From: Jann Horn <jannh@google.com>
Date: Sat, 12 Jan 2019 01:39:05 +0000 (+0100)
Subject: fuse: call pipe_buf_release() under pipe lock
X-Git-Tag: Ubuntu-4.15.0-49.53~71
X-Git-Url: https://git.proxmox.com/?p=mirror_ubuntu-bionic-kernel.git;a=commitdiff_plain;h=3f2044c765d6e5699ec5d91c38b3d810bdca82a4

fuse: call pipe_buf_release() under pipe lock

BugLink: https://bugs.launchpad.net/bugs/1824553

Some of the pipe_buf_release() handlers seem to assume that the pipe is
locked - in particular, anon_pipe_buf_release() accesses pipe->tmp_page
without taking any extra locks. From a glance through the callers of
pipe_buf_release(), it looks like FUSE is the only one that calls
pipe_buf_release() without having the pipe locked.

This bug should only lead to a memory leak, nothing terrible.

Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
(cherry picked from commit 9509941e9c534920ccc4771ae70bd6cbbe79df1c)
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
---

diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index cfae27c7a828..8a08c2baf69d 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -2038,8 +2038,10 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
 
 	ret = fuse_dev_do_write(fud, &cs, len);
 
+	pipe_lock(pipe);
 	for (idx = 0; idx < nbuf; idx++)
 		pipe_buf_release(pipe, &bufs[idx]);
+	pipe_unlock(pipe);
 
 out:
 	kfree(bufs);