mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-10-27 22:51:31 +00:00
fuse fixes for 5.15-rc7
-----BEGIN PGP SIGNATURE----- iHUEABYIAB0WIQSQHSd0lITzzeNWNm3h3BK/laaZPAUCYXLSYQAKCRDh3BK/laaZ PEfYAQCZcGVboa5uIrCYmVnEgXXf5NX0UrrM0ytvnVssGcgUOQEA8nAx3hwyvwvS onA14DgXIz3koEE48PWv3gbJdpL/kAM= =R0ip -----END PGP SIGNATURE----- Merge tag 'fuse-fixes-5.15-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse Pull fuse fixes from Miklos Szeredi: "Syzbot discovered a race in case of reusing the fuse sb (introduced in this cycle). Fix it by doing the s_fs_info initialization at the proper place" * tag 'fuse-fixes-5.15-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse: fuse: clean up error exits in fuse_fill_super() fuse: always initialize sb->s_fs_info fuse: clean up fuse_mount destruction fuse: get rid of fuse_put_super() fuse: check s_root when destroying sb
This commit is contained in:
commit
5ab2ed0a8d
3 changed files with 46 additions and 56 deletions
|
@ -1121,6 +1121,9 @@ int fuse_init_fs_context_submount(struct fs_context *fsc);
|
||||||
*/
|
*/
|
||||||
void fuse_conn_destroy(struct fuse_mount *fm);
|
void fuse_conn_destroy(struct fuse_mount *fm);
|
||||||
|
|
||||||
|
/* Drop the connection and free the fuse mount */
|
||||||
|
void fuse_mount_destroy(struct fuse_mount *fm);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Add connection to control filesystem
|
* Add connection to control filesystem
|
||||||
*/
|
*/
|
||||||
|
|
|
@ -457,14 +457,6 @@ static void fuse_send_destroy(struct fuse_mount *fm)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
static void fuse_put_super(struct super_block *sb)
|
|
||||||
{
|
|
||||||
struct fuse_mount *fm = get_fuse_mount_super(sb);
|
|
||||||
|
|
||||||
fuse_conn_put(fm->fc);
|
|
||||||
kfree(fm);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void convert_fuse_statfs(struct kstatfs *stbuf, struct fuse_kstatfs *attr)
|
static void convert_fuse_statfs(struct kstatfs *stbuf, struct fuse_kstatfs *attr)
|
||||||
{
|
{
|
||||||
stbuf->f_type = FUSE_SUPER_MAGIC;
|
stbuf->f_type = FUSE_SUPER_MAGIC;
|
||||||
|
@ -1003,7 +995,6 @@ static const struct super_operations fuse_super_operations = {
|
||||||
.evict_inode = fuse_evict_inode,
|
.evict_inode = fuse_evict_inode,
|
||||||
.write_inode = fuse_write_inode,
|
.write_inode = fuse_write_inode,
|
||||||
.drop_inode = generic_delete_inode,
|
.drop_inode = generic_delete_inode,
|
||||||
.put_super = fuse_put_super,
|
|
||||||
.umount_begin = fuse_umount_begin,
|
.umount_begin = fuse_umount_begin,
|
||||||
.statfs = fuse_statfs,
|
.statfs = fuse_statfs,
|
||||||
.sync_fs = fuse_sync_fs,
|
.sync_fs = fuse_sync_fs,
|
||||||
|
@ -1424,20 +1415,17 @@ static int fuse_get_tree_submount(struct fs_context *fsc)
|
||||||
if (!fm)
|
if (!fm)
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
|
|
||||||
|
fm->fc = fuse_conn_get(fc);
|
||||||
fsc->s_fs_info = fm;
|
fsc->s_fs_info = fm;
|
||||||
sb = sget_fc(fsc, NULL, set_anon_super_fc);
|
sb = sget_fc(fsc, NULL, set_anon_super_fc);
|
||||||
if (IS_ERR(sb)) {
|
if (fsc->s_fs_info)
|
||||||
kfree(fm);
|
fuse_mount_destroy(fm);
|
||||||
|
if (IS_ERR(sb))
|
||||||
return PTR_ERR(sb);
|
return PTR_ERR(sb);
|
||||||
}
|
|
||||||
fm->fc = fuse_conn_get(fc);
|
|
||||||
|
|
||||||
/* Initialize superblock, making @mp_fi its root */
|
/* Initialize superblock, making @mp_fi its root */
|
||||||
err = fuse_fill_super_submount(sb, mp_fi);
|
err = fuse_fill_super_submount(sb, mp_fi);
|
||||||
if (err) {
|
if (err) {
|
||||||
fuse_conn_put(fc);
|
|
||||||
kfree(fm);
|
|
||||||
sb->s_fs_info = NULL;
|
|
||||||
deactivate_locked_super(sb);
|
deactivate_locked_super(sb);
|
||||||
return err;
|
return err;
|
||||||
}
|
}
|
||||||
|
@ -1569,8 +1557,6 @@ static int fuse_fill_super(struct super_block *sb, struct fs_context *fsc)
|
||||||
{
|
{
|
||||||
struct fuse_fs_context *ctx = fsc->fs_private;
|
struct fuse_fs_context *ctx = fsc->fs_private;
|
||||||
int err;
|
int err;
|
||||||
struct fuse_conn *fc;
|
|
||||||
struct fuse_mount *fm;
|
|
||||||
|
|
||||||
if (!ctx->file || !ctx->rootmode_present ||
|
if (!ctx->file || !ctx->rootmode_present ||
|
||||||
!ctx->user_id_present || !ctx->group_id_present)
|
!ctx->user_id_present || !ctx->group_id_present)
|
||||||
|
@ -1580,42 +1566,18 @@ static int fuse_fill_super(struct super_block *sb, struct fs_context *fsc)
|
||||||
* Require mount to happen from the same user namespace which
|
* Require mount to happen from the same user namespace which
|
||||||
* opened /dev/fuse to prevent potential attacks.
|
* opened /dev/fuse to prevent potential attacks.
|
||||||
*/
|
*/
|
||||||
err = -EINVAL;
|
|
||||||
if ((ctx->file->f_op != &fuse_dev_operations) ||
|
if ((ctx->file->f_op != &fuse_dev_operations) ||
|
||||||
(ctx->file->f_cred->user_ns != sb->s_user_ns))
|
(ctx->file->f_cred->user_ns != sb->s_user_ns))
|
||||||
goto err;
|
return -EINVAL;
|
||||||
ctx->fudptr = &ctx->file->private_data;
|
ctx->fudptr = &ctx->file->private_data;
|
||||||
|
|
||||||
fc = kmalloc(sizeof(*fc), GFP_KERNEL);
|
|
||||||
err = -ENOMEM;
|
|
||||||
if (!fc)
|
|
||||||
goto err;
|
|
||||||
|
|
||||||
fm = kzalloc(sizeof(*fm), GFP_KERNEL);
|
|
||||||
if (!fm) {
|
|
||||||
kfree(fc);
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
|
|
||||||
fuse_conn_init(fc, fm, sb->s_user_ns, &fuse_dev_fiq_ops, NULL);
|
|
||||||
fc->release = fuse_free_conn;
|
|
||||||
|
|
||||||
sb->s_fs_info = fm;
|
|
||||||
|
|
||||||
err = fuse_fill_super_common(sb, ctx);
|
err = fuse_fill_super_common(sb, ctx);
|
||||||
if (err)
|
if (err)
|
||||||
goto err_put_conn;
|
return err;
|
||||||
/* file->private_data shall be visible on all CPUs after this */
|
/* file->private_data shall be visible on all CPUs after this */
|
||||||
smp_mb();
|
smp_mb();
|
||||||
fuse_send_init(get_fuse_mount_super(sb));
|
fuse_send_init(get_fuse_mount_super(sb));
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
err_put_conn:
|
|
||||||
fuse_conn_put(fc);
|
|
||||||
kfree(fm);
|
|
||||||
sb->s_fs_info = NULL;
|
|
||||||
err:
|
|
||||||
return err;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -1637,22 +1599,40 @@ static int fuse_get_tree(struct fs_context *fsc)
|
||||||
{
|
{
|
||||||
struct fuse_fs_context *ctx = fsc->fs_private;
|
struct fuse_fs_context *ctx = fsc->fs_private;
|
||||||
struct fuse_dev *fud;
|
struct fuse_dev *fud;
|
||||||
|
struct fuse_conn *fc;
|
||||||
|
struct fuse_mount *fm;
|
||||||
struct super_block *sb;
|
struct super_block *sb;
|
||||||
int err;
|
int err;
|
||||||
|
|
||||||
|
fc = kmalloc(sizeof(*fc), GFP_KERNEL);
|
||||||
|
if (!fc)
|
||||||
|
return -ENOMEM;
|
||||||
|
|
||||||
|
fm = kzalloc(sizeof(*fm), GFP_KERNEL);
|
||||||
|
if (!fm) {
|
||||||
|
kfree(fc);
|
||||||
|
return -ENOMEM;
|
||||||
|
}
|
||||||
|
|
||||||
|
fuse_conn_init(fc, fm, fsc->user_ns, &fuse_dev_fiq_ops, NULL);
|
||||||
|
fc->release = fuse_free_conn;
|
||||||
|
|
||||||
|
fsc->s_fs_info = fm;
|
||||||
|
|
||||||
if (ctx->fd_present)
|
if (ctx->fd_present)
|
||||||
ctx->file = fget(ctx->fd);
|
ctx->file = fget(ctx->fd);
|
||||||
|
|
||||||
if (IS_ENABLED(CONFIG_BLOCK) && ctx->is_bdev) {
|
if (IS_ENABLED(CONFIG_BLOCK) && ctx->is_bdev) {
|
||||||
err = get_tree_bdev(fsc, fuse_fill_super);
|
err = get_tree_bdev(fsc, fuse_fill_super);
|
||||||
goto out_fput;
|
goto out;
|
||||||
}
|
}
|
||||||
/*
|
/*
|
||||||
* While block dev mount can be initialized with a dummy device fd
|
* While block dev mount can be initialized with a dummy device fd
|
||||||
* (found by device name), normal fuse mounts can't
|
* (found by device name), normal fuse mounts can't
|
||||||
*/
|
*/
|
||||||
|
err = -EINVAL;
|
||||||
if (!ctx->file)
|
if (!ctx->file)
|
||||||
return -EINVAL;
|
goto out;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Allow creating a fuse mount with an already initialized fuse
|
* Allow creating a fuse mount with an already initialized fuse
|
||||||
|
@ -1668,7 +1648,9 @@ static int fuse_get_tree(struct fs_context *fsc)
|
||||||
} else {
|
} else {
|
||||||
err = get_tree_nodev(fsc, fuse_fill_super);
|
err = get_tree_nodev(fsc, fuse_fill_super);
|
||||||
}
|
}
|
||||||
out_fput:
|
out:
|
||||||
|
if (fsc->s_fs_info)
|
||||||
|
fuse_mount_destroy(fm);
|
||||||
if (ctx->file)
|
if (ctx->file)
|
||||||
fput(ctx->file);
|
fput(ctx->file);
|
||||||
return err;
|
return err;
|
||||||
|
@ -1747,17 +1729,25 @@ static void fuse_sb_destroy(struct super_block *sb)
|
||||||
struct fuse_mount *fm = get_fuse_mount_super(sb);
|
struct fuse_mount *fm = get_fuse_mount_super(sb);
|
||||||
bool last;
|
bool last;
|
||||||
|
|
||||||
if (fm) {
|
if (sb->s_root) {
|
||||||
last = fuse_mount_remove(fm);
|
last = fuse_mount_remove(fm);
|
||||||
if (last)
|
if (last)
|
||||||
fuse_conn_destroy(fm);
|
fuse_conn_destroy(fm);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void fuse_mount_destroy(struct fuse_mount *fm)
|
||||||
|
{
|
||||||
|
fuse_conn_put(fm->fc);
|
||||||
|
kfree(fm);
|
||||||
|
}
|
||||||
|
EXPORT_SYMBOL(fuse_mount_destroy);
|
||||||
|
|
||||||
static void fuse_kill_sb_anon(struct super_block *sb)
|
static void fuse_kill_sb_anon(struct super_block *sb)
|
||||||
{
|
{
|
||||||
fuse_sb_destroy(sb);
|
fuse_sb_destroy(sb);
|
||||||
kill_anon_super(sb);
|
kill_anon_super(sb);
|
||||||
|
fuse_mount_destroy(get_fuse_mount_super(sb));
|
||||||
}
|
}
|
||||||
|
|
||||||
static struct file_system_type fuse_fs_type = {
|
static struct file_system_type fuse_fs_type = {
|
||||||
|
@ -1775,6 +1765,7 @@ static void fuse_kill_sb_blk(struct super_block *sb)
|
||||||
{
|
{
|
||||||
fuse_sb_destroy(sb);
|
fuse_sb_destroy(sb);
|
||||||
kill_block_super(sb);
|
kill_block_super(sb);
|
||||||
|
fuse_mount_destroy(get_fuse_mount_super(sb));
|
||||||
}
|
}
|
||||||
|
|
||||||
static struct file_system_type fuseblk_fs_type = {
|
static struct file_system_type fuseblk_fs_type = {
|
||||||
|
|
|
@ -1394,12 +1394,13 @@ static void virtio_kill_sb(struct super_block *sb)
|
||||||
bool last;
|
bool last;
|
||||||
|
|
||||||
/* If mount failed, we can still be called without any fc */
|
/* If mount failed, we can still be called without any fc */
|
||||||
if (fm) {
|
if (sb->s_root) {
|
||||||
last = fuse_mount_remove(fm);
|
last = fuse_mount_remove(fm);
|
||||||
if (last)
|
if (last)
|
||||||
virtio_fs_conn_destroy(fm);
|
virtio_fs_conn_destroy(fm);
|
||||||
}
|
}
|
||||||
kill_anon_super(sb);
|
kill_anon_super(sb);
|
||||||
|
fuse_mount_destroy(fm);
|
||||||
}
|
}
|
||||||
|
|
||||||
static int virtio_fs_test_super(struct super_block *sb,
|
static int virtio_fs_test_super(struct super_block *sb,
|
||||||
|
@ -1455,19 +1456,14 @@ static int virtio_fs_get_tree(struct fs_context *fsc)
|
||||||
|
|
||||||
fsc->s_fs_info = fm;
|
fsc->s_fs_info = fm;
|
||||||
sb = sget_fc(fsc, virtio_fs_test_super, set_anon_super_fc);
|
sb = sget_fc(fsc, virtio_fs_test_super, set_anon_super_fc);
|
||||||
if (fsc->s_fs_info) {
|
if (fsc->s_fs_info)
|
||||||
fuse_conn_put(fc);
|
fuse_mount_destroy(fm);
|
||||||
kfree(fm);
|
|
||||||
}
|
|
||||||
if (IS_ERR(sb))
|
if (IS_ERR(sb))
|
||||||
return PTR_ERR(sb);
|
return PTR_ERR(sb);
|
||||||
|
|
||||||
if (!sb->s_root) {
|
if (!sb->s_root) {
|
||||||
err = virtio_fs_fill_super(sb, fsc);
|
err = virtio_fs_fill_super(sb, fsc);
|
||||||
if (err) {
|
if (err) {
|
||||||
fuse_conn_put(fc);
|
|
||||||
kfree(fm);
|
|
||||||
sb->s_fs_info = NULL;
|
|
||||||
deactivate_locked_super(sb);
|
deactivate_locked_super(sb);
|
||||||
return err;
|
return err;
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue