[thirdparty/kernel/stable-queue.git] / releases / 4.4.154 / fuse-fix-unlocked-access-to-processing-queue.patch

From 45ff350bbd9d0f0977ff270a0d427c71520c0c37 Mon Sep 17 00:00:00 2001
From: Miklos Szeredi <mszeredi@redhat.com>
Date: Thu, 26 Jul 2018 16:13:11 +0200
Subject: fuse: fix unlocked access to processing queue

From: Miklos Szeredi <mszeredi@redhat.com>

commit 45ff350bbd9d0f0977ff270a0d427c71520c0c37 upstream.

fuse_dev_release() assumes that it's the only one referencing the
fpq->processing list, but that's not true, since fuse_abort_conn() can be
doing the same without any serialization between the two.

Fixes: c3696046beb3 ("fuse: separate pqueue for clones")
Cc: <stable@vger.kernel.org> # v4.2
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/dev.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -2199,9 +2199,15 @@ int fuse_dev_release(struct inode *inode
 	if (fud) {
 		struct fuse_conn *fc = fud->fc;
 		struct fuse_pqueue *fpq = &fud->pq;
+		LIST_HEAD(to_end);
 
+		spin_lock(&fpq->lock);
 		WARN_ON(!list_empty(&fpq->io));
-		end_requests(fc, &fpq->processing);
+		list_splice_init(&fpq->processing, &to_end);
+		spin_unlock(&fpq->lock);
+
+		end_requests(fc, &to_end);
+
 		/* Are we the last open device? */
 		if (atomic_dec_and_test(&fc->dev_count)) {
 			WARN_ON(fc->iq.fasync != NULL);
Commit	Line	Data
f7a9c07c GKH	1	From 45ff350bbd9d0f0977ff270a0d427c71520c0c37 Mon Sep 17 00:00:00 2001
	2	From: Miklos Szeredi <mszeredi@redhat.com>
	3	Date: Thu, 26 Jul 2018 16:13:11 +0200
	4	Subject: fuse: fix unlocked access to processing queue
	5
	6	From: Miklos Szeredi <mszeredi@redhat.com>
	7
	8	commit 45ff350bbd9d0f0977ff270a0d427c71520c0c37 upstream.
	9
	10	fuse_dev_release() assumes that it's the only one referencing the
	11	fpq->processing list, but that's not true, since fuse_abort_conn() can be
	12	doing the same without any serialization between the two.
	13
	14	Fixes: c3696046beb3 ("fuse: separate pqueue for clones")
	15	Cc: <stable@vger.kernel.org> # v4.2
	16	Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
	17	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	18
	19	---
	20	fs/fuse/dev.c \| 8 +++++++-
	21	1 file changed, 7 insertions(+), 1 deletion(-)
	22
	23	--- a/fs/fuse/dev.c
	24	+++ b/fs/fuse/dev.c
	25	@@ -2199,9 +2199,15 @@ int fuse_dev_release(struct inode *inode
	26	if (fud) {
	27	struct fuse_conn *fc = fud->fc;
	28	struct fuse_pqueue *fpq = &fud->pq;
	29	+ LIST_HEAD(to_end);
	30
	31	+ spin_lock(&fpq->lock);
	32	WARN_ON(!list_empty(&fpq->io));
	33	- end_requests(fc, &fpq->processing);
	34	+ list_splice_init(&fpq->processing, &to_end);
	35	+ spin_unlock(&fpq->lock);
	36	+
	37	+ end_requests(fc, &to_end);
	38	+
	39	/* Are we the last open device? */
	40	if (atomic_dec_and_test(&fc->dev_count)) {
	41	WARN_ON(fc->iq.fasync != NULL);