From: Greg Kurz <gkurz@redhat.com>
To: Miklos Szeredi <mszeredi@redhat.com>
Cc: fuse-devel@lists.linux.dev,
"Aurélien Bombo" <abombo@microsoft.com>,
stable@vger.kernel.org
Subject: Re: [PATCH] virtiofs: fix UAF on submount umount
Date: Thu, 28 May 2026 17:43:18 +0200
Message-ID: <20260528174318.2d97e373@bahia>
In-Reply-To: <20260528142306.1792392-1-mszeredi@redhat.com>
On Thu, 28 May 2026 16:23:05 +0200
Miklos Szeredi <mszeredi@redhat.com> wrote:
> iput() called from fuse_release_end() can Oops if the super block has
> already been destroyed. Normally this is prevented by waiting for
> num_waiting to go down to zero before commencing with super block shutdown.
>
> This only works, however, for the last submount instance, as the wait
> counter is per connection, not per superblock.
>
> Revert to using synchronous release requests for the auto_submounts case,
> which is virtiofs only at this time.
>
> Reported-by: Aurélien Bombo <abombo@microsoft.com>
> Cc: Greg Kurz <gkurz@redhat.com>
> Closes: https://github.com/kata-containers/kata-containers/issues/12589
> Fixes: 26e5c67deb2e ("fuse: fix livelock in synchronous file put from fuseblk workers")
> Cc: stable@vger.kernel.org
> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
> ---
Great, thanks for the quick fix Miklos!
FWIW
Reviewed-by: Greg Kurz <gkurz@redhat.com>
> fs/fuse/file.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/fs/fuse/file.c b/fs/fuse/file.c
> index 3bdab8d03373..e8833e2a6610 100644
> --- a/fs/fuse/file.c
> +++ b/fs/fuse/file.c
> @@ -380,8 +380,14 @@ void fuse_file_release(struct inode *inode, struct fuse_file *ff,
> * aio and closes the fd before the aio completes. Since aio takes its
> * own ref to the file, the IO completion has to drop the ref, which is
> * how the fuse server can end up closing its clients' files.
> + *
> + * Exception is virtio-fs, which is not affected by the above (server is
> + * on host, cannot close open files in guest). Virtio-fs needs sync
> + * release, because the num_waiting mechanism to wait for all requests
> + * before commencing with fs shutdown doesn't work if submounts are
> + * used.
> */
> - fuse_file_put(ff, false);
> + fuse_file_put(ff, ff->fm->fc->auto_submounts);
> }
>
> void fuse_release_common(struct file *file, bool isdir)
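Review bot: the new comment block presents the exception as "virtio-fs", but the condition actually passed to fuse_file_put() is ff->fm->fc->auto_submounts, and the commit message itself says auto_submounts is virtiofs-only "at this time". Any future backend that enables auto_submounts will silently get synchronous release, and with it the livelock that 26e5c67deb2e ("fuse: fix livelock in synchronous file put from fuseblk workers") removed. Suggest wording the comment around the real key, e.g. "* Connections with auto_submounts need sync release, because the per-connection num_waiting wait cannot cover per-superblock submounts", so the rationale and the condition stay in step if another filesystem adopts submounts.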
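Added illustration (not part of this thread and not kernel code): a small userspace C model of the race the commit message describes. Two superblocks (root and one submount) share one connection; the in-flight release counter lives on the connection, so only the last superblock to shut down waits for it, and a background release that still references an earlier submount's inode lands on a destroyed superblock. All struct and function names (conn, super_block, model_file_put, model_sb_shutdown, simulate) are invented stand-ins for fuse_conn, fuse_file_put() and superblock shutdown; the "UAF" is detected by a flag rather than by real memory reuse.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of the mechanism in the commit message: num_waiting is counted
 * per connection, while superblocks are per submount, so "wait on the last
 * submount only" cannot protect an earlier submount's superblock. */

struct conn {
    int num_waiting;     /* in-flight async release requests on this connection */
    int nr_sb;           /* live superblocks sharing this connection */
    bool auto_submounts; /* the flag the patch keys synchronous release on */
};

struct super_block {
    struct conn *fc;
    bool alive;          /* false once the superblock has been torn down */
    const char *name;
};

/* One queued background release, holding an inode reference that belongs
 * to sb (modelled as just the sb pointer). */
struct release_req {
    struct super_block *sb;
};

#define MAX_PENDING 8
static struct release_req pending[MAX_PENDING];
static int nr_pending;

/* Model of iput(): returns 1 if it ran against a destroyed superblock. */
static int model_iput(struct super_block *sb)
{
    if (!sb->alive) {
        printf("UAF: iput() on destroyed superblock %s\n", sb->name);
        return 1;
    }
    return 0;
}

/* Background workers completing queued releases. The connection outlives
 * every superblock, so touching sb->fc afterwards is fine in the model. */
static int run_pending(void)
{
    int uaf = 0;
    for (int i = 0; i < nr_pending; i++) {
        uaf += model_iput(pending[i].sb);
        pending[i].sb->fc->num_waiting--;
    }
    nr_pending = 0;
    return uaf;
}

/* Model of fuse_file_put(ff, sync): a sync release completes before
 * returning; an async one is queued and counted in fc->num_waiting. */
static int model_file_put(struct super_block *sb, bool sync)
{
    if (sync)
        return model_iput(sb);
    sb->fc->num_waiting++;
    pending[nr_pending++] = (struct release_req){ .sb = sb };
    return 0;
}

/* Model of superblock shutdown: only the last superblock on the connection
 * waits for num_waiting to drop to zero, mirroring the per-connection wait. */
static int model_sb_shutdown(struct super_block *sb)
{
    int uaf = 0;
    if (--sb->fc->nr_sb == 0)
        uaf += run_pending();   /* wait until num_waiting == 0 */
    sb->alive = false;          /* superblock freed */
    return uaf;
}

/* Scenario from the report: close a file on the submount, unmount the
 * submount while the root mount stays up, then let background releases
 * run. Returns the number of iput() calls on a destroyed superblock. */
int simulate(bool sync_release)
{
    struct conn fc = { .num_waiting = 0, .nr_sb = 2, .auto_submounts = sync_release };
    struct super_block root = { .fc = &fc, .alive = true, .name = "root" };
    struct super_block sub  = { .fc = &fc, .alive = true, .name = "submount" };
    int uaf = 0;

    nr_pending = 0;
    uaf += model_file_put(&sub, fc.auto_submounts); /* close(fd) on the submount */
    uaf += model_sb_shutdown(&sub);                 /* umount submount: not last, no wait */
    uaf += run_pending();                           /* queued release fires now */
    uaf += model_sb_shutdown(&root);                /* umount root: last, waits (nothing left) */
    return uaf;
}

int main(void)
{
    printf("async release (pre-patch): %d UAF\n", simulate(false));
    printf("sync release  (patched):   %d UAF\n", simulate(true));
    return 0;
}
```

With asynchronous release the submount's superblock is torn down before the queued release runs, so the model reports one iput() on a dead superblock; with synchronous release (what the patch selects when auto_submounts is set) the release completes inside close() and the count is zero. A per-superblock wait counter would be the other way to close the window, which is why the reviewer note above suggests the comment name the real condition.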
Thread overview: 2+ messages
2026-05-28 14:23 [PATCH] virtiofs: fix UAF on submount umount Miklos Szeredi
2026-05-28 15:43 ` Greg Kurz [this message]