| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <lsq.1556377989.28395121@decadent.org.uk>
Date: Sat, 27 Apr 2019 16:13:09 +0100
From: Ben Hutchings <ben@...adent.org.uk>
To: linux-kernel@...r.kernel.org, stable@...r.kernel.org
CC: akpm@...ux-foundation.org, Denis Kirjanov <kda@...ux-powerpc.org>,
"Miklos Szeredi" <mszeredi@...hat.com>,
"Jann Horn" <jannh@...gle.com>
Subject: [PATCH 3.16 044/202] fuse: call pipe_buf_release() under pipe lock
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jann Horn <jannh@...gle.com>
commit 9509941e9c534920ccc4771ae70bd6cbbe79df1c upstream.
Some of the pipe_buf_release() handlers seem to assume that the pipe is
locked - in particular, anon_pipe_buf_release() accesses pipe->tmp_page
without taking any extra locks. From a glance through the callers of
pipe_buf_release(), it looks like FUSE is the only one that calls
pipe_buf_release() without having the pipe locked.
This bug should only lead to a memory leak, nothing terrible.
Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device")
Signed-off-by: Jann Horn <jannh@...gle.com>
Signed-off-by: Miklos Szeredi <mszeredi@...hat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@...adent.org.uk>
---
fs/fuse/dev.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1978,10 +1978,12 @@ static ssize_t fuse_dev_splice_write(str
ret = fuse_dev_do_write(fc, &cs, len);
+ pipe_lock(pipe);
for (idx = 0; idx < nbuf; idx++) {
struct pipe_buffer *buf = &bufs[idx];
buf->ops->release(pipe, buf);
}
+ pipe_unlock(pipe);
out:
kfree(bufs);
return ret;
Powered by blists - more mailing lists