From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Tahsin Erdogan <tahsin@google.com>,
Miklos Szeredi <mszeredi@redhat.com>
Subject: [PATCH 4.4 15/42] fuse: clear FR_PENDING flag when moving requests out of pending queue
Date: Tue, 24 Jan 2017 08:55:25 +0100 [thread overview]
Message-ID: <20170124075509.936004441@linuxfoundation.org> (raw)
In-Reply-To: <20170124075509.299412838@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tahsin Erdogan <tahsin@google.com>
commit a8a86d78d673b1c99fe9b0064739fde9e9774184 upstream.
fuse_abort_conn() moves requests from pending list to a temporary list
before canceling them. This operation races with request_wait_answer()
which also tries to remove the request after it gets a fatal signal. It
checks FR_PENDING flag to determine whether the request is still in the
pending list.
Make fuse_abort_conn() clear FR_PENDING flag so that request_wait_answer()
does not remove the request from temporary list.
This bug causes an Oops when trying to delete an already deleted list entry
in end_requests().
Fixes: ee314a870e40 ("fuse: abort: no fc->lock needed for request ending")
Signed-off-by: Tahsin Erdogan <tahsin@google.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fuse/dev.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -2083,7 +2083,6 @@ static void end_requests(struct fuse_con
struct fuse_req *req;
req = list_entry(head->next, struct fuse_req, list);
req->out.h.error = -ECONNABORTED;
- clear_bit(FR_PENDING, &req->flags);
clear_bit(FR_SENT, &req->flags);
list_del_init(&req->list);
request_end(fc, req);
@@ -2161,6 +2160,8 @@ void fuse_abort_conn(struct fuse_conn *f
spin_lock(&fiq->waitq.lock);
fiq->connected = 0;
list_splice_init(&fiq->pending, &to_end2);
+ list_for_each_entry(req, &to_end2, list)
+ clear_bit(FR_PENDING, &req->flags);
while (forget_pending(fiq))
kfree(dequeue_forget(fiq, 1, NULL));
wake_up_all_locked(&fiq->waitq);
next prev parent reply other threads:[~2017-01-24 7:56 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CGME20170124075830epcas1p296b07d21649bc2441732496425ef6977@epcas1p2.samsung.com>
2017-01-24 7:55 ` [PATCH 4.4 00/42] 4.4.45-stable review Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 01/42] ftrace/x86: Set ftrace_stub to weak to prevent gcc from using short jumps to it Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 02/42] IB/mlx5: Wait for all async command completions to complete Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 03/42] IB/mlx4: Set traffic class in AH Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 04/42] IB/mlx4: Fix out-of-range array index in destroy qp flow Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 05/42] IB/mlx4: Fix port query for 56Gb Ethernet links Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 06/42] IB/mlx4: When no DMFS for IPoIB, dont allow NET_IF QPs Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 07/42] IB/IPoIB: Remove cant use GFP_NOIO warning Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 08/42] perf scripting: Avoid leaking the scripting_context variable Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 09/42] ARM: dts: imx31: fix clock control module interrupts description Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 11/42] ARM: dts: imx31: fix AVIC base address Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 12/42] tmpfs: clear S_ISGID when setting posix ACLs Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 13/42] x86/PCI: Ignore _CRS on Supermicro X8DTH-i/6/iF/6F Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 14/42] svcrpc: dont leak contexts on PROC_DESTROY Greg Kroah-Hartman
2017-01-24 7:55 ` Greg Kroah-Hartman [this message]
2017-01-24 7:55 ` [PATCH 4.4 16/42] PCI: Enumerate switches below PCI-to-PCIe bridges Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 17/42] HID: corsair: fix DMA buffers on stack Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 18/42] HID: corsair: fix control-transfer error handling Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 19/42] mmc: mxs-mmc: Fix additional cycles after transmission stop Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 20/42] ieee802154: atusb: do not use the stack for buffers to make them DMA able Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 21/42] mtd: nand: xway: disable module support Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 22/42] x86/ioapic: Restore IO-APIC irq_chip retrigger callback Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 23/42] qla2xxx: Fix crash due to null pointer access Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 24/42] ubifs: Fix journal replay wrt. xattr nodes Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 25/42] clocksource/exynos_mct: Clear interrupt when cpu is shut down Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 26/42] svcrdma: avoid duplicate dma unmapping during error recovery Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 27/42] ARM: 8634/1: hw_breakpoint: blacklist Scorpion CPUs Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 28/42] ceph: fix bad endianness handling in parse_reply_info_extra Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 29/42] ARM: dts: da850-evm: fix read access to SPI flash Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 30/42] arm64/ptrace: Preserve previous registers for short regset write Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 31/42] arm64/ptrace: Preserve previous registers for short regset write - 2 Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 32/42] arm64/ptrace: Preserve previous registers for short regset write - 3 Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 33/42] arm64/ptrace: Avoid uninitialised struct padding in fpr_set() Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 34/42] arm64/ptrace: Reject attempts to set incomplete hardware breakpoint fields Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 35/42] ARM: dts: imx6qdl-nitrogen6_max: fix sgtl5000 pinctrl init Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 36/42] ARM: ux500: fix prcmu_is_cpu_in_wfi() calculation Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 37/42] ARM: 8613/1: Fix the uaccess crash on PB11MPCore Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 38/42] [media] blackfin: check devm_pinctrl_get() for errors Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 39/42] [media] ite-cir: initialize use_demodulator before using it Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 40/42] dmaengine: pl330: Fix runtime PM support for terminated transfers Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 41/42] selftest/powerpc: Wrong PMC initialized in pmc56_overflow test Greg Kroah-Hartman
2017-01-24 7:55 ` [PATCH 4.4 42/42] arm64: avoid returning from bad_mode Greg Kroah-Hartman
2017-01-24 18:26 ` [PATCH 4.4 00/42] 4.4.45-stable review Shuah Khan
2017-01-24 19:08 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170124075509.936004441@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mszeredi@redhat.com \
--cc=stable@vger.kernel.org \
--cc=tahsin@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).