Commit 5ab2ed0a authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'fuse-fixes-5.15-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse 

Pull fuse fixes from Miklos Szeredi:
 "Syzbot discovered a race in case of reusing the fuse sb (introduced in
  this cycle).

  Fix it by doing the s_fs_info initialization at the proper place"

* tag 'fuse-fixes-5.15-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse:
  fuse: clean up error exits in fuse_fill_super()
  fuse: always initialize sb->s_fs_info
  fuse: clean up fuse_mount destruction
  fuse: get rid of fuse_put_super()
  fuse: check s_root when destroying sb
parents 477b4e80 964d32e5

fs/fuse/fuse_i.h

+3 −0
Original line number Diff line number Diff line
@@ -1121,6 +1121,9 @@ int fuse_init_fs_context_submount(struct fs_context *fsc); 
 */

void fuse_conn_destroy(struct fuse_mount *fm);



/* Drop the connection and free the fuse mount */

void fuse_mount_destroy(struct fuse_mount *fm);



/**

 * Add connection to control filesystem

 */

fs/fuse/inode.c

+39 −48
Original line number Diff line number Diff line
@@ -457,14 +457,6 @@ static void fuse_send_destroy(struct fuse_mount *fm) 
	}

}



static void fuse_put_super(struct super_block *sb)

{

	struct fuse_mount *fm = get_fuse_mount_super(sb);



	fuse_conn_put(fm->fc);

	kfree(fm);

}



static void convert_fuse_statfs(struct kstatfs *stbuf, struct fuse_kstatfs *attr)

{

	stbuf->f_type    = FUSE_SUPER_MAGIC;
@@ -1003,7 +995,6 @@ static const struct super_operations fuse_super_operations = { 
	.evict_inode	= fuse_evict_inode,

	.write_inode	= fuse_write_inode,

	.drop_inode	= generic_delete_inode,

	.put_super	= fuse_put_super,

	.umount_begin	= fuse_umount_begin,

	.statfs		= fuse_statfs,

	.sync_fs	= fuse_sync_fs,
@@ -1424,20 +1415,17 @@ static int fuse_get_tree_submount(struct fs_context *fsc) 
	if (!fm)

		return -ENOMEM;



	fm->fc = fuse_conn_get(fc);

	fsc->s_fs_info = fm;

	sb = sget_fc(fsc, NULL, set_anon_super_fc);

	if (IS_ERR(sb)) {

		kfree(fm);

	if (fsc->s_fs_info)

		fuse_mount_destroy(fm);

	if (IS_ERR(sb))

		return PTR_ERR(sb);

	}

	fm->fc = fuse_conn_get(fc);



	/* Initialize superblock, making @mp_fi its root */

	err = fuse_fill_super_submount(sb, mp_fi);

	if (err) {

		fuse_conn_put(fc);

		kfree(fm);

		sb->s_fs_info = NULL;

		deactivate_locked_super(sb);

		return err;

	}
@@ -1569,8 +1557,6 @@ static int fuse_fill_super(struct super_block *sb, struct fs_context *fsc) 
{

	struct fuse_fs_context *ctx = fsc->fs_private;

	int err;

	struct fuse_conn *fc;

	struct fuse_mount *fm;



	if (!ctx->file || !ctx->rootmode_present ||

	    !ctx->user_id_present || !ctx->group_id_present)
@@ -1580,42 +1566,18 @@ static int fuse_fill_super(struct super_block *sb, struct fs_context *fsc) 
	 * Require mount to happen from the same user namespace which

	 * opened /dev/fuse to prevent potential attacks.

	 */

	err = -EINVAL;

	if ((ctx->file->f_op != &fuse_dev_operations) ||

	    (ctx->file->f_cred->user_ns != sb->s_user_ns))

		goto err;

		return -EINVAL;

	ctx->fudptr = &ctx->file->private_data;



	fc = kmalloc(sizeof(*fc), GFP_KERNEL);

	err = -ENOMEM;

	if (!fc)

		goto err;



	fm = kzalloc(sizeof(*fm), GFP_KERNEL);

	if (!fm) {

		kfree(fc);

		goto err;

	}



	fuse_conn_init(fc, fm, sb->s_user_ns, &fuse_dev_fiq_ops, NULL);

	fc->release = fuse_free_conn;



	sb->s_fs_info = fm;



	err = fuse_fill_super_common(sb, ctx);

	if (err)

		goto err_put_conn;

		return err;

	/* file->private_data shall be visible on all CPUs after this */

	smp_mb();

	fuse_send_init(get_fuse_mount_super(sb));

	return 0;



 err_put_conn:

	fuse_conn_put(fc);

	kfree(fm);

	sb->s_fs_info = NULL;

 err:

	return err;

}



/*
@@ -1637,22 +1599,40 @@ static int fuse_get_tree(struct fs_context *fsc) 
{

	struct fuse_fs_context *ctx = fsc->fs_private;

	struct fuse_dev *fud;

	struct fuse_conn *fc;

	struct fuse_mount *fm;

	struct super_block *sb;

	int err;



	fc = kmalloc(sizeof(*fc), GFP_KERNEL);

	if (!fc)

		return -ENOMEM;



	fm = kzalloc(sizeof(*fm), GFP_KERNEL);

	if (!fm) {

		kfree(fc);

		return -ENOMEM;

	}



	fuse_conn_init(fc, fm, fsc->user_ns, &fuse_dev_fiq_ops, NULL);

	fc->release = fuse_free_conn;



	fsc->s_fs_info = fm;



	if (ctx->fd_present)

		ctx->file = fget(ctx->fd);



	if (IS_ENABLED(CONFIG_BLOCK) && ctx->is_bdev) {

		err = get_tree_bdev(fsc, fuse_fill_super);

		goto out_fput;

		goto out;

	}

	/*

	 * While block dev mount can be initialized with a dummy device fd

	 * (found by device name), normal fuse mounts can't

	 */

	err = -EINVAL;

	if (!ctx->file)

		return -EINVAL;

		goto out;



	/*

	 * Allow creating a fuse mount with an already initialized fuse
@@ -1668,7 +1648,9 @@ static int fuse_get_tree(struct fs_context *fsc) 
	} else {

		err = get_tree_nodev(fsc, fuse_fill_super);

	}

out_fput:

out:

	if (fsc->s_fs_info)

		fuse_mount_destroy(fm);

	if (ctx->file)

		fput(ctx->file);

	return err;
@@ -1747,17 +1729,25 @@ static void fuse_sb_destroy(struct super_block *sb) 
	struct fuse_mount *fm = get_fuse_mount_super(sb);

	bool last;



	if (fm) {

	if (sb->s_root) {

		last = fuse_mount_remove(fm);

		if (last)

			fuse_conn_destroy(fm);

	}

}



void fuse_mount_destroy(struct fuse_mount *fm)

{

	fuse_conn_put(fm->fc);

	kfree(fm);

}

EXPORT_SYMBOL(fuse_mount_destroy);



static void fuse_kill_sb_anon(struct super_block *sb)

{

	fuse_sb_destroy(sb);

	kill_anon_super(sb);

	fuse_mount_destroy(get_fuse_mount_super(sb));

}



static struct file_system_type fuse_fs_type = {
@@ -1775,6 +1765,7 @@ static void fuse_kill_sb_blk(struct super_block *sb) 
{

	fuse_sb_destroy(sb);

	kill_block_super(sb);

	fuse_mount_destroy(get_fuse_mount_super(sb));

}



static struct file_system_type fuseblk_fs_type = {

fs/fuse/virtio_fs.c

+4 −8
Original line number Diff line number Diff line
@@ -1394,12 +1394,13 @@ static void virtio_kill_sb(struct super_block *sb) 
	bool last;



	/* If mount failed, we can still be called without any fc */

	if (fm) {

	if (sb->s_root) {

		last = fuse_mount_remove(fm);

		if (last)

			virtio_fs_conn_destroy(fm);

	}

	kill_anon_super(sb);

	fuse_mount_destroy(fm);

}



static int virtio_fs_test_super(struct super_block *sb,
@@ -1455,19 +1456,14 @@ static int virtio_fs_get_tree(struct fs_context *fsc) 


	fsc->s_fs_info = fm;

	sb = sget_fc(fsc, virtio_fs_test_super, set_anon_super_fc);

	if (fsc->s_fs_info) {

		fuse_conn_put(fc);

		kfree(fm);

	}

	if (fsc->s_fs_info)

		fuse_mount_destroy(fm);

	if (IS_ERR(sb))

		return PTR_ERR(sb);



	if (!sb->s_root) {

		err = virtio_fs_fill_super(sb, fsc);

		if (err) {

			fuse_conn_put(fc);

			kfree(fm);

			sb->s_fs_info = NULL;

			deactivate_locked_super(sb);

			return err;

		}