summaryrefslogtreecommitdiff
path: root/fs/fuse
diff options
context:
space:
mode:
authorAndrey Ryabinin <aryabinin@virtuozzo.com>2018-07-17 19:00:33 +0300
committerMiklos Szeredi <mszeredi@redhat.com>2018-07-26 17:13:11 +0300
commita2477b0e67c52f4364a47c3ad70902bc2a61bd4c (patch)
treecb4724a138dccddd5f972b3174d075bf02cf2914 /fs/fuse
parent63576c13bd17848376c8ba4a98f5d5151140c4ac (diff)
downloadlinux-a2477b0e67c52f4364a47c3ad70902bc2a61bd4c.tar.xz
fuse: Don't access pipe->buffers without pipe_lock()
fuse_dev_splice_write() reads pipe->buffers to determine the size of 'bufs' array before taking the pipe_lock(). This is not safe as another thread might change the 'pipe->buffers' between the allocation and taking the pipe_lock(). So we end up with too small 'bufs' array. Move the bufs allocations inside pipe_lock()/pipe_unlock() to fix this. Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device") Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com> Cc: <stable@vger.kernel.org> # v2.6.35 Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Diffstat (limited to 'fs/fuse')
-rw-r--r--fs/fuse/dev.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index ec83b107c1a0..4a9ace7280b9 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1955,12 +1955,15 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
if (!fud)
return -EPERM;
+ pipe_lock(pipe);
+
bufs = kmalloc_array(pipe->buffers, sizeof(struct pipe_buffer),
GFP_KERNEL);
- if (!bufs)
+ if (!bufs) {
+ pipe_unlock(pipe);
return -ENOMEM;
+ }
- pipe_lock(pipe);
nbuf = 0;
rem = 0;
for (idx = 0; idx < pipe->nrbufs && rem < len; idx++)