]> git.ipfire.org Git - thirdparty/kernel/stable.git/commitdiff
projects / thirdparty / kernel / stable.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: c2f15e0)
fuse: check if copy_file_range() returns larger than requested size
authorMiklos Szeredi <mszeredi@redhat.com>
Tue, 12 Aug 2025 12:07:54 +0000 (14:07 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 2 Oct 2025 11:35:37 +0000 (13:35 +0200)
commit e5203209b3935041dac541bc5b37efb44220cc0b upstream.

Just like write(), copy_file_range() should check if the return value is
less or equal to the requested number of bytes.

Reported-by: Chunsheng Luo <luochunsheng@ustc.edu>
Closes: https://lore.kernel.org/all/20250807062425.694-1-luochunsheng@ustc.edu/
Fixes: 88bc7d5097a1 ("fuse: add support for copy_file_range()")
Cc: <stable@vger.kernel.org> # v4.20
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fs/fuse/file.c patch | blob | blame | history

diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index fd7263ed25b92e5ea79cd42a185a3a53a1c1de24..f6c362623932b79e55ee3a83c5cd4384158f6eb9 100644 (file)
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -3450,6 +3450,9 @@ static ssize_t __fuse_copy_file_range(struct file *file_in, loff_t pos_in,
                fc->no_copy_file_range = 1;
                err = -EOPNOTSUPP;
        }
+       if (!err && outarg.size > len)
+               err = -EIO;
+
        if (err)
                goto out;
 
Mirror https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git