diff options
| author | Miklos Szeredi <mszeredi@redhat.com> | 2026-05-28 10:58:24 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2026-06-27 11:07:41 +0100 |
| commit | 39a2b95e008665c14f84e50ed411d898df7cd11b (patch) | |
| tree | 6177b418b8604f6b0121a7d9f803bab6e37e71e2 /tools/lib/python/kdoc/python_version.py | |
| parent | b28b12be6e8910489e6800ed93ea4d41dfe19683 (diff) | |
| download | linux-39a2b95e008665c14f84e50ed411d898df7cd11b.tar.gz linux-39a2b95e008665c14f84e50ed411d898df7cd11b.tar.bz2 linux-39a2b95e008665c14f84e50ed411d898df7cd11b.zip | |
virtiofs: fix UAF on submount umount
commit 06b41351779e9289e8785694ade9042ae85e41ea upstream.
iput() called from fuse_release_end() can Oops if the super block has
already been destroyed. Normally this is prevented by waiting for
num_waiting to go down to zero before commencing with super block shutdown.
This only works, however, for the last submount instance, as the wait
counter is per connection, not per superblock.
Revert to using synchronous release requests for the auto_submounts case,
which is virtiofs only at this time.
Reported-by: Aurélien Bombo <abombo@microsoft.com>
Reported-by: Zhihao Cheng <chengzhihao1@huawei.com>
Cc: Greg Kurz <gkurz@redhat.com>
Closes: https://github.com/kata-containers/kata-containers/issues/12589
Fixes: 26e5c67deb2e ("fuse: fix livelock in synchronous file put from fuseblk workers")
Cc: stable@vger.kernel.org
Reviewed-by: Greg Kurz <gkurz@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'tools/lib/python/kdoc/python_version.py')
0 files changed, 0 insertions, 0 deletions