fuse: call pipe_buf_release() under pipe lock

commit 9509941e9c534920ccc4771ae70bd6cbbe79df1c upstream. Some of the pipe_buf_release() handlers seem to assume that the pipe is locked - in particular, anon_pipe_buf_release() accesses pipe->tmp_page without taking any extra locks. From a glance through the callers of pipe_buf_release(), it looks like FUSE is the only one that calls pipe_buf_release() without having the pipe locked. This bug should only lead to a memory leak, nothing terrible. Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device") Cc: stable@vger.kernel.org Signed-off-by: Jann Horn <jannh@google.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Jann Horn <jannh@google.com> 2019-01-12 04:39:05 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-02-12 21:45:00 +0300
commit: 50449aafb818a55a012985d2412a34a4c624f7f2 (patch)
tree: f7ce92717df8cfcebe5e980581d2cbe8e77f9927 /fs/fuse/dev.c
parent: 18c071d41fda1e17a93aeb831e2f44d6c97ad02d (diff)
download: linux-50449aafb818a55a012985d2412a34a4c624f7f2.tar.xz
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index b4253181b5d4..ffcceb1bc20b 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -2018,8 +2018,10 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
 
 	ret = fuse_dev_do_write(fud, &cs, len);
 
+	pipe_lock(pipe);
 	for (idx = 0; idx < nbuf; idx++)
 		pipe_buf_release(pipe, &bufs[idx]);
+	pipe_unlock(pipe);
 
 out:
 	kfree(bufs);
author	Jann Horn <jannh@google.com>	2019-01-12 04:39:05 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2019-02-12 21:45:00 +0300
commit	50449aafb818a55a012985d2412a34a4c624f7f2 (patch)
tree	f7ce92717df8cfcebe5e980581d2cbe8e77f9927 /fs/fuse/dev.c
parent	18c071d41fda1e17a93aeb831e2f44d6c97ad02d (diff)
download	linux-50449aafb818a55a012985d2412a34a4c624f7f2.tar.xz