<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/fs/fuse/inode.c, branch linux-3.16.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>fuse: Fix oops at process_init_reply()</title>
<updated>2018-12-16T22:08:26+00:00</updated>
<author>
<name>Miklos Szeredi</name>
<email>mszeredi@redhat.com</email>
</author>
<published>2018-07-26T14:13:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=84dd9744f4adb87b5a830b3097047a3f0099ccf5'/>
<id>84dd9744f4adb87b5a830b3097047a3f0099ccf5</id>
<content type='text'>
commit e8f3bd773d22f488724dffb886a1618da85c2966 upstream.

syzbot is hitting NULL pointer dereference at process_init_reply().
This is because deactivate_locked_super() is called before response for
initial request is processed.

Fix this by aborting and waiting for all requests (including FUSE_INIT)
before resetting fc-&gt;sb.

Original patch by Tetsuo Handa &lt;penguin-kernel@I-love.SKAURA.ne.jp&gt;.

Reported-by: syzbot &lt;syzbot+b62f08f4d5857755e3bc@syzkaller.appspotmail.com&gt;
Fixes: e27c9d3877a0 ("fuse: fuse: add time_gran to INIT_OUT")
Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
[bwh: Backported to 3.16:
 - Drop second argument to fuse_abort_conn()
 - fuse_wait_aborted() is not needed]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit e8f3bd773d22f488724dffb886a1618da85c2966 upstream.

syzbot is hitting NULL pointer dereference at process_init_reply().
This is because deactivate_locked_super() is called before response for
initial request is processed.

Fix this by aborting and waiting for all requests (including FUSE_INIT)
before resetting fc-&gt;sb.

Original patch by Tetsuo Handa &lt;penguin-kernel@I-love.SKAURA.ne.jp&gt;.

Reported-by: syzbot &lt;syzbot+b62f08f4d5857755e3bc@syzkaller.appspotmail.com&gt;
Fixes: e27c9d3877a0 ("fuse: fuse: add time_gran to INIT_OUT")
Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
[bwh: Backported to 3.16:
 - Drop second argument to fuse_abort_conn()
 - fuse_wait_aborted() is not needed]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fuse: flush requests on umount</title>
<updated>2018-12-16T22:08:25+00:00</updated>
<author>
<name>Miklos Szeredi</name>
<email>mszeredi@suse.cz</email>
</author>
<published>2014-12-12T08:49:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=779b6307f009684be663066d377504dce4cb58c7'/>
<id>779b6307f009684be663066d377504dce4cb58c7</id>
<content type='text'>
commit 580640ba5d331eb5631a5de46941c98f5ed90886 upstream.

Use fuse_abort_conn() instead of fuse_conn_kill() in fuse_put_super().
This flushes and aborts requests still on any queues.  But since we've
already reset fc-&gt;connected, those requests would not be useful anyway and
would be flushed when the fuse device is closed.

Next patches will rely on requests being flushed before the superblock is
destroyed.

Use fuse_abort_conn() in cuse_process_init_reply() too, since it makes no
difference there, and we can get rid of fuse_conn_kill().

Signed-off-by: Miklos Szeredi &lt;mszeredi@suse.cz&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 580640ba5d331eb5631a5de46941c98f5ed90886 upstream.

Use fuse_abort_conn() instead of fuse_conn_kill() in fuse_put_super().
This flushes and aborts requests still on any queues.  But since we've
already reset fc-&gt;connected, those requests would not be useful anyway and
would be flushed when the fuse device is closed.

Next patches will rely on requests being flushed before the superblock is
destroyed.

Use fuse_abort_conn() in cuse_process_init_reply() too, since it makes no
difference there, and we can get rid of fuse_conn_kill().

Signed-off-by: Miklos Szeredi &lt;mszeredi@suse.cz&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fuse: don't wake up reserved req in fuse_conn_kill()</title>
<updated>2018-12-16T22:08:25+00:00</updated>
<author>
<name>Miklos Szeredi</name>
<email>mszeredi@suse.cz</email>
</author>
<published>2014-12-12T08:49:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0ab98f5465a1b8155ab398d3cb39b05acc1d2035'/>
<id>0ab98f5465a1b8155ab398d3cb39b05acc1d2035</id>
<content type='text'>
commit 0c4dd4ba1426c599072511dcf95a15ee5e12725b upstream.

Waking up reserved_req_waitq from fuse_conn_kill() doesn't make sense since
we aren't chaging ff-&gt;reserved_req here, which is what this waitqueue
signals.

Signed-off-by: Miklos Szeredi &lt;mszeredi@suse.cz&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 0c4dd4ba1426c599072511dcf95a15ee5e12725b upstream.

Waking up reserved_req_waitq from fuse_conn_kill() doesn't make sense since
we aren't chaging ff-&gt;reserved_req here, which is what this waitqueue
signals.

Signed-off-by: Miklos Szeredi &lt;mszeredi@suse.cz&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fuse: don't keep dead fuse_conn at fuse_fill_super().</title>
<updated>2018-11-20T18:05:06+00:00</updated>
<author>
<name>Tetsuo Handa</name>
<email>penguin-kernel@I-love.SAKURA.ne.jp</email>
</author>
<published>2018-05-01T04:12:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a9d417e85323a22add91a28a95302ef6dbe1fc6b'/>
<id>a9d417e85323a22add91a28a95302ef6dbe1fc6b</id>
<content type='text'>
commit 543b8f8662fe6d21f19958b666ab0051af9db21a upstream.

syzbot is reporting use-after-free at fuse_kill_sb_blk() [1].
Since sb-&gt;s_fs_info field is not cleared after fc was released by
fuse_conn_put() when initialization failed, fuse_kill_sb_blk() finds
already released fc and tries to hold the lock. Fix this by clearing
sb-&gt;s_fs_info field after calling fuse_conn_put().

[1] https://syzkaller.appspot.com/bug?id=a07a680ed0a9290585ca424546860464dd9658db

Signed-off-by: Tetsuo Handa &lt;penguin-kernel@I-love.SAKURA.ne.jp&gt;
Reported-by: syzbot &lt;syzbot+ec3986119086fe4eec97@syzkaller.appspotmail.com&gt;
Fixes: 3b463ae0c626 ("fuse: invalidation reverse calls")
Cc: John Muir &lt;john@jmuir.com&gt;
Cc: Csaba Henk &lt;csaba@gluster.com&gt;
Cc: Anand Avati &lt;avati@redhat.com&gt;
Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 543b8f8662fe6d21f19958b666ab0051af9db21a upstream.

syzbot is reporting use-after-free at fuse_kill_sb_blk() [1].
Since sb-&gt;s_fs_info field is not cleared after fc was released by
fuse_conn_put() when initialization failed, fuse_kill_sb_blk() finds
already released fc and tries to hold the lock. Fix this by clearing
sb-&gt;s_fs_info field after calling fuse_conn_put().

[1] https://syzkaller.appspot.com/bug?id=a07a680ed0a9290585ca424546860464dd9658db

Signed-off-by: Tetsuo Handa &lt;penguin-kernel@I-love.SAKURA.ne.jp&gt;
Reported-by: syzbot &lt;syzbot+ec3986119086fe4eec97@syzkaller.appspotmail.com&gt;
Fixes: 3b463ae0c626 ("fuse: invalidation reverse calls")
Cc: John Muir &lt;john@jmuir.com&gt;
Cc: Csaba Henk &lt;csaba@gluster.com&gt;
Cc: Anand Avati &lt;avati@redhat.com&gt;
Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fuse: fix wrong assignment of -&gt;flags in fuse_send_init()</title>
<updated>2016-11-20T01:17:01+00:00</updated>
<author>
<name>Wei Fang</name>
<email>fangwei1@huawei.com</email>
</author>
<published>2016-07-25T13:17:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=791b24806c15b458eba1cc1c145c9d52770c4bd6'/>
<id>791b24806c15b458eba1cc1c145c9d52770c4bd6</id>
<content type='text'>
commit 9446385f05c9af25fed53dbed3cc75763730be52 upstream.

FUSE_HAS_IOCTL_DIR should be assigned to -&gt;flags, it may be a typo.

Signed-off-by: Wei Fang &lt;fangwei1@huawei.com&gt;
Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
Fixes: 69fe05c90ed5 ("fuse: add missing INIT flags")
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 9446385f05c9af25fed53dbed3cc75763730be52 upstream.

FUSE_HAS_IOCTL_DIR should be assigned to -&gt;flags, it may be a typo.

Signed-off-by: Wei Fang &lt;fangwei1@huawei.com&gt;
Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
Fixes: 69fe05c90ed5 ("fuse: add missing INIT flags")
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sysfs: Create mountpoints with sysfs_create_mount_point</title>
<updated>2015-08-20T17:24:03+00:00</updated>
<author>
<name>Eric W. Biederman</name>
<email>ebiederm@xmission.com</email>
</author>
<published>2015-08-20T16:52:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b8ad501a4d34e99d8a448a34e144402d9a501b8b'/>
<id>b8ad501a4d34e99d8a448a34e144402d9a501b8b</id>
<content type='text'>
commit f9bb48825a6b5d02f4cabcc78967c75db903dcdc upstream.

This allows for better documentation in the code and
it allows for a simpler and fully correct version of
fs_fully_visible to be written.

The mount points converted and their filesystems are:
/sys/hypervisor/s390/       s390_hypfs
/sys/kernel/config/         configfs
/sys/kernel/debug/          debugfs
/sys/firmware/efi/efivars/  efivarfs
/sys/fs/fuse/connections/   fusectl
/sys/fs/pstore/             pstore
/sys/kernel/tracing/        tracefs
/sys/fs/cgroup/             cgroup
/sys/kernel/security/       securityfs
/sys/fs/selinux/            selinuxfs
/sys/fs/smackfs/            smackfs

Acked-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Signed-off-by: Seth Forshee &lt;seth.forshee@canonical.com&gt;
Signed-off-by: Luis Henriques &lt;luis.henriques@canonical.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit f9bb48825a6b5d02f4cabcc78967c75db903dcdc upstream.

This allows for better documentation in the code and
it allows for a simpler and fully correct version of
fs_fully_visible to be written.

The mount points converted and their filesystems are:
/sys/hypervisor/s390/       s390_hypfs
/sys/kernel/config/         configfs
/sys/kernel/debug/          debugfs
/sys/firmware/efi/efivars/  efivarfs
/sys/fs/fuse/connections/   fusectl
/sys/fs/pstore/             pstore
/sys/kernel/tracing/        tracefs
/sys/fs/cgroup/             cgroup
/sys/kernel/security/       securityfs
/sys/fs/selinux/            selinuxfs
/sys/fs/smackfs/            smackfs

Acked-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Signed-off-by: Seth Forshee &lt;seth.forshee@canonical.com&gt;
Signed-off-by: Luis Henriques &lt;luis.henriques@canonical.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fuse: initialize fc-&gt;release before calling it</title>
<updated>2015-07-15T09:01:04+00:00</updated>
<author>
<name>Miklos Szeredi</name>
<email>mszeredi@suse.cz</email>
</author>
<published>2015-07-01T14:25:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ceab5a8714d9f4faea61322eb9307adcf36c6555'/>
<id>ceab5a8714d9f4faea61322eb9307adcf36c6555</id>
<content type='text'>
commit 0ad0b3255a08020eaf50e34ef0d6df5bdf5e09ed upstream.

fc-&gt;release is called from fuse_conn_put() which was used in the error
cleanup before fc-&gt;release was initialized.

[Jeremiah Mahler &lt;jmmahler@gmail.com&gt;: assign fc-&gt;release after calling
fuse_conn_init(fc) instead of before.]

Signed-off-by: Miklos Szeredi &lt;mszeredi@suse.cz&gt;
Fixes: a325f9b92273 ("fuse: update fuse_conn_init() and separate out fuse_conn_kill()")
Signed-off-by: Luis Henriques &lt;luis.henriques@canonical.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 0ad0b3255a08020eaf50e34ef0d6df5bdf5e09ed upstream.

fc-&gt;release is called from fuse_conn_put() which was used in the error
cleanup before fc-&gt;release was initialized.

[Jeremiah Mahler &lt;jmmahler@gmail.com&gt;: assign fc-&gt;release after calling
fuse_conn_init(fc) instead of before.]

Signed-off-by: Miklos Szeredi &lt;mszeredi@suse.cz&gt;
Fixes: a325f9b92273 ("fuse: update fuse_conn_init() and separate out fuse_conn_kill()")
Signed-off-by: Luis Henriques &lt;luis.henriques@canonical.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fuse: add FUSE_NO_OPEN_SUPPORT flag to INIT</title>
<updated>2014-07-22T14:37:43+00:00</updated>
<author>
<name>Andrew Gallagher</name>
<email>andrewjcg@fb.com</email>
</author>
<published>2014-07-22T14:37:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d7afaec0b564f0609e116f562983b8e72fc3e9c9'/>
<id>d7afaec0b564f0609e116f562983b8e72fc3e9c9</id>
<content type='text'>
Here some additional changes to set a capability flag so that clients can
detect when it's appropriate to return -ENOSYS from open.

This amends the following commit introduced in 3.14:

  7678ac50615d  fuse: support clients that don't implement 'open'

However we can only add the flag to 3.15 and later since there was no
protocol version update in 3.14.

Signed-off-by: Miklos Szeredi &lt;mszeredi@suse.cz&gt;
Cc: &lt;stable@vger.kernel.org&gt; # v3.15+
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Here some additional changes to set a capability flag so that clients can
detect when it's appropriate to return -ENOSYS from open.

This amends the following commit introduced in 3.14:

  7678ac50615d  fuse: support clients that don't implement 'open'

However we can only add the flag to 3.15 and later since there was no
protocol version update in 3.14.

Signed-off-by: Miklos Szeredi &lt;mszeredi@suse.cz&gt;
Cc: &lt;stable@vger.kernel.org&gt; # v3.15+
</pre>
</div>
</content>
</entry>
<entry>
<title>fuse: s_time_gran fix</title>
<updated>2014-07-22T14:37:42+00:00</updated>
<author>
<name>Miklos Szeredi</name>
<email>mszeredi@suse.cz</email>
</author>
<published>2014-07-22T14:37:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a800bad36619ce47ac0222004635448e6c91ff72'/>
<id>a800bad36619ce47ac0222004635448e6c91ff72</id>
<content type='text'>
Default s_time_gran is 1, don't overwrite that if userspace didn't
explicitly specify one.

Signed-off-by: Miklos Szeredi &lt;mszeredi@suse.cz&gt;
Cc: &lt;stable@vger.kernel.org&gt; # v3.15+
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Default s_time_gran is 1, don't overwrite that if userspace didn't
explicitly specify one.

Signed-off-by: Miklos Szeredi &lt;mszeredi@suse.cz&gt;
Cc: &lt;stable@vger.kernel.org&gt; # v3.15+
</pre>
</div>
</content>
</entry>
<entry>
<title>fuse: handle large user and group ID</title>
<updated>2014-07-07T13:28:51+00:00</updated>
<author>
<name>Miklos Szeredi</name>
<email>mszeredi@suse.cz</email>
</author>
<published>2014-07-07T13:28:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=233a01fa9c4c7c41238537e8db8434667ff28a2f'/>
<id>233a01fa9c4c7c41238537e8db8434667ff28a2f</id>
<content type='text'>
If the number in "user_id=N" or "group_id=N" mount options was larger than
INT_MAX then fuse returned EINVAL.

Fix this to handle all valid uid/gid values.

Signed-off-by: Miklos Szeredi &lt;mszeredi@suse.cz&gt;
Cc: stable@vger.kernel.org
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If the number in "user_id=N" or "group_id=N" mount options was larger than
INT_MAX then fuse returned EINVAL.

Fix this to handle all valid uid/gid values.

Signed-off-by: Miklos Szeredi &lt;mszeredi@suse.cz&gt;
Cc: stable@vger.kernel.org
</pre>
</div>
</content>
</entry>
</feed>
