From e2653bd53a98412ff2fc6fa6a6ed3934da04a3f3 Mon Sep 17 00:00:00 2001
From: Miklos Szeredi <mszeredi@redhat.com>
Date: Thu, 24 Jan 2019 10:40:15 +0100
Subject: fuse: fix leaked aux requests

Auxiliary requests chained on req->misc.write.next may be leaked on
truncate.  Free these as well if the parent request was truncated off.

Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
---
 fs/fuse/file.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'fs/fuse')

diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index b0c32a74082f..ee59599f4947 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -1494,6 +1494,7 @@ static void fuse_send_writepage(struct fuse_conn *fc, struct fuse_req *req,
 __releases(fc->lock)
 __acquires(fc->lock)
 {
+	struct fuse_req *aux, *next;
 	struct fuse_inode *fi = get_fuse_inode(req->inode);
 	struct fuse_write_in *inarg = &req->misc.write.in;
 	__u64 data_size = req->num_pages * PAGE_SIZE;
@@ -1520,6 +1521,15 @@ __acquires(fc->lock)
  out_free:
 	fuse_writepage_finish(fc, req);
 	spin_unlock(&fc->lock);
+
+	/* After fuse_writepage_finish() aux request list is private */
+	for (aux = req->misc.write.next; aux; aux = next) {
+		next = aux->misc.write.next;
+		aux->misc.write.next = NULL;
+		fuse_writepage_free(fc, aux);
+		fuse_put_request(fc, aux);
+	}
+
 	fuse_writepage_free(fc, req);
 	fuse_put_request(fc, req);
 	spin_lock(&fc->lock);
-- 
cgit