fuse: prevent overflow in copy_file_range return value

The FUSE protocol uses struct fuse_write_out to convey the return value of copy_file_range, which is restricted to uint32_t. But the COPY_FILE_RANGE interface supports a 64-bit size copies. Currently the number of bytes copied is silently truncated to 32-bit, which may result in poor performance or even failure to copy in case of truncation to zero. Reported-by: Florian Weimer <fweimer@redhat.com> Closes: https://lore.kernel.org/all/lhuh5ynl8z5.fsf@oldenburg.str.redhat.com/ Fixes: 88bc7d5097a1 ("fuse: add support for copy_file_range()") Cc: <stable@vger.kernel.org> # v4.20 Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
author: Miklos Szeredi <mszeredi@redhat.com> 2025-08-12 14:46:34 +0200
committer: Miklos Szeredi <mszeredi@redhat.com> 2025-08-26 12:43:31 +0200
commit: 1e08938c3694f707bb165535df352ac97a8c75c9 (patch)
tree: 49d4361c8cc5595312c64b4a7743b59d709aafbd
parent: e5203209b3935041dac541bc5b37efb44220cc0b (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index 45207a6bb85f..4adcf09d4b01 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -2960,7 +2960,7 @@ static ssize_t __fuse_copy_file_range(struct file *file_in, loff_t pos_in,
 		.nodeid_out = ff_out->nodeid,
 		.fh_out = ff_out->fh,
 		.off_out = pos_out,
-		.len = len,
+		.len = min_t(size_t, len, UINT_MAX & PAGE_MASK),
 		.flags = flags
 	};
 	struct fuse_write_out outarg;
author	Miklos Szeredi <mszeredi@redhat.com>	2025-08-12 14:46:34 +0200
committer	Miklos Szeredi <mszeredi@redhat.com>	2025-08-26 12:43:31 +0200
commit	1e08938c3694f707bb165535df352ac97a8c75c9 (patch)
tree	49d4361c8cc5595312c64b4a7743b59d709aafbd
parent	e5203209b3935041dac541bc5b37efb44220cc0b (diff)