);

 	struct fuse_conn *fc = get_fuse_conn(inode);

+	if (fuse_is_bad(inode))

+		return -EIO;

+

 	if (!fuse_allow_current_process(fc))

 		return -EACCES;

--- a/fs/fuse/file.c

+++ b/fs/fuse/file.c

@@ -206,6 +206,9 @@ int fuse_open_common(struct inode *inode

 			  fc->atomic_o_trunc &&

 			  fc->writeback_cache;

+	if (fuse_is_bad(inode))

+		return -EIO;

+

 	err = generic_file_open(inode, file);

 	if (err)

 		return err;

@@ -420,7 +423,7 @@ static int fuse_flush(struct file *file,

 	struct fuse_flush_in inarg;

 	int err;

-	if (is_bad_inode(inode))

+	if (fuse_is_bad(inode))

 		return -EIO;

 	if (fc->no_flush)

@@ -485,7 +488,7 @@ static int fuse_fsync(struct file *file,

 	struct fuse_conn *fc = get_fuse_conn(inode);

 	int err;

-	if (is_bad_inode(inode))

+	if (fuse_is_bad(inode))

 		return -EIO;

 	inode_lock(inode);

@@ -784,7 +787,7 @@ static int fuse_readpage(struct file *fi

 	int err;

 	err = -EIO;

-	if (is_bad_inode(inode))

+	if (fuse_is_bad(inode))

 		goto out;

 	err = fuse_do_readpage(file, page);

@@ -911,7 +914,7 @@ static int fuse_readpages(struct file *f

 	unsigned int nr_alloc = min_t(unsigned int, nr_pages, fc->max_pages);

 	err = -EIO;

-	if (is_bad_inode(inode))

+	if (fuse_is_bad(inode))

 		goto out;

 	data.file = file;

@@ -1497,7 +1500,7 @@ static ssize_t fuse_file_read_iter(struc

 	struct file *file = iocb->ki_filp;

 	struct fuse_file *ff = file->private_data;

-	if (is_bad_inode(file_inode(file)))

+	if (fuse_is_bad(file_inode(file)))

 		return -EIO;

 	if (!(ff->open_flags & FOPEN_DIRECT_IO))

@@ -1511,7 +1514,7 @@ static ssize_t fuse_file_write_iter(stru

 	struct file *file = iocb->ki_filp;

 	struct fuse_file *ff = file->private_data;

-	if (is_bad_inode(file_inode(file)))

+	if (fuse_is_bad(file_inode(file)))

 		return -EIO;

 	if (!(ff->open_flags & FOPEN_DIRECT_IO))

@@ -1997,7 +2000,7 @@ static int fuse_writepages(struct addres

 	int err;

 	err = -EIO;

-	if (is_bad_inode(inode))

+	if (fuse_is_bad(inode))

 		goto out;

 	data.inode = inode;

@@ -2787,7 +2790,7 @@ long fuse_ioctl_common(struct file *file

 	if (!fuse_allow_current_process(fc))

 		return -EACCES;

-	if (is_bad_inode(inode))

+	if (fuse_is_bad(inode))

 		return -EIO;

 	return fuse_do_ioctl(file, cmd, arg, flags);

--- a/fs/fuse/fuse_i.h

+++ b/fs/fuse/fuse_i.h

@@ -161,6 +161,8 @@ enum {

 	FUSE_I_INIT_RDPLUS,

 	/** An operation changing file size is in progress  */

 	FUSE_I_SIZE_UNSTABLE,

+	/* Bad inode */

+	FUSE_I_BAD,

 };

 struct fuse_conn;

@@ -794,6 +796,16 @@ static inline u64 fuse_get_attr_version(

 	return atomic64_read(&fc->attr_version);

 }

+static inline void fuse_make_bad(struct inode *inode)

+{

+	set_bit(FUSE_I_BAD, &get_fuse_inode(inode)->state);

+}

+

+static inline bool fuse_is_bad(struct inode *inode)

+{

+	return unlikely(test_bit(FUSE_I_BAD, &get_fuse_inode(inode)->state));

+}

+

 /** Device operations */

 extern const struct file_operations fuse_dev_operations;

--- a/fs/fuse/inode.c

+++ b/fs/fuse/inode.c

@@ -125,7 +125,7 @@ static void fuse_evict_inode(struct inod

 		fuse_queue_forget(fc, fi->forget, fi->nodeid, fi->nlookup);

 		fi->forget = NULL;

 	}

-	if (S_ISREG(inode->i_mode) && !is_bad_inode(inode)) {

+	if (S_ISREG(inode->i_mode) && !fuse_is_bad(inode)) {

 		WARN_ON(!list_empty(&fi->write_files));

 		WARN_ON(!list_empty(&fi->queued_writes));

 	}

@@ -314,7 +314,7 @@ struct inode *fuse_iget(struct super_blo

 		unlock_new_inode(inode);

 	} else if ((inode->i_mode ^ attr->mode) & S_IFMT) {

 		/* Inode has changed type, any I/O on the old should fail */

-		make_bad_inode(inode);

+		fuse_make_bad(inode);

 		iput(inode);

 		goto retry;

 	}

--- a/fs/fuse/readdir.c

+++ b/fs/fuse/readdir.c

@@ -207,7 +207,7 @@ retry:

 			dput(dentry);

 			goto retry;

 		}

-		if (is_bad_inode(inode)) {

+		if (fuse_is_bad(inode)) {

 			dput(dentry);

 			return -EIO;

 		}

@@ -554,7 +554,7 @@ int fuse_readdir(struct file *file, stru

 	struct inode *inode = file_inode(file);

 	int err;

-	if (is_bad_inode(inode))

+	if (fuse_is_bad(inode))

 		return -EIO;

 	mutex_lock(&ff->readdir.lock);

--- a/fs/fuse/xattr.c

+++ b/fs/fuse/xattr.c

@@ -113,6 +113,9 @@ ssize_t fuse_listxattr(struct dentry *en

 	struct fuse_getxattr_out outarg;

 	ssize_t ret;

+	if (fuse_is_bad(inode))

+		return -EIO;

+

 	if (!fuse_allow_current_process(fc))

 		return -EACCES;

@@ -178,6 +181,9 @@ static int fuse_xattr_get(const struct x

 			 struct dentry *dentry, struct inode *inode,

 			 const char *name, void *value, size_t size)

 {

+	if (fuse_is_bad(inode))

+		return -EIO;

+

 	return fuse_getxattr(inode, name, value, size);

 }

@@ -186,6 +192,9 @@ static int fuse_xattr_set(const struct x

 			  const char *name, const void *value, size_t size,

 			  int flags)

 {

+	if (fuse_is_bad(inode))

+		return -EIO;

+

 	if (!value)

 		return fuse_removexattr(inode, name);