summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJann Horn <jannh@google.com>2019-01-12 02:39:05 +0100
committerMiklos Szeredi <mszeredi@redhat.com>2019-01-16 10:27:59 +0100
commit9509941e9c534920ccc4771ae70bd6cbbe79df1c (patch)
tree4b6ee94635855b7826e54c455687a305f0761ff2
parentcuse: fix ioctl (diff)
downloadlinux-9509941e9c534920ccc4771ae70bd6cbbe79df1c.tar.xz
linux-9509941e9c534920ccc4771ae70bd6cbbe79df1c.zip
fuse: call pipe_buf_release() under pipe lock
Some of the pipe_buf_release() handlers seem to assume that the pipe is locked - in particular, anon_pipe_buf_release() accesses pipe->tmp_page without taking any extra locks. From a glance through the callers of pipe_buf_release(), it looks like FUSE is the only one that calls pipe_buf_release() without having the pipe locked. This bug should only lead to a memory leak, nothing terrible. Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device") Cc: stable@vger.kernel.org Signed-off-by: Jann Horn <jannh@google.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
-rw-r--r--fs/fuse/dev.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index fc29264011a6..809c0f2f9942 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -2077,8 +2077,10 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
ret = fuse_dev_do_write(fud, &cs, len);
+ pipe_lock(pipe);
for (idx = 0; idx < nbuf; idx++)
pipe_buf_release(pipe, &bufs[idx]);
+ pipe_unlock(pipe);
out:
kvfree(bufs);