From patchwork Thu Dec 21 03:09:13 2023
X-Patchwork-Submitter: Ahelenia Ziemiańska
X-Patchwork-Id: 181963
Date: Thu, 21 Dec 2023 04:09:13 +0100
From: Ahelenia Ziemiańska
Cc: Jens Axboe, Christian Brauner, Alexander Viro, linux-fsdevel@vger.kernel.org, Miklos Szeredi, Vivek Goyal, Stefan Hajnoczi, linux-kernel@vger.kernel.org, virtualization@lists.linux.dev
Subject: [PATCH v2 09/11] fuse: file: limit splice_read to virtiofs
Message-ID: <9b5cd13bc9e9c570978ec25b25ba5e4081b3d56b.1703126594.git.nabijaczleweli@nabijaczleweli.xyz>

Potentially-blocking splice_reads are allowed for normal filesystems like NFS because they're blessed by root. FUSE is commonly used suid-root, and allows anyone to trivially create a file that, when spliced from, will just sleep forever with the pipe lock held.

The only way IPC to the fusing process could be avoided is if !(ff->open_flags & FOPEN_DIRECT_IO) and the range was already cached and we weren't past the end. Just refuse it.

virtiofs behaves like a normal filesystem and can only be mounted by root; it's unaffected by use of a new "trusted" connection flag.

This may be extended to include real FUSE mounts by processes which aren't suid, to match the semantics for normal filesystems.

Signed-off-by: Ahelenia Ziemiańska
--- fs/fuse/file.c | 17 ++++++++++++++++- fs/fuse/fuse_i.h | 3 +++ fs/fuse/virtio_fs.c | 1 + 3 files changed, 20 insertions(+), 1 deletion(-) diff --git a/fs/fuse/file.c b/fs/fuse/file.c index a660f1f21540..20bb16ddfcc9 100644 --- a/fs/fuse/file.c +++ b/fs/fuse/file.c 
@@ -3200,6 +3200,21 @@ static ssize_t fuse_copy_file_range(struct file *src_file, loff_t src_off, return ret; } +static long fuse_splice_read(struct file *in, loff_t *ppos, + struct pipe_inode_info *pipe, size_t len, + unsigned int flags) +{ + struct inode *inode = file_inode(in); + + if (fuse_is_bad(inode)) + return -EIO; + + if (get_fuse_conn(inode)->trusted) + return filemap_splice_read(in, ppos, pipe, len, flags); + + return -EINVAL; +} + static const struct file_operations fuse_file_operations = { .llseek = fuse_file_llseek, .read_iter = fuse_file_read_iter, @@ -3212,7 +3227,7 @@ static const struct file_operations fuse_file_operations = { .lock = fuse_file_lock, .get_unmapped_area = thp_get_unmapped_area, .flock = fuse_file_flock, - .splice_read = filemap_splice_read, + .splice_read = fuse_splice_read, .splice_write = iter_file_splice_write, .unlocked_ioctl = fuse_file_ioctl, .compat_ioctl = fuse_file_compat_ioctl, diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h index 1df83eebda92..463c5d4ad8b4 100644 --- a/fs/fuse/fuse_i.h +++ b/fs/fuse/fuse_i.h @@ -818,6 +818,9 @@ struct fuse_conn { /* Is statx not implemented by fs? */ unsigned int no_statx:1; + /* Do we trust this connection to always respond? */ + bool trusted:1; + /** The number of requests waiting for completion */ atomic_t num_waiting; diff --git a/fs/fuse/virtio_fs.c b/fs/fuse/virtio_fs.c index 5f1be1da92ce..fce0fe24899a 100644 --- a/fs/fuse/virtio_fs.c +++ b/fs/fuse/virtio_fs.c @@ -1448,6 +1448,7 @@ static int virtio_fs_get_tree(struct fs_context *fsc) fc->delete_stale = true; fc->auto_submounts = true; fc->sync_fs = true; + fc->trusted = true; /* Tell FUSE to split requests that exceed the virtqueue's size */ fc->max_pages_limit = min_t(unsigned int, fc->max_pages_limit,
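Review bot: in the fuse_splice_read() hunk the function is declared `static long`, but it is installed as `.splice_read`, whose prototype (like filemap_splice_read(), which it wraps) returns ssize_t; on 32-bit targets ssize_t is int, so the assignment becomes an incompatible-pointer-type mismatch that the compiler and kernel CFI will flag. Declare it `static ssize_t fuse_splice_read(struct file *in, loff_t *ppos, ...)`. Separately, the `return -EINVAL;` for a connection that is not trusted fires before any data moves, so every splice(2) and sendfile(2) from such a file fails outright; the commit message's "Just refuse it" should say whether callers are expected to fall back to read(2) themselves or whether another patch in this series provides that fallback.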
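Review bot: in the fuse_file_operations hunk `.splice_write = iter_file_splice_write,` is left in place, and iter_file_splice_write() holds the pipe lock while it calls vfs_iter_write() into the FUSE daemon, so the "sleep forever with the pipe lock held" scenario the commit message describes appears to apply to the write side as well. Either gate splice_write on the same `trusted` check (a fuse_splice_write() wrapper mirroring fuse_splice_read()) or state in the commit message why writes are out of scope for this patch.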
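Review bot: in the fuse_i.h hunk `bool trusted:1;` breaks the convention of the surrounding fuse_conn flags, which are all `unsigned int name:1;` (see `unsigned int no_statx:1;` directly above); use the same type so the new bit packs with its neighbours and the declarations stay uniform. The comment "Do we trust this connection to always respond?" should also say what the flag gates (splice_read) and that nothing else in this patch sets it, so ordinary /dev/fuse connections rely on the zeroed default staying clear; that default is the security property the file.c hunk depends on.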
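Review bot: in the virtio_fs_get_tree() hunk the justification for `fc->trusted = true;` (virtiofs can only be mounted by root and behaves like a normal filesystem) exists only in the commit message; add a one-line comment next to the assignment, in the style of the neighbouring "Tell FUSE to split requests..." comment, so the next person editing this function knows this line is what re-enables splice_read for virtiofs and does not copy it into a code path that unprivileged FUSE servers can reach.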
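The commit message says a non-trusted FUSE connection now simply refuses splice_read, which means sendfile(2) and splice(2) from such a file fail with EINVAL instead of blocking. The userspace side of that change is a copy routine that tries sendfile() and falls back to read()/write() when the kernel refuses to splice from the source. The block below is an added example, not code from the patch or from fs/fuse; it cannot run against a real FUSE mount offline, so its self-check uses a pipe as the source (a pipe has no ->splice_read either, so sendfile() reports EINVAL and the fallback path runs) and a regular temp file as the spliceable case. The payload is constructed inline; `copy_fd`, `copy_fallback` and `demo_copy` are names chosen for this example.

```c
/*
 * Added example (not part of the patch or of fs/fuse): copy between fds
 * with sendfile(2) first and a read(2)/write(2) loop as the fallback for
 * sources the kernel refuses to splice from, e.g. a FUSE file on a
 * non-"trusted" connection after this patch (sendfile fails with EINVAL).
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/sendfile.h>
#include <unistd.h>

#define PAYLOAD_LEN 10000 /* constructed test payload; spans several 4 KiB chunks */

/* Plain read/write loop, used when the source cannot be spliced from. */
static ssize_t copy_fallback(int in, int out, size_t len)
{
	char buf[4096];
	size_t total = 0;

	while (total < len) {
		size_t want = len - total < sizeof(buf) ? len - total : sizeof(buf);
		ssize_t n = read(in, buf, want);

		if (n < 0) {
			if (errno == EINTR)
				continue;
			return -1;
		}
		if (n == 0)
			break; /* EOF before len: return what we got */
		for (ssize_t off = 0; off < n; ) {
			ssize_t w = write(out, buf + off, (size_t)(n - off));

			if (w < 0) {
				if (errno == EINTR)
					continue;
				return -1;
			}
			off += w;
		}
		total += (size_t)n;
	}
	return (ssize_t)total;
}

/*
 * Copy up to len bytes from in to out. sendfile() goes through the source's
 * ->splice_read; if it fails before anything moved with an errno that means
 * "not spliceable" (EINVAL is what the patch makes untrusted FUSE return),
 * fall back to copy_fallback(). used_fallback (may be NULL) reports the path.
 */
ssize_t copy_fd(int in, int out, size_t len, int *used_fallback)
{
	size_t total = 0;

	if (used_fallback)
		*used_fallback = 0;
	while (total < len) {
		ssize_t n = sendfile(out, in, NULL, len - total);

		if (n < 0) {
			if (errno == EINTR)
				continue;
			if (total == 0 && (errno == EINVAL || errno == ENOSYS || errno == ESPIPE)) {
				if (used_fallback)
					*used_fallback = 1;
				return copy_fallback(in, out, len);
			}
			return -1;
		}
		if (n == 0)
			break;
		total += (size_t)n;
	}
	return (ssize_t)total;
}

/*
 * Self-check: copy PAYLOAD_LEN constructed bytes from a regular temp file
 * (spliceable) or a pipe (not spliceable, exercises the fallback) into a
 * temp file and verify they arrived intact. Returns the byte count on
 * success, -1 on any error or mismatch.
 */
long demo_copy(int source_is_pipe, int *used_fallback)
{
	static char payload[PAYLOAD_LEN], got[PAYLOAD_LEN];
	FILE *outf = tmpfile(), *inf = NULL;
	int in_fd = -1, pipefd[2] = { -1, -1 };
	long ret = -1;
	ssize_t n;

	if (!outf)
		return -1;
	for (size_t i = 0; i < sizeof(payload); i++)
		payload[i] = (char)('A' + i % 26); /* constructed pattern */

	if (source_is_pipe) {
		/* PAYLOAD_LEN is below the default pipe capacity, so the write completes. */
		if (pipe(pipefd) < 0 || write(pipefd[1], payload, sizeof(payload)) != (ssize_t)sizeof(payload))
			goto out;
		close(pipefd[1]);
		pipefd[1] = -1;
		in_fd = pipefd[0];
	} else {
		inf = tmpfile();
		if (!inf || fwrite(payload, 1, sizeof(payload), inf) != sizeof(payload) ||
		    fflush(inf) != 0 || fseek(inf, 0, SEEK_SET) != 0)
			goto out;
		in_fd = fileno(inf);
	}

	n = copy_fd(in_fd, fileno(outf), sizeof(payload), used_fallback);
	if (n != (ssize_t)sizeof(payload))
		goto out;
	if (lseek(fileno(outf), 0, SEEK_SET) != 0 ||
	    read(fileno(outf), got, sizeof(got)) != (ssize_t)sizeof(got) ||
	    memcmp(payload, got, sizeof(got)) != 0)
		goto out;
	ret = n;
out:
	if (inf)
		fclose(inf);
	if (pipefd[0] >= 0)
		close(pipefd[0]);
	if (pipefd[1] >= 0)
		close(pipefd[1]);
	fclose(outf);
	return ret;
}

int main(void)
{
	int fb;
	long n = demo_copy(0, &fb);

	printf("regular file source: %ld bytes, fallback=%d\n", n, fb);
	n = demo_copy(1, &fb);
	printf("pipe source:         %ld bytes, fallback=%d\n", n, fb);
	return 0;
}
```

The fallback is only taken when sendfile() fails before transferring anything; a failure mid-stream is reported to the caller, because the source position has already advanced and silently re-reading would duplicate data. On a FUSE mount served by an unprivileged daemon the fallback read() can still block, which is the daemon's problem rather than a pipe-lock problem, and is exactly the distinction the patch draws.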