On Wed, Jun 15, 2022 at 01:57:55PM +0800, Xie Yongji wrote:
> Virtio-fs does not support aborting requests which are being
> processed. Otherwise, it might trigger UAF since
What is full form of UAF? Use after free? Thanks Vivek
> virtio_fs_request_complete() doesn't know the requests are
> aborted. So let's remove the abort interface.
>
> Fixes: 15c8e72e88e0 ("fuse: allow skipping control interface and forced unmount")
> Signed-off-by: Xie Yongji <xieyongji@xxxxxxxxxxxxx>
> ---
> fs/fuse/control.c | 4 ++--
> fs/fuse/fuse_i.h | 4 ++++
> fs/fuse/inode.c | 1 +
> fs/fuse/virtio_fs.c | 1 +
> 4 files changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/fs/fuse/control.c b/fs/fuse/control.c
> index 7cede9a3bc96..d93d8ea3a090 100644
> --- a/fs/fuse/control.c
> +++ b/fs/fuse/control.c
> @@ -272,8 +272,8 @@ int fuse_ctl_add_conn(struct fuse_conn *fc)
>
> if (!fuse_ctl_add_dentry(parent, fc, "waiting", S_IFREG | 0400, 1,
> NULL, &fuse_ctl_waiting_ops) ||
> - !fuse_ctl_add_dentry(parent, fc, "abort", S_IFREG | 0200, 1,
> - NULL, &fuse_ctl_abort_ops) ||
> + (!fc->no_abort_control && !fuse_ctl_add_dentry(parent, fc, "abort",
> + S_IFREG | 0200, 1, NULL, &fuse_ctl_abort_ops)) ||
> !fuse_ctl_add_dentry(parent, fc, "max_background", S_IFREG | 0600,
> 1, NULL, &fuse_conn_max_background_ops) ||
> !fuse_ctl_add_dentry(parent, fc, "congestion_threshold",
> diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h
> index a47f14d0ee3f..e29a4e2f2b35 100644
> --- a/fs/fuse/fuse_i.h
> +++ b/fs/fuse/fuse_i.h
> @@ -507,6 +507,7 @@ struct fuse_fs_context {
> bool default_permissions:1;
> bool allow_other:1;
> bool destroy:1;
> + bool no_abort_control:1;
> bool no_force_umount:1;
> bool legacy_opts_show:1;
> enum fuse_dax_mode dax_mode;
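Review bot: The added `!fc->no_abort_control &&` guard makes the number of dentries created by fuse_ctl_add_conn vary per connection, and the array that records them and the matching teardown in fuse_ctl_remove_conn are outside this hunk; if removal walks a fixed count rather than the number actually added, the skipped "abort" slot would be used uninitialized, so that path is worth confirming before merging. The compound `||` chain is also getting hard to read now that one arm carries its own condition; a short comment above the guard such as `/* virtio-fs cannot abort in-flight requests, so it opts out of the "abort" knob */` would record locally why this entry alone is optional, since the reason otherwise lives only in the commit message. fuse_ctl_add_conn continues outside the hunk.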
> @@ -765,6 +766,9 @@ struct fuse_conn {
> /* Delete dentries that have gone stale */
> unsigned int delete_stale:1;
>
> + /** Do not create abort entry in fusectl fs */
> + unsigned int no_abort_control:1;
> +
> /** Do not allow MNT_FORCE umount */
> unsigned int no_force_umount:1;
>
> diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
> index 4059c6898e08..02a16cd35f42 100644
> --- a/fs/fuse/inode.c
> +++ b/fs/fuse/inode.c
> @@ -1564,6 +1564,7 @@ int fuse_fill_super_common(struct super_block *sb, struct fuse_fs_context *ctx)
> fc->legacy_opts_show = ctx->legacy_opts_show;
> fc->max_read = max_t(unsigned int, 4096, ctx->max_read);
> fc->destroy = ctx->destroy;
> + fc->no_abort_control = ctx->no_abort_control;
> fc->no_force_umount = ctx->no_force_umount;
>
> err = -ENOMEM;
> diff --git a/fs/fuse/virtio_fs.c b/fs/fuse/virtio_fs.c
> index 24bcf4dbca2a..af369bea6dbb 100644
> --- a/fs/fuse/virtio_fs.c
> +++ b/fs/fuse/virtio_fs.c
> @@ -1287,6 +1287,7 @@ static inline void virtio_fs_ctx_set_defaults(struct fuse_fs_context *ctx)
> ctx->max_read = UINT_MAX;
> ctx->blksize = 512;
> ctx->destroy = true;
> + ctx->no_abort_control = true;
> ctx->no_force_umount = true;
> }
>
> --
> 2.20.1
>
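Review bot: Setting `ctx->no_abort_control = true;` in virtio_fs_ctx_set_defaults removes only the user-visible fusectl trigger, while the use-after-free the commit message describes is in virtio_fs_request_complete() not knowing a request was aborted; any remaining caller of the connection-abort path (the patch already disables forced unmount via `no_force_umount`, but other teardown paths are not touched here) would presumably hit the same condition with requests in flight, so it would help to state in the commit message or a comment why those paths are safe, or to make the completion side tolerate an aborted request instead. A comment beside the new default, `/* in-flight requests cannot be aborted on virtio-fs; see virtio_fs_request_complete() */`, would keep the rationale next to the code. The function's opening is outside the hunk; only its closing brace is visible.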