Commit 9509941e authored Jan 12, 2019 by Jann Horn Committed by Miklos Szeredi Jan 16, 2019

fuse: call pipe_buf_release() under pipe lock



Some of the pipe_buf_release() handlers seem to assume that the pipe is
locked - in particular, anon_pipe_buf_release() accesses pipe->tmp_page
without taking any extra locks. From a glance through the callers of
pipe_buf_release(), it looks like FUSE is the only one that calls
pipe_buf_release() without having the pipe locked.

This bug should only lead to a memory leak, nothing terrible.

Fixes: dd3bb14f ("fuse: support splice() writing to fuse device")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

parent 8a3177db

fs/fuse/dev.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -2077,8 +2077,10 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,

		ret = fuse_dev_do_write(fud, &cs, len);

		pipe_lock(pipe);
		for (idx = 0; idx < nbuf; idx++)
		pipe_buf_release(pipe, &bufs[idx]);
		pipe_unlock(pipe);

		out:
		kvfree(bufs);

Admin message