diff options
| author | Jann Horn <jannh@google.com> | 2019-01-12 04:39:05 +0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-02-12 21:46:11 +0300 |
| commit | 65f222bb370ebc02d5035a4d890df0bfd7343c0d (patch) | |
| tree | d3e3f85871218fc20fb3357862902cfb23a91bf6 | |
| parent | c201e435e15f3595e508f630644ed0424cfc6666 (diff) | |
| download | linux-65f222bb370ebc02d5035a4d890df0bfd7343c0d.tar.xz | |
fuse: call pipe_buf_release() under pipe lock
commit 9509941e9c534920ccc4771ae70bd6cbbe79df1c upstream.
Some of the pipe_buf_release() handlers seem to assume that the pipe is
locked - in particular, anon_pipe_buf_release() accesses pipe->tmp_page
without taking any extra locks. From a glance through the callers of
pipe_buf_release(), it looks like FUSE is the only one that calls
pipe_buf_release() without having the pipe locked.
This bug should only lead to a memory leak, nothing terrible.
Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | fs/fuse/dev.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c index f7280c44cd4b..b29861854de4 100644 --- a/fs/fuse/dev.c +++ b/fs/fuse/dev.c @@ -2024,8 +2024,10 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe, ret = fuse_dev_do_write(fud, &cs, len); + pipe_lock(pipe); for (idx = 0; idx < nbuf; idx++) pipe_buf_release(pipe, &bufs[idx]); + pipe_unlock(pipe); out: kfree(bufs); |