Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse:
fuse: fix poll notify
fuse: destroy bdi on umount
fuse: fuse_fill_super error handling cleanup
fuse: fix missing fput on error
fuse: fix NULL deref in fuse_file_alloc()

+30 -18
+11 -5
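--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -281,7 +281,8 @@
 fc->blocked = 0;
 wake_up_all(&fc->blocked_waitq);
 }
-if (fc->num_background == FUSE_CONGESTION_THRESHOLD) {
+if (fc->num_background == FUSE_CONGESTION_THRESHOLD &&
+fc->connected) {
 clear_bdi_congested(&fc->bdi, READ);
 clear_bdi_congested(&fc->bdi, WRITE);
 }
@@ -826,16 +825,21 @@
 struct fuse_copy_state *cs)
 {
 struct fuse_notify_poll_wakeup_out outarg;
-int err;
+int err = -EINVAL;
 
 if (size != sizeof(outarg))
-return -EINVAL;
+goto err;
 
 err = fuse_copy_one(cs, &outarg, sizeof(outarg));
 if (err)
-return err;
+goto err;
 
+fuse_copy_finish(cs);
 return fuse_notify_poll_wakeup(fc, &outarg);
+
+err:
+fuse_copy_finish(cs);
+return err;
 }
 
 static int fuse_notify(struct fuse_conn *fc, enum fuse_notify_code code,
@@ -851,6 +845,7 @@
 return fuse_notify_poll(fc, size, cs);
 
 default:
+fuse_copy_finish(cs);
 return -EINVAL;
 }
 }
@@ -930,7 +923,6 @@
 */
 if (!oh.unique) {
 err = fuse_notify(fc, oh.error, nbytes - sizeof(oh), &cs);
-fuse_copy_finish(&cs);
 return err ? err : nbytes;
 }
 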
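Review bot: Every handler reached from the `switch` in `fuse_notify()` now has to call `fuse_copy_finish(cs)` itself on each return path, because the caller in the last hunk no longer does it, and nothing in the code states that rule. A notify code added later that returns without it would skip the copy-state cleanup, on a path whose input comes from whatever the userspace daemon writes to the device. I would put a comment above `fuse_notify()`, for example `/* Each notify handler must call fuse_copy_finish(cs) before returning; the caller does not. */`. Both `fuse_notify()` and its caller start outside the hunks shown.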
+1 -1
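--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -54,7 +54,7 @@
 ff->reserved_req = fuse_request_alloc();
 if (!ff->reserved_req) {
 kfree(ff);
-ff = NULL;
+return NULL;
 } else {
 INIT_LIST_HEAD(&ff->write_entry);
 atomic_set(&ff->count, 0);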
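Review bot: With `return NULL;` in the allocation-failure branch, the `} else {` that follows is no longer needed. Kernel style drops an `else` after a return, so the `INIT_LIST_HEAD(&ff->write_entry);` block can move out one level and the success path reads straight down. The function's start and end are outside the hunk.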
+18 -12
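--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -292,6 +292,7 @@
 list_del(&fc->entry);
 fuse_ctl_remove_conn(fc);
 mutex_unlock(&fuse_mutex);
+bdi_destroy(&fc->bdi);
 fuse_conn_put(fc);
 }
 
@@ -533,7 +532,6 @@
 if (fc->destroy_req)
 fuse_request_free(fc->destroy_req);
 mutex_destroy(&fc->inst_mutex);
-bdi_destroy(&fc->bdi);
 fc->release(fc);
 }
 }
@@ -805,16 +805,18 @@
 int err;
 int is_bdev = sb->s_bdev != NULL;
 
+err = -EINVAL;
 if (sb->s_flags & MS_MANDLOCK)
-return -EINVAL;
+goto err;
 
 if (!parse_fuse_opt((char *) data, &d, is_bdev))
-return -EINVAL;
+goto err;
 
 if (is_bdev) {
 #ifdef CONFIG_BLOCK
+err = -EINVAL;
 if (!sb_set_blocksize(sb, d.blksize))
-return -EINVAL;
+goto err;
 #endif
 } else {
 sb->s_blocksize = PAGE_CACHE_SIZE;
@@ -828,20 +826,22 @@
 sb->s_export_op = &fuse_export_operations;
 
 file = fget(d.fd);
+err = -EINVAL;
 if (!file)
-return -EINVAL;
+goto err;
 
 if (file->f_op != &fuse_dev_operations)
-return -EINVAL;
+goto err_fput;
 
 fc = kmalloc(sizeof(*fc), GFP_KERNEL);
+err = -ENOMEM;
 if (!fc)
-return -ENOMEM;
+goto err_fput;
 
 err = fuse_conn_init(fc, sb);
 if (err) {
 kfree(fc);
-return err;
+goto err_fput;
 }
 
 fc->release = fuse_free_conn;
@@ -858,12 +854,12 @@
 err = -ENOMEM;
 root = fuse_get_root_inode(sb, d.rootmode);
 if (!root)
-goto err;
+goto err_put_conn;
 
 root_dentry = d_alloc_root(root);
 if (!root_dentry) {
 iput(root);
-goto err;
+goto err_put_conn;
 }
 
 init_req = fuse_request_alloc();
@@ -907,9 +903,11 @@
 fuse_request_free(init_req);
 err_put_root:
 dput(root_dentry);
-err:
-fput(file);
+err_put_conn:
 fuse_conn_put(fc);
+err_fput:
+fput(file);
+err:
 return err;
 }
 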
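Review bot: The `err_put_conn:` exit in the last hunk calls only `fuse_conn_put(fc)`, yet `bdi_destroy(&fc->bdi)` has moved out of the connection-release path (second hunk) and into the umount path (first hunk). A mount that fails after `fuse_conn_init()` succeeded therefore appears to leave `fc->bdi` undestroyed. This assumes `fuse_conn_init()` is what sets up the bdi, which is not visible here; if so, the exit should read `err_put_conn: bdi_destroy(&fc->bdi); fuse_conn_put(fc);`. Separately, the `err = -EINVAL;` added under `#ifdef CONFIG_BLOCK` repeats the value already assigned at the top of the function.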