releases/5.10.50/fuse-check-connected-before-queueing-on-fpq-io.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 80ef08670d4c28a06a3de954bd350368780bcfef Mon Sep 17 00:00:00 2001
 From: Miklos Szeredi <mszeredi@redhat.com>
 Date: Tue, 22 Jun 2021 09:15:35 +0200
 Subject: fuse: check connected before queueing on fpq->io

 From: Miklos Szeredi <mszeredi@redhat.com>

 commit 80ef08670d4c28a06a3de954bd350368780bcfef upstream.

 A request could end up on the fpq->io list after fuse_abort_conn() has
 reset fpq->connected and aborted requests on that list:

 Thread-1			  Thread-2
 ========			  ========
 ->fuse_simple_request()           ->shutdown
   ->__fuse_request_send()
     ->queue_request()		->fuse_abort_conn()
 ->fuse_dev_do_read()                ->acquire(fpq->lock)
   ->wait_for(fpq->lock) 	  ->set err to all req's in fpq->io
 				  ->release(fpq->lock)
   ->acquire(fpq->lock)
   ->add req to fpq->io

 After the userspace copy is done the request will be ended, but
 req->out.h.error will remain uninitialized.  Also the copy might block
 despite being already aborted.

 Fix both issues by not allowing the request to be queued on the fpq->io
 list after fuse_abort_conn() has processed this list.

 Reported-by: Pradeep P V K <pragalla@codeaurora.org>
 Fixes: fd22d62ed0c3 ("fuse: no fc->lock for iqueue parts")
 Cc: <stable@vger.kernel.org> # v4.2
 Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  fs/fuse/dev.c |    9 +++++++++
  1 file changed, 9 insertions(+)

 --- a/fs/fuse/dev.c
 +++ b/fs/fuse/dev.c
 @@ -1276,6 +1276,15 @@ static ssize_t fuse_dev_do_read(struct f
  		goto restart;
  	}
  	spin_lock(&fpq->lock);
 +	/*
 +	 *  Must not put request on fpq->io queue after having been shut down by
 +	 *  fuse_abort_conn()
 +	 */
 +	if (!fpq->connected) {
 +		req->out.h.error = err = -ECONNABORTED;
 +		goto out_end;
 +
 +	}
  	list_add(&req->list, &fpq->io);
  	spin_unlock(&fpq->lock);
  	cs->req = req;
	From 80ef08670d4c28a06a3de954bd350368780bcfef Mon Sep 17 00:00:00 2001
	From: Miklos Szeredi <mszeredi@redhat.com>
	Date: Tue, 22 Jun 2021 09:15:35 +0200
	Subject: fuse: check connected before queueing on fpq->io

	From: Miklos Szeredi <mszeredi@redhat.com>

	commit 80ef08670d4c28a06a3de954bd350368780bcfef upstream.

	A request could end up on the fpq->io list after fuse_abort_conn() has
	reset fpq->connected and aborted requests on that list:

	Thread-1 Thread-2
	======== ========
	->fuse_simple_request() ->shutdown
	->__fuse_request_send()
	->queue_request() ->fuse_abort_conn()
	->fuse_dev_do_read() ->acquire(fpq->lock)
	->wait_for(fpq->lock) ->set err to all req's in fpq->io
	->release(fpq->lock)
	->acquire(fpq->lock)
	->add req to fpq->io

	After the userspace copy is done the request will be ended, but
	req->out.h.error will remain uninitialized. Also the copy might block
	despite being already aborted.

	Fix both issues by not allowing the request to be queued on the fpq->io
	list after fuse_abort_conn() has processed this list.

	Reported-by: Pradeep P V K <pragalla@codeaurora.org>
	Fixes: fd22d62ed0c3 ("fuse: no fc->lock for iqueue parts")
	Cc: <stable@vger.kernel.org> # v4.2
	Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	fs/fuse/dev.c \| 9 +++++++++
	1 file changed, 9 insertions(+)

	--- a/fs/fuse/dev.c
	+++ b/fs/fuse/dev.c
	@@ -1276,6 +1276,15 @@ static ssize_t fuse_dev_do_read(struct f
	goto restart;
	}
	spin_lock(&fpq->lock);
	+ /*
	+ * Must not put request on fpq->io queue after having been shut down by
	+ * fuse_abort_conn()
	+ */
	+ if (!fpq->connected) {
	+ req->out.h.error = err = -ECONNABORTED;
	+ goto out_end;
	+
	+ }
	list_add(&req->list, &fpq->io);
	spin_unlock(&fpq->lock);
	cs->req = req;