fuse: check if copy_file_range() returns larger than requested size

Just like write(), copy_file_range() should check if the return value is less or equal to the requested number of bytes. Reported-by: Chunsheng Luo <luochunsheng@ustc.edu> Closes: https://lore.kernel.org/all/20250807062425.694-1-luochunsheng@ustc.edu/ Fixes: 88bc7d5097 ("fuse: add support for copy_file_range()") Cc: <stable@vger.kernel.org> # v4.20 Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-05-26 08:02:27 +02:00 · 2025-08-12 14:07:54 +02:00 · 2025-08-12 14:07:54 +02:00 · e5203209b3
commit e5203209b3
parent e9c8da670e
1 changed files with 3 additions and 0 deletions
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@ -3026,6 +3026,9 @@ static ssize_t __fuse_copy_file_range(struct file *file_in, loff_t pos_in,
 		fc->no_copy_file_range = 1;
 		err = -EOPNOTSUPP;
 	}
+	if (!err && outarg.size > len)
+		err = -EIO;
+
 	if (err)
 		goto out;