diff options
| author | Miklos Szeredi <mszeredi@redhat.com> | 2025-08-12 14:07:54 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2025-09-19 16:32:03 +0200 |
| commit | 01e1eba64860d6ae502b2d3ff0f83843991f86ef (patch) | |
| tree | 28f9ddbb4175c01728dcf6efa4de8e5955fdad3c /fs | |
| parent | c50336dfcb24ad83349491166261aed72d03f801 (diff) | |
| download | linux-01e1eba64860d6ae502b2d3ff0f83843991f86ef.tar.gz linux-01e1eba64860d6ae502b2d3ff0f83843991f86ef.tar.bz2 linux-01e1eba64860d6ae502b2d3ff0f83843991f86ef.zip | |
fuse: check if copy_file_range() returns larger than requested size
commit e5203209b3935041dac541bc5b37efb44220cc0b upstream.
Just like write(), copy_file_range() should check if the return value is
less or equal to the requested number of bytes.
Reported-by: Chunsheng Luo <luochunsheng@ustc.edu>
Closes: https://lore.kernel.org/all/20250807062425.694-1-luochunsheng@ustc.edu/
Fixes: 88bc7d5097a1 ("fuse: add support for copy_file_range()")
Cc: <stable@vger.kernel.org> # v4.20
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/fuse/file.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/fs/fuse/file.c b/fs/fuse/file.c index 3e4c3fcb588b..1a0f07710a2b 100644 --- a/fs/fuse/file.c +++ b/fs/fuse/file.c @@ -3172,6 +3172,9 @@ static ssize_t __fuse_copy_file_range(struct file *file_in, loff_t pos_in, fc->no_copy_file_range = 1; err = -EOPNOTSUPP; } + if (!err && outarg.size > len) + err = -EIO; + if (err) goto out; |