This is a note to let you know that I've just added the patch titled

    fuse: fix leaked notify reply

to the 4.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
    fuse-fix-leaked-notify-reply.patch
and it can be found in the queue-4.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.

From 7fabaf303458fcabb694999d6fa772cc13d4e217 Mon Sep 17 00:00:00 2001
From: Miklos Szeredi <mszeredi@xxxxxxxxxx>
Date: Fri, 9 Nov 2018 15:52:16 +0100
Subject: fuse: fix leaked notify reply

From: Miklos Szeredi <mszeredi@xxxxxxxxxx>

commit 7fabaf303458fcabb694999d6fa772cc13d4e217 upstream.

fuse_request_send_notify_reply() may fail if the connection was reset for
some reason (e.g. fs was unmounted). Don't leak request reference in this
case. Besides leaking memory, this resulted in fc->num_waiting not being
decremented and hence fuse_wait_aborted() left in a hanging and unkillable
state.

Fixes: 2d45ba381a74 ("fuse: add retrieve request")
Fixes: b8f95e5d13f5 ("fuse: umount should wait for all requests")
Reported-and-tested-by: syzbot+6339eda9cb4ebbc4c37b@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Miklos Szeredi <mszeredi@xxxxxxxxxx>
Cc: <stable@xxxxxxxxxxxxxxx> #v2.6.36
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
 fs/fuse/dev.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/fuse/dev.c +++ b/fs/fuse/dev.c 
@@ -1724,8 +1724,10 @@ static int fuse_retrieve(struct fuse_con req->in.args[1].size = total_len; err = fuse_request_send_notify_reply(fc, req, outarg->notify_unique); - if (err) + if (err) { fuse_retrieve_end(fc, req); + fuse_put_request(fc, req); + } return err; } Patches currently in stable-queue which might be from mszeredi@xxxxxxxxxx are queue-4.19/fuse-fix-possibly-missed-wake-up-after-abort.patch queue-4.19/fuse-set-fr_sent-while-locked.patch queue-4.19/ovl-check-whiteout-in-ovl_create_over_whiteout.patch queue-4.19/fuse-fix-use-after-free-in-fuse_direct_io.patch queue-4.19/fuse-fix-leaked-notify-reply.patch queue-4.19/ovl-fix-recursive-oi-lock-in-ovl_link.patch queue-4.19/ovl-fix-error-handling-in-ovl_verify_set_fh.patch queue-4.19/vfs-fix-figetbsz-ioctl-on-an-overlayfs-file.patch queue-4.19/ovl-automatically-enable-redirect_dir-on-metacopy-on.patch queue-4.19/fuse-fix-use-after-free-in-fuse_dev_do_read.patch queue-4.19/fuse-fix-use-after-free-in-fuse_dev_do_write.patch queue-4.19/fuse-fix-blocked_waitq-wakeup.patch
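
Review bot: The new braced error branch at the end of fuse_retrieve() releases the request with two calls whose order matters, and nothing in the code says why. fuse_retrieve_end(fc, req) is still passed req, so fuse_put_request(fc, req) has to remain the last call in the branch; a one-line comment stating that the put drops the reference no reply will ever release when fuse_request_send_notify_reply() fails would keep a later cleanup from reordering or removing it. The hunk does not show where that reference is dropped when the send succeeds, so it is worth confirming against the 4.19 fs/fuse/dev.c that the success path still performs exactly one put, since the commit message ties a missed put to fc->num_waiting not being decremented and fuse_wait_aborted() hanging.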