From: Miklos Szeredi <mszeredi@redhat.com>
Date: Tue, 12 Aug 2025 12:07:54 +0000 (+0200)
Subject: fuse: check if copy_file_range() returns larger than requested size
X-Git-Tag: v5.10.245~104
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3e8056e1043a4f88184edc6288ac820ee16888c8;p=thirdparty%2Fkernel%2Fstable.git

fuse: check if copy_file_range() returns larger than requested size

commit e5203209b3935041dac541bc5b37efb44220cc0b upstream.

Just like write(), copy_file_range() should check if the return value is
less or equal to the requested number of bytes.

Reported-by: Chunsheng Luo <luochunsheng@ustc.edu>
Closes: https://lore.kernel.org/all/20250807062425.694-1-luochunsheng@ustc.edu/
Fixes: 88bc7d5097a1 ("fuse: add support for copy_file_range()")
Cc: <stable@vger.kernel.org> # v4.20
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index fd7263ed25b92..f6c362623932b 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -3450,6 +3450,9 @@ static ssize_t __fuse_copy_file_range(struct file *file_in, loff_t pos_in,
 		fc->no_copy_file_range = 1;
 		err = -EOPNOTSUPP;
 	}
+	if (!err && outarg.size > len)
+		err = -EIO;
+
 	if (err)
 		goto out;