Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse:
fuse: fix poll notify
fuse: destroy bdi on umount
fuse: fuse_fill_super error handling cleanup
fuse: fix missing fput on error
fuse: fix NULL deref in fuse_file_alloc()

+30 -18
+11 -5
fs/fuse/dev.c
··· 281 281 fc->blocked = 0; 282 282 wake_up_all(&fc->blocked_waitq); 283 283 } 284 - if (fc->num_background == FUSE_CONGESTION_THRESHOLD) { 284 + if (fc->num_background == FUSE_CONGESTION_THRESHOLD && 285 + fc->connected) { 285 286 clear_bdi_congested(&fc->bdi, READ); 286 287 clear_bdi_congested(&fc->bdi, WRITE); 287 288 } ··· 826 825 struct fuse_copy_state *cs) 827 826 { 828 827 struct fuse_notify_poll_wakeup_out outarg; 829 - int err; 828 + int err = -EINVAL; 830 829 831 830 if (size != sizeof(outarg)) 832 - return -EINVAL; 831 + goto err; 833 832 834 833 err = fuse_copy_one(cs, &outarg, sizeof(outarg)); 835 834 if (err) 836 - return err; 835 + goto err; 837 836 837 + fuse_copy_finish(cs); 838 838 return fuse_notify_poll_wakeup(fc, &outarg); 839 + 840 + err: 841 + fuse_copy_finish(cs); 842 + return err; 839 843 } 840 844 841 845 static int fuse_notify(struct fuse_conn *fc, enum fuse_notify_code code, ··· 851 845 return fuse_notify_poll(fc, size, cs); 852 846 853 847 default: 848 + fuse_copy_finish(cs); 854 849 return -EINVAL; 855 850 } 856 851 } ··· 930 923 */ 931 924 if (!oh.unique) { 932 925 err = fuse_notify(fc, oh.error, nbytes - sizeof(oh), &cs); 933 - fuse_copy_finish(&cs); 934 926 return err ? err : nbytes; 935 927 } 936 928
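Review bot: With the `fuse_copy_finish(&cs)` call removed from the caller in the last hunk, every notify handler now has to release the copy state itself on each return path, and nothing in the new code says so. fuse_notify_poll() and the `default:` arm of fuse_notify() both do it, but a handler added to the switch later that returns early without the call would leave the copy state held, on a path that appears to be fed by what the userspace daemon writes to the device. A comment above fuse_notify() would pin the contract, for example `/* Handlers own cs: each must call fuse_copy_finish(cs) on every return path. */`. The function containing the last hunk, and the first line of fuse_notify_poll()'s signature, lie outside the visible lines.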
+1 -1
fs/fuse/file.c
··· 54 54 ff->reserved_req = fuse_request_alloc(); 55 55 if (!ff->reserved_req) { 56 56 kfree(ff); 57 - ff = NULL; 57 + return NULL; 58 58 } else { 59 59 INIT_LIST_HEAD(&ff->write_entry); 60 60 atomic_set(&ff->count, 0);
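Review bot: After the new `return NULL;` the `} else {` branch no longer serves a purpose, so the setup that follows (`INIT_LIST_HEAD(&ff->write_entry);`, `atomic_set(&ff->count, 0);`) can move out one level, which keeps the failure path visibly separate from initialisation. The statement that dereferenced `ff` after the old `ff = NULL;` is outside the hunk, as are the start and end of the enclosing function, so it is worth confirming there that no other path reaches it with a freed or NULL `ff`.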
+18 -12
fs/fuse/inode.c
··· 292 292 list_del(&fc->entry); 293 293 fuse_ctl_remove_conn(fc); 294 294 mutex_unlock(&fuse_mutex); 295 + bdi_destroy(&fc->bdi); 295 296 fuse_conn_put(fc); 296 297 } 297 298 ··· 533 532 if (fc->destroy_req) 534 533 fuse_request_free(fc->destroy_req); 535 534 mutex_destroy(&fc->inst_mutex); 536 - bdi_destroy(&fc->bdi); 537 535 fc->release(fc); 538 536 } 539 537 } ··· 805 805 int err; 806 806 int is_bdev = sb->s_bdev != NULL; 807 807 808 + err = -EINVAL; 808 809 if (sb->s_flags & MS_MANDLOCK) 809 - return -EINVAL; 810 + goto err; 810 811 811 812 if (!parse_fuse_opt((char *) data, &d, is_bdev)) 812 - return -EINVAL; 813 + goto err; 813 814 814 815 if (is_bdev) { 815 816 #ifdef CONFIG_BLOCK 817 + err = -EINVAL; 816 818 if (!sb_set_blocksize(sb, d.blksize)) 817 - return -EINVAL; 819 + goto err; 818 820 #endif 819 821 } else { 820 822 sb->s_blocksize = PAGE_CACHE_SIZE; ··· 828 826 sb->s_export_op = &fuse_export_operations; 829 827 830 828 file = fget(d.fd); 829 + err = -EINVAL; 831 830 if (!file) 832 - return -EINVAL; 831 + goto err; 833 832 834 833 if (file->f_op != &fuse_dev_operations) 835 - return -EINVAL; 834 + goto err_fput; 836 835 837 836 fc = kmalloc(sizeof(*fc), GFP_KERNEL); 837 + err = -ENOMEM; 838 838 if (!fc) 839 - return -ENOMEM; 839 + goto err_fput; 840 840 841 841 err = fuse_conn_init(fc, sb); 842 842 if (err) { 843 843 kfree(fc); 844 - return err; 844 + goto err_fput; 845 845 } 846 846 847 847 fc->release = fuse_free_conn; ··· 858 854 err = -ENOMEM; 859 855 root = fuse_get_root_inode(sb, d.rootmode); 860 856 if (!root) 861 - goto err; 857 + goto err_put_conn; 862 858 863 859 root_dentry = d_alloc_root(root); 864 860 if (!root_dentry) { 865 861 iput(root); 866 - goto err; 862 + goto err_put_conn; 867 863 } 868 864 869 865 init_req = fuse_request_alloc(); ··· 907 903 fuse_request_free(init_req); 908 904 err_put_root: 909 905 dput(root_dentry); 910 - err: 911 - fput(file); 906 + err_put_conn: 912 907 fuse_conn_put(fc); 908 + err_fput: 909 + fput(file); 
910 + err: 913 911 return err; 914 912 } 915 913
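Review bot: The new `err_put_conn:` path calls only `fuse_conn_put(fc)`, while the second hunk removes `bdi_destroy(&fc->bdi)` from what looks like the connection release path and the first hunk adds it only to what looks like the umount path. If fuse_conn_init() is where `fc->bdi` is set up (not visible here), a mount that fails after fuse_conn_init() succeeds, for instance when `fuse_get_root_inode()` or `d_alloc_root()` returns NULL, never destroys the bdi. I would add `bdi_destroy(&fc->bdi);` directly above `fuse_conn_put(fc);` under `err_put_conn:`. The enclosing functions of the hunks in this section start outside the visible lines.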