summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndrey Ryabinin <aryabinin@virtuozzo.com>2018-07-17 19:00:33 +0300
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2018-09-05 09:20:08 +0200
commit67a9e4870ce1afcb66d314c57ca839aff421557e (patch)
tree88a569ba751b73115763640d17ce61fc3fde0cce
parent6a2346f3229495f1338b7a2a869efd16822d4ee6 (diff)
downloadlinux-stable-67a9e4870ce1afcb66d314c57ca839aff421557e.tar.gz
linux-stable-67a9e4870ce1afcb66d314c57ca839aff421557e.tar.bz2
linux-stable-67a9e4870ce1afcb66d314c57ca839aff421557e.zip
fuse: Don't access pipe->buffers without pipe_lock()
commit a2477b0e67c52f4364a47c3ad70902bc2a61bd4c upstream. fuse_dev_splice_write() reads pipe->buffers to determine the size of 'bufs' array before taking the pipe_lock(). This is not safe as another thread might change the 'pipe->buffers' between the allocation and taking the pipe_lock(). So we end up with too small 'bufs' array. Move the bufs allocations inside pipe_lock()/pipe_unlock() to fix this. Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device") Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com> Cc: <stable@vger.kernel.org> # v2.6.35 Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--fs/fuse/dev.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index f11792672977..ce558c853722 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1935,11 +1935,14 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
if (!fud)
return -EPERM;
+ pipe_lock(pipe);
+
bufs = kmalloc(pipe->buffers * sizeof(struct pipe_buffer), GFP_KERNEL);
- if (!bufs)
+ if (!bufs) {
+ pipe_unlock(pipe);
return -ENOMEM;
+ }
- pipe_lock(pipe);
nbuf = 0;
rem = 0;
for (idx = 0; idx < pipe->nrbufs && rem < len; idx++)