[Bug 236381] [FUSE] EFAULT and possible data corruption with short writes

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Fri Mar 8 01:57:47 UTC 2019


            Bug ID: 236381
           Summary: [FUSE] EFAULT and possible data corruption with short
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: bugs at FreeBSD.org
          Reporter: asomers at FreeBSD.org

Normally fuse filesystems are required to always write the exact amount of data
requested by a FUSE_WRITE operation.  However, if the filesystem sets
FOPEN_DIRECT_IO in the response to a FUSE_OPEN request, then it is allowed to
write less data than was requested.  In that case, the client will likely want
to write the remainder of the data.

The problem is that fuse_write_directbackend doesn't correctly account for the
short write.  It correctly detects a short write, and tries to "rewind" the uio
by adjusting its uio_resid and uio_offset fields.  However, it neglects to
rewind the uio_iov field.  In fact, it will not always be possible to rewind
the uio_iov, because uiomove may have incremented the uio_iov pointer.  I see
two possible solutions:

1) Add a second inner loop to fuse_write_directbackend.  The inner loop will
handle short writes, and will get its data from the fdi buffer.  uiomove will
not be called again.  In addition to fixing the bug, this method will also be
more efficient than current code, because it won't copy data across the
user-kernel boundary multiple times.

2) Don't try to make up for short writes.  Simply return to userland.  This
would probably be more in the spirit of direct_io.  However,
fuse_write_directbackend can have many different callers, and it might not be
appropriate for all of them.  In particular, fuse(4) currently doesn't
accurately track whether the filesystem requested FOPEN_DIRECT_IO.

You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-bugs mailing list