From bb875b38dc5e343bdb696b2eab8233e4d195e208 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Mon, 26 Jan 2009 15:00:58 +0100 Subject: fuse: fix NULL deref in fuse_file_alloc() ff is set to NULL and then dereferenced on line 65. Compile tested only. Signed-off-by: Dan Carpenter Signed-off-by: Miklos Szeredi CC: stable@kernel.org --- fs/fuse/file.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'fs') diff --git a/fs/fuse/file.c b/fs/fuse/file.c index e8162646a9b5..d9fdb7cec538 100644 --- a/fs/fuse/file.c +++ b/fs/fuse/file.c @@ -54,7 +54,7 @@ struct fuse_file *fuse_file_alloc(struct fuse_conn *fc) ff->reserved_req = fuse_request_alloc(); if (!ff->reserved_req) { kfree(ff); - ff = NULL; + return NULL; } else { INIT_LIST_HEAD(&ff->write_entry); atomic_set(&ff->count, 0); -- cgit v1.2.3 From 3ddf1e7f57237ac7c5d5bfb7058f1ea4f970b661 Mon Sep 17 00:00:00 2001 From: Miklos Szeredi Date: Mon, 26 Jan 2009 15:00:58 +0100 Subject: fuse: fix missing fput on error Fix the leaking file reference if allocation or initialization of fuse_conn failed. Signed-off-by: Miklos Szeredi CC: stable@kernel.org --- fs/fuse/inode.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'fs') diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c index 47c96fdca1ac..6893717b6536 100644 --- a/fs/fuse/inode.c +++ b/fs/fuse/inode.c @@ -829,15 +829,20 @@ static int fuse_fill_super(struct super_block *sb, void *data, int silent) if (!file) return -EINVAL; - if (file->f_op != &fuse_dev_operations) + if (file->f_op != &fuse_dev_operations) { + fput(file); return -EINVAL; + } fc = kmalloc(sizeof(*fc), GFP_KERNEL); - if (!fc) + if (!fc) { + fput(file); return -ENOMEM; + } err = fuse_conn_init(fc, sb); if (err) { + fput(file); kfree(fc); return err; } -- cgit v1.2.3 From c2b8f006909b9bf9e165dfdf3c378527938c4497 Mon Sep 17 00:00:00 2001 From: Miklos Szeredi Date: Mon, 26 Jan 2009 15:00:58 +0100 Subject: fuse: fuse_fill_super error handling cleanup Clean up error handling for the whole of fuse_fill_super() function. Signed-off-by: Miklos Szeredi --- fs/fuse/inode.c | 37 +++++++++++++++++++------------------ 1 file changed, 19 insertions(+), 18 deletions(-) (limited to 'fs') diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c index 6893717b6536..dc649f6bc3e5 100644 --- a/fs/fuse/inode.c +++ b/fs/fuse/inode.c @@ -805,16 +805,18 @@ static int fuse_fill_super(struct super_block *sb, void *data, int silent) int err; int is_bdev = sb->s_bdev != NULL; + err = -EINVAL; if (sb->s_flags & MS_MANDLOCK) - return -EINVAL; + goto err; if (!parse_fuse_opt((char *) data, &d, is_bdev)) - return -EINVAL; + goto err; if (is_bdev) { #ifdef CONFIG_BLOCK + err = -EINVAL; if (!sb_set_blocksize(sb, d.blksize)) - return -EINVAL; + goto err; #endif } else { sb->s_blocksize = PAGE_CACHE_SIZE; @@ -826,25 +828,22 @@ static int fuse_fill_super(struct super_block *sb, void *data, int silent) sb->s_export_op = &fuse_export_operations; file = fget(d.fd); + err = -EINVAL; if (!file) - return -EINVAL; + goto err; - if (file->f_op != &fuse_dev_operations) { - fput(file); - return -EINVAL; - } + if (file->f_op != &fuse_dev_operations) + goto err_fput; fc = kmalloc(sizeof(*fc), GFP_KERNEL); - if (!fc) { - fput(file); - return -ENOMEM; - } + err = -ENOMEM; + if (!fc) + goto err_fput; err = fuse_conn_init(fc, sb); if (err) { - fput(file); kfree(fc); - return err; + goto err_fput; } fc->release = fuse_free_conn; @@ -859,12 +858,12 @@ static int fuse_fill_super(struct super_block *sb, void *data, int silent) err = -ENOMEM; root = fuse_get_root_inode(sb, d.rootmode); if (!root) - goto err; + goto err_put_conn; root_dentry = d_alloc_root(root); if (!root_dentry) { iput(root); - goto err; + goto err_put_conn; } init_req = fuse_request_alloc(); @@ -908,9 +907,11 @@ static int fuse_fill_super(struct super_block *sb, void *data, int silent) fuse_request_free(init_req); err_put_root: dput(root_dentry); - err: - fput(file); + err_put_conn: fuse_conn_put(fc); + err_fput: + fput(file); + err: return err; } -- cgit v1.2.3 From 26c3679101dbccc054dcf370143941844ba70531 Mon Sep 17 00:00:00 2001 From: Miklos Szeredi Date: Mon, 26 Jan 2009 15:00:59 +0100 Subject: fuse: destroy bdi on umount If a fuse filesystem is unmounted but the device file descriptor remains open and a new mount reuses the old device number, then the mount fails with EEXIST and the following warning is printed in the kernel log: WARNING: at fs/sysfs/dir.c:462 sysfs_add_one+0x35/0x3d() sysfs: duplicate filename '0:15' can not be created The cause is that the bdi belonging to the fuse filesystem was destoryed only after the device file was released. Fix this by calling bdi_destroy() from fuse_put_super() instead. Signed-off-by: Miklos Szeredi CC: stable@kernel.org --- fs/fuse/dev.c | 3 ++- fs/fuse/inode.c | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) (limited to 'fs') diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c index e0c7ada08a1f..c4a3d9bbdaa8 100644 --- a/fs/fuse/dev.c +++ b/fs/fuse/dev.c @@ -281,7 +281,8 @@ __releases(&fc->lock) fc->blocked = 0; wake_up_all(&fc->blocked_waitq); } - if (fc->num_background == FUSE_CONGESTION_THRESHOLD) { + if (fc->num_background == FUSE_CONGESTION_THRESHOLD && + fc->connected) { clear_bdi_congested(&fc->bdi, READ); clear_bdi_congested(&fc->bdi, WRITE); } diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c index dc649f6bc3e5..459b73dd45e1 100644 --- a/fs/fuse/inode.c +++ b/fs/fuse/inode.c @@ -292,6 +292,7 @@ static void fuse_put_super(struct super_block *sb) list_del(&fc->entry); fuse_ctl_remove_conn(fc); mutex_unlock(&fuse_mutex); + bdi_destroy(&fc->bdi); fuse_conn_put(fc); } @@ -532,7 +533,6 @@ void fuse_conn_put(struct fuse_conn *fc) if (fc->destroy_req) fuse_request_free(fc->destroy_req); mutex_destroy(&fc->inst_mutex); - bdi_destroy(&fc->bdi); fc->release(fc); } } -- cgit v1.2.3 From f6d47a1761896dcd89e3184399a8962dff17267d Mon Sep 17 00:00:00 2001 From: Miklos Szeredi Date: Mon, 26 Jan 2009 15:00:59 +0100 Subject: fuse: fix poll notify Move fuse_copy_finish() to before calling fuse_notify_poll_wakeup(). This is not a big issue because fuse_notify_poll_wakeup() should be atomic, but it's cleaner this way, and later uses of notification will need to be able to finish the copying before performing some actions. Signed-off-by: Miklos Szeredi --- fs/fuse/dev.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) (limited to 'fs') diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c index c4a3d9bbdaa8..ba76b68c52ff 100644 --- a/fs/fuse/dev.c +++ b/fs/fuse/dev.c @@ -826,16 +826,21 @@ static int fuse_notify_poll(struct fuse_conn *fc, unsigned int size, struct fuse_copy_state *cs) { struct fuse_notify_poll_wakeup_out outarg; - int err; + int err = -EINVAL; if (size != sizeof(outarg)) - return -EINVAL; + goto err; err = fuse_copy_one(cs, &outarg, sizeof(outarg)); if (err) - return err; + goto err; + fuse_copy_finish(cs); return fuse_notify_poll_wakeup(fc, &outarg); + +err: + fuse_copy_finish(cs); + return err; } static int fuse_notify(struct fuse_conn *fc, enum fuse_notify_code code, @@ -846,6 +851,7 @@ static int fuse_notify(struct fuse_conn *fc, enum fuse_notify_code code, return fuse_notify_poll(fc, size, cs); default: + fuse_copy_finish(cs); return -EINVAL; } } @@ -924,7 +930,6 @@ static ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov, */ if (!oh.unique) { err = fuse_notify(fc, oh.error, nbytes - sizeof(oh), &cs); - fuse_copy_finish(&cs); return err ? err : nbytes; } -- cgit v1.2.3