ANDROID: fuse: Allocate zeroed memory for canonical path

Biao Li · balsini · commit cad4f67e5b5b · 2021-09-17T11:08:21.000+01:00
The page used to contain the fuse_dentry_canonical_path to be handled in fuse_dev_do_write is allocated using __get_free_pages(GFP_KERNEL). The returned page may contain undefined data, that by chance may be considered as a valid path name that is not in the cache. In that case, if the FUSE daemon mistakenly doesn't fill the canonical path buffer, the FUSE driver may fall into two blocking request_wait_answer(fuse_dev_write->kern_path->fuse_lookup_name) causing a deadlock condition. The stack is as follows： find S 0 20511 20117 0x00000000 Call trace: [<ffffff8008085e78>] __switch_to+0xb8/0xd4 [<ffffff8008a0cac4>] __schedule+0x458/0x714 [<ffffff8008a0ce0c>] schedule+0x8c/0xa8 [<ffffff800833865c>] request_wait_answer+0x74/0x220 [<ffffff8008339f70>] __fuse_request_send+0x8c/0xa0 [<ffffff8008339fe4>] fuse_request_send+0x60/0x6c [<ffffff800833c1a8>] fuse_dentry_canonical_path+0xb8/0x104 [<ffffff800820b14c>] do_sys_open+0x1b4/0x260 [<ffffff800820b27c>] SyS_openat+0x3c/0x4c [<ffffff8008083540>] el0_svc_naked+0x34/0x38 mount.ntfs-3g S 0 5845 1 0x00000000 Call trace: [<ffffff8008085e78>] __switch_to+0xb8/0xd4 [<ffffff8008a0cac4>] __schedule+0x458/0x714 [<ffffff8008a0ce0c>] schedule+0x8c/0xa8 [<ffffff800833865c>] request_wait_answer+0x74/0x220 [<ffffff8008339f70>] __fuse_request_send+0x8c/0xa0 [<ffffff8008339fe4>] fuse_request_send+0x60/0x6c [<ffffff800833bdb0>] fuse_simple_request+0x128/0x16c [<ffffff800833dddc>] fuse_lookup_name+0x104/0x1b0 [<ffffff800833dee4>] fuse_lookup+0x5c/0x11c [<ffffff800821861c>] lookup_slow+0xfc/0x174 [<ffffff800821b474>] walk_component+0xf0/0x290 [<ffffff800821bbac>] path_lookupat+0xa0/0x128 [<ffffff800821c7f4>] filename_lookup+0x84/0x124 [<ffffff800821c8d8>] kern_path+0x44/0x54 [<ffffff800833b0c8>] fuse_dev_do_write+0x828/0xa0c [<ffffff800833b610>] fuse_dev_write+0x90/0xb4 [<ffffff800820b770>] do_iter_readv_writev+0xf4/0x13c [<ffffff800820cc88>] do_readv_writev+0xec/0x220 [<ffffff800820d05c>] vfs_writev+0x60/0x74 [<ffffff800820d0ec>] do_writev+0x7c/0x100 [<ffffff800820e348>] SyS_writev+0x38/0x48 [<ffffff8008083540>] el0_svc_naked+0x34/0x38 Fix by ensuring that the page allocated for the canonical path is zeroed. Bug: 194856119 Bug: 196051870 Fixes: 24ab59f ("ANDROID: fuse: Add support for d_canonical_path") Signed-off-by: Biao Li <libiao@allwinnertech.com> Signed-off-by: Shuosheng Huang <huangshuosheng@allwinnertech.com> Signed-off-by: Alessio Balsini <balsini@google.com> Change-Id: I400815dc1049d90c308f5cf87ce60de97ff82131
diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
@@ -344,7 +344,7 @@ static void fuse_dentry_canonical_path(const struct path *path,
 	char *path_name;
 	int err;
 
-	path_name = (char *)__get_free_page(GFP_KERNEL);
+	path_name = (char *)get_zeroed_page(GFP_KERNEL);
 	if (!path_name)
 		goto default_path;
 
