5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabriel Krisman Bertazi krisman@collabora.com
[ Upstream commit 572c28f27a269f88e2d8d7b6b1507f114d637337 ]
struct fanotify_error_event, at least, is preallocated and isn't able to to handle arbitrarily large file handles. Future-proof the code by complaining loudly if a handle larger than MAX_HANDLE_SZ is ever found.
Link: https://lore.kernel.org/r/20211025192746.66445-26-krisman@collabora.com Reviewed-by: Amir Goldstein amir73il@gmail.com Reviewed-by: Jan Kara jack@suse.cz Signed-off-by: Gabriel Krisman Bertazi krisman@collabora.com Signed-off-by: Jan Kara jack@suse.cz Signed-off-by: Chuck Lever chuck.lever@oracle.com --- fs/notify/fanotify/fanotify.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c index cedcb15468043..45df610debbe4 100644 --- a/fs/notify/fanotify/fanotify.c +++ b/fs/notify/fanotify/fanotify.c @@ -360,13 +360,23 @@ static u32 fanotify_group_event_mask(struct fsnotify_group *group, static int fanotify_encode_fh_len(struct inode *inode) { int dwords = 0; + int fh_len;
if (!inode) return 0;
exportfs_encode_inode_fh(inode, NULL, &dwords, NULL); + fh_len = dwords << 2;
- return dwords << 2; + /* + * struct fanotify_error_event might be preallocated and is + * limited to MAX_HANDLE_SZ. This should never happen, but + * safeguard by forcing an invalid file handle. + */ + if (WARN_ON_ONCE(fh_len > MAX_HANDLE_SZ)) + return 0; + + return fh_len; }
/*