From: Kevin Wolf
To: qemu-block@nongnu.org
Cc: kwolf@redhat.com, qemu-devel@nongnu.org
Subject: [PULL 14/28] fuse: Explicitly handle non-grow post-EOF accesses
Date: Tue, 10 Mar 2026 17:26:08 +0100
Message-ID: <20260310162622.333137-15-kwolf@redhat.com>
In-Reply-To: <20260310162622.333137-1-kwolf@redhat.com>
References: <20260310162622.333137-1-kwolf@redhat.com>

From: Hanna Czenczek

When reading to / writing from non-growable exports, we cap the I/O size
by `offset - blk_len`. This will underflow for accesses that are
completely past the disk end. Check and handle that case explicitly.

This is also enough to ensure that `offset + size` will not overflow;
blk_len is int64_t, offset is uint32_t, `offset < blk_len`, so from
`INT64_MAX + UINT32_MAX < UINT64_MAX` it follows that `offset + size`
cannot overflow.

Just one catch: We have to allow write accesses to growable exports past
the EOF, so then we cannot rely on `offset < blk_len`, but have to
verify explicitly that `offset + size` does not overflow.

The negative consequences of not having this commit are luckily limited
because blk_pread() and blk_pwrite() will reject post-EOF requests
anyway, so a `size` underflow post-EOF will just result in an I/O error.
So:

- Post-EOF reads will incorrectly result in I/O errors instead of just
  0-length reads. We will also attempt to allocate a very large buffer,
  which is wrong and not good, but not terrible.

- Post-EOF writes on non-growable exports will result in I/O errors
  instead of 0-length writes (which generally indicate ENOSPC).

- Post-EOF writes on growable exports can theoretically overflow on EOF
  and truncate the export down to a much too small size, but in
  practice, FUSE will never send an offset greater than signed INT_MAX,
  preventing a uint64_t overflow. (fuse_write_args_fill() in the kernel
  uses loff_t for the offset, which is signed.)

Signed-off-by: Hanna Czenczek
Message-ID: <20260309150856.26800-15-hreitz@redhat.com>
Reviewed-by: Kevin Wolf
Signed-off-by: Kevin Wolf
--- block/export/fuse.c | 20 +++++++++++++++++++- tests/qemu-iotests/308 | 35 ++++++++++++++++++++++++++++++----- tests/qemu-iotests/308.out | 10 ++++++++++ 3 files changed, 59 insertions(+), 6 deletions(-) diff --git a/block/export/fuse.c b/block/export/fuse.c index d45c6b814fe..af0a8de17b1 100644 --- a/block/export/fuse.c +++ b/block/export/fuse.c 
@@ -657,6 +657,16 @@ static void fuse_read(fuse_req_t req, fuse_ino_t inode, return; } + if (offset >= blk_len) { + /* + * Technically libfuse does not allow returning a zero error code for + * read requests, but in practice this is a 0-length read (and a future + * commit will change this code anyway) + */ + fuse_reply_err(req, 0); + return; + } + if (offset + size > blk_len) { size = blk_len - offset; } @@ -717,7 +727,15 @@ static void fuse_write(fuse_req_t req, fuse_ino_t inode, const char *buf, return; } - if (offset + size > blk_len) { + if (offset >= blk_len && !exp->growable) { + fuse_reply_write(req, 0); + return; + } + + if (offset + size < offset) { + fuse_reply_err(req, EINVAL); + return; + } else if (offset + size > blk_len) { if (exp->growable) { ret = fuse_do_truncate(exp, offset + size, true, PREALLOC_MODE_OFF); if (ret < 0) { diff --git a/tests/qemu-iotests/308 b/tests/qemu-iotests/308 index 6ecb275555a..a83c6fc01fb 100755 --- a/tests/qemu-iotests/308 +++ b/tests/qemu-iotests/308 
@@ -300,16 +300,34 @@ dd if=/dev/zero of="$EXT_MP" bs=1 count=64k seek=$orig_len \ conv=notrunc 2>&1 \ | _filter_testdir | _filter_imgfmt +# And one really squarely post-EOF write +dd if=/dev/zero of="$EXT_MP" bs=1 count=1 seek=$((orig_len + 32 * 1024)) \ + conv=notrunc 2>&1 \ + | _filter_testdir | _filter_imgfmt + +# Half-post-EOF reads +dd if="$EXT_MP" of=/dev/null bs=1 count=64k skip=$((orig_len - 32 * 1024)) \ + 2>&1 | _filter_testdir | _filter_imgfmt + +# And one really squarely post-EOF read +dd if="$EXT_MP" of=/dev/null bs=1 count=1 skip=$((orig_len + 32 * 1024)) \ + 2>&1 | _filter_testdir | _filter_imgfmt + echo echo '--- Resize export ---' # But we can truncate it explicitly; even with fallocate -fallocate -o "$orig_len" -l 64k "$EXT_MP" +# (Make sure we extend it to a length not divisible by 128k, we need that below) +bs=$((128 * 1024)) +extend_to=$(((orig_len + bs - 1) / bs * bs + bs / 2)) +extend_by=$((extend_to - orig_len)) + +fallocate -o "$orig_len" -l $extend_by "$EXT_MP" new_len=$(get_proto_len "$EXT_MP" "$TEST_IMG") -if [ "$new_len" != "$((orig_len + 65536))" ]; then +if [ "$new_len" != "$extend_to" ]; then echo 'ERROR: Unexpected post-truncate image size:' - echo "$new_len != $((orig_len + 65536))" + echo "$new_len != $extend_to" else echo 'OK: Post-truncate image size is as expected' fi @@ -322,6 +340,13 @@ else echo "$orig_disk_usage => $new_disk_usage" fi +# Use this opportunity to test a read access across the (now no longer so much +# aligned) EOF. dd can only do requests with a length of its block size, and +# all of its seek/skip values are in bs units, so it is hard to do a request +# across the EOF if the EOF is at a power of two (64M). +dd if="$EXT_MP" of=/dev/null bs=$bs count=2 skip=$((extend_to / bs)) \ + 2>&1 | _filter_testdir | _filter_imgfmt + echo echo '--- Try growing growable export ---' 
@@ -338,9 +363,9 @@ dd if=/dev/zero of="$EXT_MP" bs=1 count=64k seek=$new_len conv=notrunc 2>&1 \ | _filter_testdir | _filter_imgfmt new_len=$(get_proto_len "$EXT_MP" "$TEST_IMG") -if [ "$new_len" != "$((orig_len + 131072))" ]; then +if [ "$new_len" != "$((extend_to + 65536))" ]; then echo 'ERROR: Unexpected post-grow image size:' - echo "$new_len != $((orig_len + 131072))" + echo "$new_len != $((extend_to + 65536))" else echo 'OK: Post-grow image size is as expected' fi diff --git a/tests/qemu-iotests/308.out b/tests/qemu-iotests/308.out index 2d7a38d63d2..ebeaf64b486 100644 --- a/tests/qemu-iotests/308.out +++ b/tests/qemu-iotests/308.out @@ -134,11 +134,21 @@ wrote 65536/65536 bytes at offset 1048576 dd: error writing 'TEST_DIR/t.IMGFMT.fuse': No space left on device 1+0 records in 0+0 records out +dd: error writing 'TEST_DIR/t.IMGFMT.fuse': No space left on device +1+0 records in +0+0 records out +32768+0 records in +32768+0 records out +dd: TEST_DIR/t.IMGFMT.fuse: cannot skip to specified offset +0+0 records in +0+0 records out --- Resize export --- (OK: Lengths of export and original are the same) OK: Post-truncate image size is as expected OK: Disk usage grew with fallocate +0+1 records in +0+1 records out --- Try growing growable export --- {'execute': 'block-export-del', -- 2.53.0