Commit 45ff350b authored by Miklos Szeredi
fuse: fix unlocked access to processing queue



fuse_dev_release() assumes that it's the only one referencing the
fpq->processing list, but that's not true, since fuse_abort_conn() can be
doing the same without any serialization between the two.

Fixes: c3696046 ("fuse: separate pqueue for clones")
Cc: <stable@vger.kernel.org> # v4.2
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
parent 87114373
+7 −1
@@ -2150,9 +2150,15 @@ int fuse_dev_release(struct inode *inode, struct file *file)
	if (fud) {
		struct fuse_conn *fc = fud->fc;
		struct fuse_pqueue *fpq = &fud->pq;
		LIST_HEAD(to_end);

		spin_lock(&fpq->lock);
		WARN_ON(!list_empty(&fpq->io));
		end_requests(fc, &fpq->processing);
		list_splice_init(&fpq->processing, &to_end);
		spin_unlock(&fpq->lock);

		end_requests(fc, &to_end);

		/* Are we the last open device? */
		if (atomic_dec_and_test(&fc->dev_count)) {
			WARN_ON(fc->iq.fasync != NULL);
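Review bot: the splice of fpq->processing onto the local to_end list under fpq->lock only closes the race the commit message describes if fuse_abort_conn() takes the same fpq->lock when it walks fpq->processing; that side is not in this hunk, so please confirm it is covered by the same patch or already holds the lock, otherwise the lock taken here serializes nothing. A short comment above `list_splice_init(&fpq->processing, &to_end);` stating why the requests are moved to a private list and ended after `spin_unlock(&fpq->lock);` rather than ended in place would also help future readers, since the old `end_requests(fc, &fpq->processing);` call looked equivalent at a glance. Finally, the `WARN_ON(!list_empty(&fpq->io));` check is now made under the lock while the processing list is ended outside it; that ordering is fine, but worth a word in the comment so nobody later "simplifies" it back.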