4.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kirill Tkhai ktkhai@virtuozzo.com
commit d2d2d4fb1f54eff0f3faa9762d84f6446a4bc5d0 upstream.
After we found req in request_find() and released the lock, everything may happen with the req in parallel:
cpu0 cpu1 fuse_dev_do_write() fuse_dev_do_write() req = request_find(fpq, ...) ... spin_unlock(&fpq->lock) ... ... req = request_find(fpq, oh.unique) ... spin_unlock(&fpq->lock) queue_interrupt(&fc->iq, req); ... ... ... ... ... request_end(fc, req); fuse_put_request(fc, req); ... queue_interrupt(&fc->iq, req);
Signed-off-by: Kirill Tkhai ktkhai@virtuozzo.com Signed-off-by: Miklos Szeredi mszeredi@redhat.com Fixes: 46c34a348b0a ("fuse: no fc->lock for pqueue parts") Cc: stable@vger.kernel.org # v4.2 Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- fs/fuse/dev.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
--- a/fs/fuse/dev.c +++ b/fs/fuse/dev.c @@ -1874,16 +1874,20 @@ static ssize_t fuse_dev_do_write(struct
/* Is it an interrupt reply? */ if (req->intr_unique == oh.unique) { + __fuse_get_request(req); spin_unlock(&fpq->lock);
err = -EINVAL; - if (nbytes != sizeof(struct fuse_out_header)) + if (nbytes != sizeof(struct fuse_out_header)) { + fuse_put_request(fc, req); goto err_finish; + }
if (oh.error == -ENOSYS) fc->no_interrupt = 1; else if (oh.error == -EAGAIN) queue_interrupt(&fc->iq, req); + fuse_put_request(fc, req);
fuse_copy_finish(cs); return nbytes;