linux/net/9p
Tyler Hicks fe9c758e5b net/9p: Initialize the iounit field during fid creation
commit aa7aeee169 upstream.

Ensure that the fid's iounit field is set to zero when a new fid is
created. Certain 9P operations, such as OPEN and CREATE, allow the
server to reply with an iounit size which the client code assigns to the
p9_fid struct shortly after the fid is created by p9_fid_create(). On
the other hand, an XATTRWALK operation doesn't allow for the server to
specify an iounit value. The iounit field of the newly allocated p9_fid
struct remained uninitialized in that case. Depending on allocation
patterns, the iounit value could have been something reasonable that was
carried over from previously freed fids or, in the worst case, could
have been arbitrary values from non-fid related usages of the memory
location.

The bug was detected in the Windows Subsystem for Linux 2 (WSL2) kernel
after the uninitialized iounit field resulted in the typical sequence of
two getxattr(2) syscalls, one to get the size of an xattr and another
after allocating a sufficiently sized buffer to fit the xattr value, to
hit an unexpected ERANGE error in the second call to getxattr(2). An
uninitialized iounit field would sometimes force rsize to be smaller
than the xattr value size in p9_client_read_once() and the 9P server in
WSL refused to chunk up the READ on the attr_fid and, instead, returned
ERANGE to the client. The virtfs server in QEMU seems happy to chunk up
the READ and this problem goes undetected there.

Link: https://lkml.kernel.org/r/20220710141402.803295-1-tyhicks@linux.microsoft.com
Fixes: ebf46264a0 ("fs/9p: Add support user. xattr")
Cc: stable@vger.kernel.org
Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
Reviewed-by: Christian Schoenebeck <linux_oss@crudebyte.com>
Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
[tyhicks: Adjusted context due to:
 - Lack of fid refcounting introduced in v5.11 commit 6636b6dcc3 ("9p:
   add refcount to p9_fid struct")
 - Difference in how buffer sizes are specified v5.16 commit
   6e195b0f7c ("9p: fix a bunch of checkpatch warnings")]
Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-08-25 11:15:32 +02:00
..
client.c net/9p: Initialize the iounit field during fid creation 2022-08-25 11:15:32 +02:00
error.c hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
Kconfig IB: Revert "remove redundant INFINIBAND kconfig dependencies" 2018-05-28 10:40:16 -06:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mod.c 9p: Use a slab for allocating requests 2019-07-03 13:14:41 +02:00
protocol.c 9p: p9dirent_read: check network-provided name length 2019-07-03 13:14:42 +02:00
protocol.h net/9p: Convert net/9p protocol dumps to tracepoints 2011-10-24 11:13:12 -05:00
trans_common.c net/9p: include trans_common.h to fix missing prototype warning. 2019-07-03 13:14:43 +02:00
trans_common.h net/9p: remove (now-)unused helpers 2015-04-11 22:28:29 -04:00
trans_fd.c net: 9p: initialize sun_server.sun_path to have addr's value only when addr is valid 2020-11-05 11:08:44 +01:00
trans_rdma.c 9p/rdma: remove useless check in cm_event_handler 2019-07-03 13:14:42 +02:00
trans_virtio.c 9p/trans_virtio: Remove sysfs file on probe failure 2021-09-26 13:39:47 +02:00
trans_xen.c xen/9p: use alloc/free_pages_exact() 2022-03-11 10:15:13 +01:00
util.c 9p: fix whitespace issues 2018-08-13 09:34:58 +09:00