linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH 0/2] fuse: Fix missing fuse_copy_finish in dev_uring.c
@ 2025-10-21 20:46 Bernd Schubert
  2025-10-21 20:46 ` [PATCH 1/2] fuse: missing copy_finish in fuse-over-io-uring argument copies Bernd Schubert
  2025-10-21 20:46 ` [PATCH 2/2] fuse: Fix whitespace for fuse_uring_args_to_ring() comment Bernd Schubert
  0 siblings, 2 replies; 6+ messages in thread
From: Bernd Schubert @ 2025-10-21 20:46 UTC (permalink / raw)
  To: Miklos Szeredi
  Cc: Luis Henriques, Joanne Koong, Miklos Szeredi, linux-fsdevel,
	Bernd Schubert, Cheng Ding, stable

Both argument copies in dev_uring.c miss fuse_copy_finish.

Signed-off-by: Bernd Schubert <bschubert@ddn.com>
---
Bernd Schubert (1):
      fuse: Fix whitespace for fuse_uring_args_to_ring() comment

Cheng Ding (1):
      fuse: missing copy_finish in fuse-over-io-uring argument copies

 fs/fuse/dev.c        |  2 +-
 fs/fuse/dev_uring.c  | 18 ++++++++++++------
 fs/fuse/fuse_dev_i.h |  1 +
 3 files changed, 14 insertions(+), 7 deletions(-)
---
base-commit: 6548d364a3e850326831799d7e3ea2d7bb97ba08
change-id: 20251021-io-uring-fixes-copy-finish-07ae602e2ab1

Best regards,
-- 
Bernd Schubert <bschubert@ddn.com>


^ permalink raw reply	[flat|nested] 6+ messages in thread
* [PATCH 1/2] fuse: missing copy_finish in fuse-over-io-uring argument copies
  2025-10-21 20:46 [PATCH 0/2] fuse: Fix missing fuse_copy_finish in dev_uring.c Bernd Schubert
@ 2025-10-21 20:46 ` Bernd Schubert
  2025-10-31 21:30   ` Joanne Koong
  2025-10-21 20:46 ` [PATCH 2/2] fuse: Fix whitespace for fuse_uring_args_to_ring() comment Bernd Schubert
  1 sibling, 1 reply; 6+ messages in thread
From: Bernd Schubert @ 2025-10-21 20:46 UTC (permalink / raw)
  To: Miklos Szeredi
  Cc: Luis Henriques, Joanne Koong, Miklos Szeredi, linux-fsdevel,
	Bernd Schubert, Cheng Ding, stable

From: Cheng Ding <cding@ddn.com>

Fix a possible reference count leak of payload pages during
fuse argument copies.

Fixes: c090c8abae4b ("fuse: Add io-uring sqe commit and fetch support")
Cc: <stable@vger.kernel.org> # v6.14
Signed-off-by: Cheng Ding <cding@ddn.com>
Signed-off-by: Bernd Schubert <bschubert@ddn.com>
---
 fs/fuse/dev.c        |  2 +-
 fs/fuse/dev_uring.c  | 12 +++++++++---
 fs/fuse/fuse_dev_i.h |  1 +
 3 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index 132f38619d70720ce74eedc002a7b8f31e760a61..49b18d7accb39927e49bc3814ad2c3e51db84bb4 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -846,7 +846,7 @@ void fuse_copy_init(struct fuse_copy_state *cs, bool write,
 }
 
 /* Unmap and put previous page of userspace buffer */
-static void fuse_copy_finish(struct fuse_copy_state *cs)
+void fuse_copy_finish(struct fuse_copy_state *cs)
 {
 	if (cs->currbuf) {
 		struct pipe_buffer *buf = cs->currbuf;
diff --git a/fs/fuse/dev_uring.c b/fs/fuse/dev_uring.c
index f6b12aebb8bbe7d255980593b75b5fb5af9c669e..3721c2d91627f5438b6997df3de63734704e56ff 100644
--- a/fs/fuse/dev_uring.c
+++ b/fs/fuse/dev_uring.c
@@ -598,7 +598,9 @@ static int fuse_uring_copy_from_ring(struct fuse_ring *ring,
 	cs.is_uring = true;
 	cs.req = req;
 
-	return fuse_copy_out_args(&cs, args, ring_in_out.payload_sz);
+	err = fuse_copy_out_args(&cs, args, ring_in_out.payload_sz);
+	fuse_copy_finish(&cs);
+	return err;
 }
 
  /*
@@ -651,13 +653,17 @@ static int fuse_uring_args_to_ring(struct fuse_ring *ring, struct fuse_req *req,
 			     (struct fuse_arg *)in_args, 0);
 	if (err) {
 		pr_info_ratelimited("%s fuse_copy_args failed\n", __func__);
-		return err;
+		goto copy_finish;
 	}
 
 	ent_in_out.payload_sz = cs.ring.copied_sz;
 	err = copy_to_user(&ent->headers->ring_ent_in_out, &ent_in_out,
 			   sizeof(ent_in_out));
-	return err ? -EFAULT : 0;
+	if (err)
+		err = -EFAULT;
+copy_finish:
+	fuse_copy_finish(&cs);
+	return err;
 }
 
 static int fuse_uring_copy_to_ring(struct fuse_ring_ent *ent,
diff --git a/fs/fuse/fuse_dev_i.h b/fs/fuse/fuse_dev_i.h
index 6e8373f970409e83efdc5d5cfc3d943a8948d3a7..134bf44aff0d39ae8d5d47cf1518efcf2f1cfc23 100644
--- a/fs/fuse/fuse_dev_i.h
+++ b/fs/fuse/fuse_dev_i.h
@@ -62,6 +62,7 @@ void fuse_dev_end_requests(struct list_head *head);
 
 void fuse_copy_init(struct fuse_copy_state *cs, bool write,
 			   struct iov_iter *iter);
+void fuse_copy_finish(struct fuse_copy_state *cs);
 int fuse_copy_args(struct fuse_copy_state *cs, unsigned int numargs,
 		   unsigned int argpages, struct fuse_arg *args,
 		   int zeroing);

-- 
2.43.0


^ permalink raw reply related	[flat|nested] 6+ messages in thread
* [PATCH 2/2] fuse: Fix whitespace for fuse_uring_args_to_ring() comment
  2025-10-21 20:46 [PATCH 0/2] fuse: Fix missing fuse_copy_finish in dev_uring.c Bernd Schubert
  2025-10-21 20:46 ` [PATCH 1/2] fuse: missing copy_finish in fuse-over-io-uring argument copies Bernd Schubert
@ 2025-10-21 20:46 ` Bernd Schubert
  2025-11-11 13:46   ` Miklos Szeredi
  1 sibling, 1 reply; 6+ messages in thread
From: Bernd Schubert @ 2025-10-21 20:46 UTC (permalink / raw)
  To: Miklos Szeredi
  Cc: Luis Henriques, Joanne Koong, Miklos Szeredi, linux-fsdevel,
	Bernd Schubert

The function comment accidentally got wrong indentation.

Signed-off-by: Bernd Schubert <bschubert@ddn.com>
---
 fs/fuse/dev_uring.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/fs/fuse/dev_uring.c b/fs/fuse/dev_uring.c
index 3721c2d91627f5438b6997df3de63734704e56ff..670964862fb1ed4f3ce8712a1f828e6a5702fab4 100644
--- a/fs/fuse/dev_uring.c
+++ b/fs/fuse/dev_uring.c
@@ -603,9 +603,9 @@ static int fuse_uring_copy_from_ring(struct fuse_ring *ring,
 	return err;
 }
 
- /*
-  * Copy data from the req to the ring buffer
-  */
+/*
+ * Copy data from the req to the ring buffer
+ */
 static int fuse_uring_args_to_ring(struct fuse_ring *ring, struct fuse_req *req,
 				   struct fuse_ring_ent *ent)
 {

-- 
2.43.0


^ permalink raw reply related	[flat|nested] 6+ messages in thread
* Re: [PATCH 1/2] fuse: missing copy_finish in fuse-over-io-uring argument copies
  2025-10-21 20:46 ` [PATCH 1/2] fuse: missing copy_finish in fuse-over-io-uring argument copies Bernd Schubert
@ 2025-10-31 21:30   ` Joanne Koong
  2025-11-11 13:44     ` Miklos Szeredi
  0 siblings, 1 reply; 6+ messages in thread
From: Joanne Koong @ 2025-10-31 21:30 UTC (permalink / raw)
  To: Bernd Schubert
  Cc: Miklos Szeredi, Luis Henriques, Miklos Szeredi, linux-fsdevel,
	Cheng Ding, stable

On Tue, Oct 21, 2025 at 1:46 PM Bernd Schubert <bschubert@ddn.com> wrote:
>
> From: Cheng Ding <cding@ddn.com>
>
> Fix a possible reference count leak of payload pages during
> fuse argument copies.
>
> Fixes: c090c8abae4b ("fuse: Add io-uring sqe commit and fetch support")
> Cc: <stable@vger.kernel.org> # v6.14
> Signed-off-by: Cheng Ding <cding@ddn.com>
> Signed-off-by: Bernd Schubert <bschubert@ddn.com>
> ---
>  fs/fuse/dev.c        |  2 +-
>  fs/fuse/dev_uring.c  | 12 +++++++++---
>  fs/fuse/fuse_dev_i.h |  1 +
>  3 files changed, 11 insertions(+), 4 deletions(-)
>
> diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
> index 132f38619d70720ce74eedc002a7b8f31e760a61..49b18d7accb39927e49bc3814ad2c3e51db84bb4 100644
> --- a/fs/fuse/dev.c
> +++ b/fs/fuse/dev.c
> @@ -846,7 +846,7 @@ void fuse_copy_init(struct fuse_copy_state *cs, bool write,
>  }
>
>  /* Unmap and put previous page of userspace buffer */
> -static void fuse_copy_finish(struct fuse_copy_state *cs)
> +void fuse_copy_finish(struct fuse_copy_state *cs)
>  {
>         if (cs->currbuf) {
>                 struct pipe_buffer *buf = cs->currbuf;
> diff --git a/fs/fuse/dev_uring.c b/fs/fuse/dev_uring.c
> index f6b12aebb8bbe7d255980593b75b5fb5af9c669e..3721c2d91627f5438b6997df3de63734704e56ff 100644
> --- a/fs/fuse/dev_uring.c
> +++ b/fs/fuse/dev_uring.c
> @@ -598,7 +598,9 @@ static int fuse_uring_copy_from_ring(struct fuse_ring *ring,
>         cs.is_uring = true;
>         cs.req = req;
>
> -       return fuse_copy_out_args(&cs, args, ring_in_out.payload_sz);
> +       err = fuse_copy_out_args(&cs, args, ring_in_out.payload_sz);
> +       fuse_copy_finish(&cs);
> +       return err;
>  }
>
>   /*
> @@ -651,13 +653,17 @@ static int fuse_uring_args_to_ring(struct fuse_ring *ring, struct fuse_req *req,
>                              (struct fuse_arg *)in_args, 0);
>         if (err) {
>                 pr_info_ratelimited("%s fuse_copy_args failed\n", __func__);
> -               return err;
> +               goto copy_finish;
>         }
>
>         ent_in_out.payload_sz = cs.ring.copied_sz;
>         err = copy_to_user(&ent->headers->ring_ent_in_out, &ent_in_out,
>                            sizeof(ent_in_out));
> -       return err ? -EFAULT : 0;
> +       if (err)
> +               err = -EFAULT;
> +copy_finish:
> +       fuse_copy_finish(&cs);
> +       return err;
>  }

nit: this could just be

--- a/fs/fuse/dev_uring.c
+++ b/fs/fuse/dev_uring.c
@@ -649,6 +649,7 @@ static int fuse_uring_args_to_ring(struct
fuse_ring *ring, struct fuse_req *req,
        /* copy the payload */
        err = fuse_copy_args(&cs, num_args, args->in_pages,
                             (struct fuse_arg *)in_args, 0);
+       fuse_copy_finish(&cs);
        if (err) {
                pr_info_ratelimited("%s fuse_copy_args failed\n", __func__);
                return err;

>

Reviewed-by: Joanne Koong <joannelkoong@gmail.com>

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [PATCH 1/2] fuse: missing copy_finish in fuse-over-io-uring argument copies
  2025-10-31 21:30   ` Joanne Koong
@ 2025-11-11 13:44     ` Miklos Szeredi
  0 siblings, 0 replies; 6+ messages in thread
From: Miklos Szeredi @ 2025-11-11 13:44 UTC (permalink / raw)
  To: Joanne Koong
  Cc: Bernd Schubert, Luis Henriques, Miklos Szeredi, linux-fsdevel,
	Cheng Ding, stable

On Fri, 31 Oct 2025 at 22:30, Joanne Koong <joannelkoong@gmail.com> wrote:

> --- a/fs/fuse/dev_uring.c
> +++ b/fs/fuse/dev_uring.c
> @@ -649,6 +649,7 @@ static int fuse_uring_args_to_ring(struct
> fuse_ring *ring, struct fuse_req *req,
>         /* copy the payload */
>         err = fuse_copy_args(&cs, num_args, args->in_pages,
>                              (struct fuse_arg *)in_args, 0);
> +       fuse_copy_finish(&cs);
>         if (err) {
>                 pr_info_ratelimited("%s fuse_copy_args failed\n", __func__);
>                 return err;
>

Applied this variant.

Thanks,
Miklos

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [PATCH 2/2] fuse: Fix whitespace for fuse_uring_args_to_ring() comment
  2025-10-21 20:46 ` [PATCH 2/2] fuse: Fix whitespace for fuse_uring_args_to_ring() comment Bernd Schubert
@ 2025-11-11 13:46   ` Miklos Szeredi
  0 siblings, 0 replies; 6+ messages in thread
From: Miklos Szeredi @ 2025-11-11 13:46 UTC (permalink / raw)
  To: Bernd Schubert; +Cc: Luis Henriques, Joanne Koong, linux-fsdevel

On Tue, 21 Oct 2025 at 22:47, Bernd Schubert <bschubert@ddn.com> wrote:
>
> The function comment accidentally got wrong indentation.
>
> Signed-off-by: Bernd Schubert <bschubert@ddn.com>

Applied, thanks.

Miklos

^ permalink raw reply	[flat|nested] 6+ messages in thread
end of thread, other threads:[~2025-11-11 13:46 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-10-21 20:46 [PATCH 0/2] fuse: Fix missing fuse_copy_finish in dev_uring.c Bernd Schubert
2025-10-21 20:46 ` [PATCH 1/2] fuse: missing copy_finish in fuse-over-io-uring argument copies Bernd Schubert
2025-10-31 21:30   ` Joanne Koong
2025-11-11 13:44     ` Miklos Szeredi
2025-10-21 20:46 ` [PATCH 2/2] fuse: Fix whitespace for fuse_uring_args_to_ring() comment Bernd Schubert
2025-11-11 13:46   ` Miklos Szeredi

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).