From: Amir Goldstein <amir73il@gmail.com>
Date: Thu, 4 Mar 2021 11:09:12 +0200
Subject: fuse: fix live lock in fuse_iget()
Git-commit: 775c5033a0d164622d9d10dd0f0a5531639ed3ed
Patch-mainline: v5.12-rc4
References: bsc#1184211 CVE-2021-28950
Commit 5d069dbe8aaf ("fuse: fix bad inode") replaced make_bad_inode()
in fuse_iget() with a private implementation fuse_make_bad().
The private implementation fails to remove the bad inode from inode
cache, so the retry loop with iget5_locked() finds the same bad inode
and marks it bad forever.
kmsg snip:
[ ] rcu: INFO: rcu_sched self-detected stall on CPU
...
[ ] ? bit_wait_io+0x50/0x50
[ ] ? fuse_init_file_inode+0x70/0x70
[ ] ? find_inode.isra.32+0x60/0xb0
[ ] ? fuse_init_file_inode+0x70/0x70
[ ] ilookup5_nowait+0x65/0x90
[ ] ? fuse_init_file_inode+0x70/0x70
[ ] ilookup5.part.36+0x2e/0x80
[ ] ? fuse_init_file_inode+0x70/0x70
[ ] ? fuse_inode_eq+0x20/0x20
[ ] iget5_locked+0x21/0x80
[ ] ? fuse_inode_eq+0x20/0x20
[ ] fuse_iget+0x96/0x1b0
Fixes: 5d069dbe8aaf ("fuse: fix bad inode")
Cc: stable@vger.kernel.org # 5.10+
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Acked-by: Luis Henriques <lhenriques@suse.com>
---
fs/fuse/fuse_i.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h
index 68cca8d4db6e..63d97a15ffde 100644
--- a/fs/fuse/fuse_i.h
+++ b/fs/fuse/fuse_i.h
@@ -863,6 +863,7 @@ static inline u64 fuse_get_attr_version(struct fuse_conn *fc)
static inline void fuse_make_bad(struct inode *inode)
{
+ remove_inode_hash(inode);
set_bit(FUSE_I_BAD, &get_fuse_inode(inode)->state);
}
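Review bot: The added remove_inode_hash(inode) call in fuse_make_bad() carries no comment explaining why a helper named for marking an inode bad also unhashes it. A one-line comment above the call, noting that the inode has to leave the inode cache so the iget5_locked() retry in fuse_iget() cannot find the same bad inode again, would keep a later cleanup from dropping it. Because fuse_make_bad() is a static inline in fuse_i.h, every caller now unhashes the inode, while the commit message only discusses the fuse_iget() path, so the changelog should confirm that the other call sites tolerate an unhashed inode.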