diff options
| author | Miklos Szeredi <mszeredi@redhat.com> | 2018-07-26 16:13:11 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2018-09-05 09:18:39 +0200 |
| commit | 4ded21c9ea1cf8687e33ebe0577f6b4353f5d8c6 (patch) | |
| tree | 4a713969dc6668a8362007891111439276c0b6b8 | |
| parent | d14dbb5c6c4c068a2117fdd3ae73ade8d490f483 (diff) | |
| download | linux-cip-4ded21c9ea1cf8687e33ebe0577f6b4353f5d8c6.tar.gz | |
fuse: fix unlocked access to processing queue
commit 45ff350bbd9d0f0977ff270a0d427c71520c0c37 upstream.
fuse_dev_release() assumes that it's the only one referencing the
fpq->processing list, but that's not true, since fuse_abort_conn() can be
doing the same without any serialization between the two.
Fixes: c3696046beb3 ("fuse: separate pqueue for clones")
Cc: <stable@vger.kernel.org> # v4.2
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | fs/fuse/dev.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c index 42a6263e7809bc..5fc7521e05a485 100644 --- a/fs/fuse/dev.c +++ b/fs/fuse/dev.c @@ -2199,9 +2199,15 @@ int fuse_dev_release(struct inode *inode, struct file *file) if (fud) { struct fuse_conn *fc = fud->fc; struct fuse_pqueue *fpq = &fud->pq; + LIST_HEAD(to_end); + spin_lock(&fpq->lock); WARN_ON(!list_empty(&fpq->io)); - end_requests(fc, &fpq->processing); + list_splice_init(&fpq->processing, &to_end); + spin_unlock(&fpq->lock); + + end_requests(fc, &to_end); + /* Are we the last open device? */ if (atomic_dec_and_test(&fc->dev_count)) { WARN_ON(fc->iq.fasync != NULL); |