diff options
author | Jann Horn <jannh@google.com> | 2019-01-12 02:39:05 +0100 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2019-05-02 21:41:22 +0100 |
commit | 7e39bb8f23f62b37f8f843b61648c8bfe494908c (patch) | |
tree | 527f8a53cb6ee45417ff717a165185f880778bfa /fs/fuse | |
parent | 2e1f7654f16212bffab18033f9bf95cdca1764e5 (diff) | |
download | linux-stable-7e39bb8f23f62b37f8f843b61648c8bfe494908c.tar.gz linux-stable-7e39bb8f23f62b37f8f843b61648c8bfe494908c.tar.bz2 linux-stable-7e39bb8f23f62b37f8f843b61648c8bfe494908c.zip |
fuse: call pipe_buf_release() under pipe lock
commit 9509941e9c534920ccc4771ae70bd6cbbe79df1c upstream.
Some of the pipe_buf_release() handlers seem to assume that the pipe is
locked - in particular, anon_pipe_buf_release() accesses pipe->tmp_page
without taking any extra locks. From a glance through the callers of
pipe_buf_release(), it looks like FUSE is the only one that calls
pipe_buf_release() without having the pipe locked.
This bug should only lead to a memory leak, nothing terrible.
Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat (limited to 'fs/fuse')
-rw-r--r-- | fs/fuse/dev.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c index df1dfc4d535e..29cbf574d2b7 100644 --- a/fs/fuse/dev.c +++ b/fs/fuse/dev.c @@ -1978,10 +1978,12 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe, ret = fuse_dev_do_write(fc, &cs, len); + pipe_lock(pipe); for (idx = 0; idx < nbuf; idx++) { struct pipe_buffer *buf = &bufs[idx]; buf->ops->release(pipe, buf); } + pipe_unlock(pipe); out: kfree(bufs); return ret; |