On Wed, Jun 15, 2022 at 01:57:55PM +0800, Xie Yongji
wrote:
> Virtio-fs does not support aborting requests which are being
> processed. Otherwise, it might trigger UAF since
What is the full form of UAF? Use after free?
Thanks
Vivek
> virtio_fs_request_complete() doesn't know the requests are
> aborted. So let's remove the abort interface.
>
> Fixes: 15c8e72e88e0 ("fuse: allow skipping control interface and
forced unmount")
> Signed-off-by: Xie Yongji <xieyongji at bytedance.com>
> ---
> fs/fuse/control.c | 4 ++--
> fs/fuse/fuse_i.h | 4 ++++
> fs/fuse/inode.c | 1 +
> fs/fuse/virtio_fs.c | 1 +
> 4 files changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/fs/fuse/control.c b/fs/fuse/control.c
> index 7cede9a3bc96..d93d8ea3a090 100644
> --- a/fs/fuse/control.c
> +++ b/fs/fuse/control.c
> @@ -272,8 +272,8 @@ int fuse_ctl_add_conn(struct fuse_conn *fc)
>
> if (!fuse_ctl_add_dentry(parent, fc, "waiting", S_IFREG | 0400,
1,
> NULL, &fuse_ctl_waiting_ops) ||
> - !fuse_ctl_add_dentry(parent, fc, "abort", S_IFREG | 0200,
1,
> - NULL, &fuse_ctl_abort_ops) ||
> + (!fc->no_abort_control && !fuse_ctl_add_dentry(parent, fc,
"abort",
> + S_IFREG | 0200, 1, NULL, &fuse_ctl_abort_ops)) ||
> !fuse_ctl_add_dentry(parent, fc, "max_background", S_IFREG
| 0600,
> 1, NULL, &fuse_conn_max_background_ops) ||
> !fuse_ctl_add_dentry(parent, fc, "congestion_threshold",
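Review bot: The new `(!fc->no_abort_control && !fuse_ctl_add_dentry(...))` term is the only conditional entry in an otherwise uniform `||` chain of negated calls, and the double negation is easy to misread as "fail when the abort entry is absent". A one-line comment above the term would carry the intent: `/* "abort" is optional: skipped for transports that cannot abort in-flight requests */`. The tail of the chain and its error label are outside the hunk, so I have not checked how skipping one entry interacts with the cleanup path; the remaining entries are still created unconditionally, which looks right.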
> diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h
> index a47f14d0ee3f..e29a4e2f2b35 100644
> --- a/fs/fuse/fuse_i.h
> +++ b/fs/fuse/fuse_i.h
> @@ -507,6 +507,7 @@ struct fuse_fs_context {
> bool default_permissions:1;
> bool allow_other:1;
> bool destroy:1;
> + bool no_abort_control:1;
> bool no_force_umount:1;
> bool legacy_opts_show:1;
> enum fuse_dax_mode dax_mode;
> @@ -765,6 +766,9 @@ struct fuse_conn {
> /* Delete dentries that have gone stale */
> unsigned int delete_stale:1;
>
> + /** Do not create abort entry in fusectl fs */
> + unsigned int no_abort_control:1;
> +
> /** Do not allow MNT_FORCE umount */
> unsigned int no_force_umount:1;
>
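Review bot: The comment on `no_abort_control` in `struct fuse_conn` says what the bit does but not why a transport would set it, which is what a reader of fuse_ctl_add_conn() will want; the same applies to the bare `ctx->no_abort_control = true;` in the virtio_fs.c hunk. I would write it as `/** Do not create abort entry in fusectl fs: the transport cannot abort in-flight requests (see virtio_fs_request_complete()) */`. Since virtio-fs already sets no_force_umount, setting this bit too appears to leave no administrative way to tear down a wedged connection short of the device going away; if that is the intended trade-off it deserves a sentence in the comment, but I am inferring it from the two defaults rather than from code in this patch.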
> diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
> index 4059c6898e08..02a16cd35f42 100644
> --- a/fs/fuse/inode.c
> +++ b/fs/fuse/inode.c
> @@ -1564,6 +1564,7 @@ int fuse_fill_super_common(struct super_block *sb,
struct fuse_fs_context *ctx)
> fc->legacy_opts_show = ctx->legacy_opts_show;
> fc->max_read = max_t(unsigned int, 4096, ctx->max_read);
> fc->destroy = ctx->destroy;
> + fc->no_abort_control = ctx->no_abort_control;
> fc->no_force_umount = ctx->no_force_umount;
>
> err = -ENOMEM;
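Review bot: The copy `fc->no_abort_control = ctx->no_abort_control;` must execute before fuse_ctl_add_conn() reads the bit, and that call is not visible in this hunk; its placement next to `fc->destroy` and `fc->no_force_umount`, which are consumed the same way, suggests it is, but please confirm. The rest of fuse_fill_super_common() lies outside the hunk.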
> diff --git a/fs/fuse/virtio_fs.c b/fs/fuse/virtio_fs.c
> index 24bcf4dbca2a..af369bea6dbb 100644
> --- a/fs/fuse/virtio_fs.c
> +++ b/fs/fuse/virtio_fs.c
> @@ -1287,6 +1287,7 @@ static inline void virtio_fs_ctx_set_defaults(struct
fuse_fs_context *ctx)
> ctx->max_read = UINT_MAX;
> ctx->blksize = 512;
> ctx->destroy = true;
> + ctx->no_abort_control = true;
> ctx->no_force_umount = true;
> }
>
> --
> 2.20.1
>