diff options
| author | Miklos Szeredi <mszeredi@redhat.com> | 2018-07-26 10:13:11 -0400 |
|---|---|---|
| committer | Miklos Szeredi <mszeredi@redhat.com> | 2018-07-26 10:13:11 -0400 |
| commit | e8f3bd773d22f488724dffb886a1618da85c2966 (patch) | |
| tree | 5edce11e41e1a089911ccfc18c1a3d941c5b3b39 /fs/fuse | |
| parent | b8f95e5d13f5f0191dcb4b9113113d241636e7cb (diff) | |
fuse: Fix oops at process_init_reply()
syzbot is hitting NULL pointer dereference at process_init_reply().
This is because deactivate_locked_super() is called before response for
initial request is processed.
Fix this by aborting and waiting for all requests (including FUSE_INIT)
before resetting fc->sb.
Original patch by Tetsuo Handa <penguin-kernel@I-love.SKAURA.ne.jp>.
Reported-by: syzbot <syzbot+b62f08f4d5857755e3bc@syzkaller.appspotmail.com>
Fixes: e27c9d3877a0 ("fuse: fuse: add time_gran to INIT_OUT")
Cc: <stable@vger.kernel.org> # v3.19
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Diffstat (limited to 'fs/fuse')
| -rw-r--r-- | fs/fuse/inode.c | 25 |
1 files changed, 11 insertions, 14 deletions
diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c index eeab70e7904d..0115c2f0a428 100644 --- a/fs/fuse/inode.c +++ b/fs/fuse/inode.c | |||
| @@ -391,11 +391,6 @@ static void fuse_put_super(struct super_block *sb) | |||
| 391 | { | 391 | { |
| 392 | struct fuse_conn *fc = get_fuse_conn_super(sb); | 392 | struct fuse_conn *fc = get_fuse_conn_super(sb); |
| 393 | 393 | ||
| 394 | fuse_send_destroy(fc); | ||
| 395 | |||
| 396 | fuse_abort_conn(fc, false); | ||
| 397 | fuse_wait_aborted(fc); | ||
| 398 | |||
| 399 | mutex_lock(&fuse_mutex); | 394 | mutex_lock(&fuse_mutex); |
| 400 | list_del(&fc->entry); | 395 | list_del(&fc->entry); |
| 401 | fuse_ctl_remove_conn(fc); | 396 | fuse_ctl_remove_conn(fc); |
| @@ -1212,16 +1207,25 @@ static struct dentry *fuse_mount(struct file_system_type *fs_type, | |||
| 1212 | return mount_nodev(fs_type, flags, raw_data, fuse_fill_super); | 1207 | return mount_nodev(fs_type, flags, raw_data, fuse_fill_super); |
| 1213 | } | 1208 | } |
| 1214 | 1209 | ||
| 1215 | static void fuse_kill_sb_anon(struct super_block *sb) | 1210 | static void fuse_sb_destroy(struct super_block *sb) |
| 1216 | { | 1211 | { |
| 1217 | struct fuse_conn *fc = get_fuse_conn_super(sb); | 1212 | struct fuse_conn *fc = get_fuse_conn_super(sb); |
| 1218 | 1213 | ||
| 1219 | if (fc) { | 1214 | if (fc) { |
| 1215 | fuse_send_destroy(fc); | ||
| 1216 | |||
| 1217 | fuse_abort_conn(fc, false); | ||
| 1218 | fuse_wait_aborted(fc); | ||
| 1219 | |||
| 1220 | down_write(&fc->killsb); | 1220 | down_write(&fc->killsb); |
| 1221 | fc->sb = NULL; | 1221 | fc->sb = NULL; |
| 1222 | up_write(&fc->killsb); | 1222 | up_write(&fc->killsb); |
| 1223 | } | 1223 | } |
| 1224 | } | ||
| 1224 | 1225 | ||
| 1226 | static void fuse_kill_sb_anon(struct super_block *sb) | ||
| 1227 | { | ||
| 1228 | fuse_sb_destroy(sb); | ||
| 1225 | kill_anon_super(sb); | 1229 | kill_anon_super(sb); |
| 1226 | } | 1230 | } |
| 1227 | 1231 | ||
| @@ -1244,14 +1248,7 @@ static struct dentry *fuse_mount_blk(struct file_system_type *fs_type, | |||
| 1244 | 1248 | ||
| 1245 | static void fuse_kill_sb_blk(struct super_block *sb) | 1249 | static void fuse_kill_sb_blk(struct super_block *sb) |
| 1246 | { | 1250 | { |
| 1247 | struct fuse_conn *fc = get_fuse_conn_super(sb); | 1251 | fuse_sb_destroy(sb); |
| 1248 | |||
| 1249 | if (fc) { | ||
| 1250 | down_write(&fc->killsb); | ||
| 1251 | fc->sb = NULL; | ||
| 1252 | up_write(&fc->killsb); | ||
| 1253 | } | ||
| 1254 | |||
| 1255 | kill_block_super(sb); | 1252 | kill_block_super(sb); |
| 1256 | } | 1253 | } |
| 1257 | 1254 | ||