fuse: fix pipe buffer lifetime for direct_io

bmastbergen · bmastbergen · commit 49f9d93124b0 · 2025-08-22T13:12:38.000-04:00
jira VULN-7917 cve CVE-2022-1011 commit-author Miklos Szeredi <mszeredi@redhat.com> commit 0c4bcfd upstream-diff Used 4.19 LT commit 99db282 because page info is in fuse_req in this kernel as opposed to fuse_args in upstream In FOPEN_DIRECT_IO mode, fuse_file_write_iter() calls fuse_direct_write_iter(), which normally calls fuse_direct_io(), which then imports the write buffer with fuse_get_user_pages(), which uses iov_iter_get_pages() to grab references to userspace pages instead of actually copying memory. On the filesystem device side, these pages can then either be read to userspace (via fuse_dev_read()), or splice()d over into a pipe using fuse_dev_splice_read() as pipe buffers with &nosteal_pipe_buf_ops. This is wrong because after fuse_dev_do_read() unlocks the FUSE request, the userspace filesystem can mark the request as completed, causing write() to return. At that point, the userspace filesystem should no longer have access to the pipe buffer. Fix by copying pages coming from the user address space to new pipe buffers. Reported-by: Jann Horn <jannh@google.com> Fixes: c302162 ("fuse: support splice() reading from fuse device") Cc: <stable@vger.kernel.org> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> (cherry picked from commit 0c4bcfd) Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
@@ -932,7 +932,17 @@ static int fuse_copy_page(struct fuse_copy_state *cs, struct page **pagep,
 
 	while (count) {
 		if (cs->write && cs->pipebufs && page) {
-			return fuse_ref_page(cs, page, offset, count);
+			/*
+			 * Can't control lifetime of pipe buffers, so always
+			 * copy user pages.
+			 */
+			if (cs->req->user_pages) {
+				err = fuse_copy_fill(cs);
+				if (err)
+					return err;
+			} else {
+				return fuse_ref_page(cs, page, offset, count);
+			}
 		} else if (!cs->len) {
 			if (cs->move_pages && page &&
 			    offset == 0 && count == PAGE_SIZE) {
diff --git a/fs/fuse/file.c b/fs/fuse/file.c
@@ -1386,6 +1386,7 @@ static int fuse_get_user_pages(struct fuse_req *req, struct iov_iter *ii,
 		nbytes += frag_size;
 	}
 
+	req->user_pages = true;
 	if (write)
 		req->in.argpages = 1;
 	else
diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h
@@ -267,6 +267,8 @@ struct fuse_req {
 	/** refcount */
 	atomic_t count;
 
+	bool user_pages;
+
 	/** Unique ID for the interrupt request */
 	u64 intr_unique;
 

Original file line number	Diff line number	Diff line change
`@@ -1386,6 +1386,7 @@ static int fuse_get_user_pages(struct fuse_req req, struct iov_iter ii,`
`1386`	`1386`	`nbytes += frag_size;`
`1387`	`1387`	`}`
`1388`	`1388`
	`1389`	`+ req->user_pages = true;`
`1389`	`1390`	`if (write)`
`1390`	`1391`	`req->in.argpages = 1;`
`1391`	`1392`	`else`