From ad06e648517e8b7d796a398e46a6e30e7bcae1fb Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 1 Dec 2022 13:39:00 +0100
Subject: [PATCH] 5.10-stable patches

added patches:
	fuse-lock-inode-unconditionally-in-fuse_fallocate.patch

---
 ...de-unconditionally-in-fuse_fallocate.patch | 88 +++++++++++++++++++
 queue-5.10/series | 1 +
 2 files changed, 89 insertions(+)
 create mode 100644 queue-5.10/fuse-lock-inode-unconditionally-in-fuse_fallocate.patch

diff --git a/queue-5.10/fuse-lock-inode-unconditionally-in-fuse_fallocate.patch b/queue-5.10/fuse-lock-inode-unconditionally-in-fuse_fallocate.patch
new file mode 100644
index 00000000000..bb960b67c3f
--- /dev/null
+++ b/queue-5.10/fuse-lock-inode-unconditionally-in-fuse_fallocate.patch
@@ -0,0 +1,88 @@
+From 44361e8cf9ddb23f17bdcc40ca944abf32e83e79 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Wed, 23 Nov 2022 09:10:42 +0100
+Subject: fuse: lock inode unconditionally in fuse_fallocate()
+
+From: Miklos Szeredi
+
+commit 44361e8cf9ddb23f17bdcc40ca944abf32e83e79 upstream.
+
+file_modified() must be called with inode lock held. fuse_fallocate()
+didn't lock the inode in case of just FALLOC_KEEP_SIZE flags value, which
+resulted in a kernel Warning in notify_change().
+
+Lock the inode unconditionally, like all other fallocate implementations
+do.
+
+Reported-by: Pengfei Xu
+Reported-and-tested-by: syzbot+462da39f0667b357c4b6@syzkaller.appspotmail.com
+Fixes: 4a6f278d4827 ("fuse: add file_modified() to fallocate")
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/fuse/file.c | 40 ++++++++++++++++++----------------------
+ 1 file changed, 18 insertions(+), 22 deletions(-)
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -3275,10 +3275,9 @@ static long fuse_file_fallocate(struct f
+ 		.mode = mode
+ 	};
+ 	int err;
+-	bool lock_inode = !(mode & FALLOC_FL_KEEP_SIZE) ||
+-		(mode & FALLOC_FL_PUNCH_HOLE);
+-
+-	bool block_faults = FUSE_IS_DAX(inode) && lock_inode;
++	bool block_faults = FUSE_IS_DAX(inode) &&
++		(!(mode & FALLOC_FL_KEEP_SIZE) ||
++		 (mode & FALLOC_FL_PUNCH_HOLE));
+ 
+ 	if (mode & ~(FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE))
+ 		return -EOPNOTSUPP;
+@@ -3286,22 +3285,20 @@ static long fuse_file_fallocate(struct f
+ 	if (fm->fc->no_fallocate)
+ 		return -EOPNOTSUPP;
+ 
+-	if (lock_inode) {
+-		inode_lock(inode);
+-		if (block_faults) {
+-			down_write(&fi->i_mmap_sem);
+-			err = fuse_dax_break_layouts(inode, 0, 0);
+-			if (err)
+-				goto out;
+-		}
+-
+-		if (mode & FALLOC_FL_PUNCH_HOLE) {
+-			loff_t endbyte = offset + length - 1;
+-
+-			err = fuse_writeback_range(inode, offset, endbyte);
+-			if (err)
+-				goto out;
+-		}
++	inode_lock(inode);
++	if (block_faults) {
++		down_write(&fi->i_mmap_sem);
++		err = fuse_dax_break_layouts(inode, 0, 0);
++		if (err)
++			goto out;
++	}
++
++	if (mode & FALLOC_FL_PUNCH_HOLE) {
++		loff_t endbyte = offset + length - 1;
++
++		err = fuse_writeback_range(inode, offset, endbyte);
++		if (err)
++			goto out;
+ 	}
+ 
+ 	if (!(mode & FALLOC_FL_KEEP_SIZE) &&
+@@ -3351,8 +3348,7 @@ out:
+ 	if (block_faults)
+ 		up_write(&fi->i_mmap_sem);
+ 
+-	if (lock_inode)
+-		inode_unlock(inode);
++	inode_unlock(inode);
+ 
+ 	fuse_flush_time_update(inode);
+ 
diff --git a/queue-5.10/series b/queue-5.10/series
index 8b0f5b3d672..641aae52d6a 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -157,3 +157,4 @@ btrfs-sysfs-normalize-the-error-handling-branch-in-btrfs_init_sysfs.patch
 drm-amd-dc-dce120-fix-audio-register-mapping-stop-triggering-kasan.patch
 drm-amdgpu-always-register-an-mmu-notifier-for-userptr.patch
 drm-i915-fix-tlb-invalidation-for-gen12-video-and-compute-engines.patch
+fuse-lock-inode-unconditionally-in-fuse_fallocate.patch
-- 
2.47.3
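Review bot: The new `block_faults` initializer in the first hunk is the only place the old `lock_inode` predicate survives, and with `inode_lock(inode)` now unconditional in the second hunk nothing in the code says why DAX layout breaking stays limited to the extend and punch-hole cases, so a later reader may take the asymmetry for a leftover of this very patch. I would add above the initializer: `/* The inode lock is always taken below because file_modified() requires it; breaking DAX layouts presumably only matters when the call can change existing mappings (extending or punching), hence the narrower test. */`, with the "presumably" to be confirmed against fuse_dax_break_layouts(). The failure the message describes is a WARN in notify_change() reachable through fallocate() on a FUSE file, which on a kernel with panic_on_warn is presumably an unprivileged crash trigger for any user-mountable FUSE filesystem; that is worth a line in the stable entry so the backport's priority is clear. fuse_file_fallocate() begins before the first hunk, and its tail after the `out:` hunk, including the final return, is outside the patch.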