This is a note to let you know that I've just added the patch titled
fuse: fix leaked notify reply
to the 4.19-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
fuse-fix-leaked-notify-reply.patch
and it can be found in the queue-4.19 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From 7fabaf303458fcabb694999d6fa772cc13d4e217 Mon Sep 17 00:00:00 2001
From: Miklos Szeredi <mszeredi@xxxxxxxxxx>
Date: Fri, 9 Nov 2018 15:52:16 +0100
Subject: fuse: fix leaked notify reply
From: Miklos Szeredi <mszeredi@xxxxxxxxxx>
commit 7fabaf303458fcabb694999d6fa772cc13d4e217 upstream.
fuse_request_send_notify_reply() may fail if the connection was reset for
some reason (e.g. fs was unmounted). Don't leak request reference in this
case. Besides leaking memory, this resulted in fc->num_waiting not being
decremented and hence fuse_wait_aborted() left in a hanging and unkillable
state.
Fixes: 2d45ba381a74 ("fuse: add retrieve request")
Fixes: b8f95e5d13f5 ("fuse: umount should wait for all requests")
Reported-and-tested-by: syzbot+6339eda9cb4ebbc4c37b@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Miklos Szeredi <mszeredi@xxxxxxxxxx>
Cc: <stable@xxxxxxxxxxxxxxx> #v2.6.36
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
fs/fuse/dev.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1724,8 +1724,10 @@ static int fuse_retrieve(struct fuse_con
req->in.args[1].size = total_len;
err = fuse_request_send_notify_reply(fc, req, outarg->notify_unique);
- if (err)
+ if (err) {
fuse_retrieve_end(fc, req);
+ fuse_put_request(fc, req);
+ }
return err;
}
Patches currently in stable-queue which might be from mszeredi@xxxxxxxxxx are
queue-4.19/fuse-fix-possibly-missed-wake-up-after-abort.patch
queue-4.19/fuse-set-fr_sent-while-locked.patch
queue-4.19/ovl-check-whiteout-in-ovl_create_over_whiteout.patch
queue-4.19/fuse-fix-use-after-free-in-fuse_direct_io.patch
queue-4.19/fuse-fix-leaked-notify-reply.patch
queue-4.19/ovl-fix-recursive-oi-lock-in-ovl_link.patch
queue-4.19/ovl-fix-error-handling-in-ovl_verify_set_fh.patch
queue-4.19/vfs-fix-figetbsz-ioctl-on-an-overlayfs-file.patch
queue-4.19/ovl-automatically-enable-redirect_dir-on-metacopy-on.patch
queue-4.19/fuse-fix-use-after-free-in-fuse_dev_do_read.patch
queue-4.19/fuse-fix-use-after-free-in-fuse_dev_do_write.patch
queue-4.19/fuse-fix-blocked_waitq-wakeup.patch
