fuse: fix pipe_buf_operations

commit 28a625cbc2a14f17b83e47ef907b2658576a32aa upstream. Having this struct in module memory could Oops when if the module is unloaded while the buffer still persists in a pipe. Since sock_pipe_buf_ops is essentially the same as fuse_dev_pipe_buf_steal merge them into nosteal_pipe_buf_ops (this is the same as default_pipe_buf_ops except stealing the page from the buffer is not allowed). Reported-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Miklos Szeredi <mszeredi@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Miklos Szeredi <mszeredi@suse.cz> 2014-01-22 13:36:57 -0500
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2014-02-13 16:47:59 -0500
commit: d840f9899a6bc8bd88b3c87cd067ddf39a6ada45 (patch)
tree: 4ef436e091d32ac9f01fe9c8fd87c02246cfd5c6 /fs
parent: 329f4557c93a1aa769896155deefa363f01283e5 (diff)
2 files changed, 23 insertions, 17 deletions
diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index 1d55f9465400..23bf1a52a5da 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1296,22 +1296,6 @@ static ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
        return fuse_dev_do_read(fc, file, &cs, iov_length(iov, nr_segs));
 }
-static int fuse_dev_pipe_buf_steal(struct pipe_inode_info *pipe,
-                                   struct pipe_buffer *buf)
-{
-        return 1;
-}
-static const struct pipe_buf_operations fuse_dev_pipe_buf_ops = {
-        .can_merge = 0,
-        .map = generic_pipe_buf_map,
-        .unmap = generic_pipe_buf_unmap,
-        .confirm = generic_pipe_buf_confirm,
-        .release = generic_pipe_buf_release,
-        .steal = fuse_dev_pipe_buf_steal,
-        .get = generic_pipe_buf_get,
-};
 static ssize_t fuse_dev_splice_read(struct file *in, loff_t *ppos,
                                    struct pipe_inode_info *pipe,
                                    size_t len, unsigned int flags)
@@ -1358,7 +1342,11 @@ static ssize_t fuse_dev_splice_read(struct file *in, loff_t *ppos,
                buf->page = bufs[page_nr].page;
                buf->offset = bufs[page_nr].offset;
                buf->len = bufs[page_nr].len;
-                buf->ops = &fuse_dev_pipe_buf_ops;
+                /*
+                 * Need to be careful about this.  Having buf->ops in module
+                 * code can Oops if the buffer persists after module unload.
+                 */
+                buf->ops = &nosteal_pipe_buf_ops;
                pipe->nrbufs++;
                page_nr++;
diff --git a/fs/splice.c b/fs/splice.c
index d37431dd60a1..4b5a5fac3383 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -555,6 +555,24 @@ static const struct pipe_buf_operations default_pipe_buf_ops = {
        .get = generic_pipe_buf_get,
 };
+static int generic_pipe_buf_nosteal(struct pipe_inode_info *pipe,
+                                    struct pipe_buffer *buf)
+{
+        return 1;
+}
+/* Pipe buffer operations for a socket and similar. */
+const struct pipe_buf_operations nosteal_pipe_buf_ops = {
+        .can_merge = 0,
+        .map = generic_pipe_buf_map,
+        .unmap = generic_pipe_buf_unmap,
+        .confirm = generic_pipe_buf_confirm,
+        .release = generic_pipe_buf_release,
+        .steal = generic_pipe_buf_nosteal,
+        .get = generic_pipe_buf_get,
+};
+EXPORT_SYMBOL(nosteal_pipe_buf_ops);
 static ssize_t kernel_readv(struct file *file, const struct iovec *vec,
                            unsigned long vlen, loff_t offset)
 {
author	Miklos Szeredi <mszeredi@suse.cz>	2014-01-22 13:36:57 -0500
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2014-02-13 16:47:59 -0500
commit	d840f9899a6bc8bd88b3c87cd067ddf39a6ada45 (patch)
tree	4ef436e091d32ac9f01fe9c8fd87c02246cfd5c6 /fs
parent	329f4557c93a1aa769896155deefa363f01283e5 (diff)