fuse: check aborted connection before adding requests to pending list for resending

There is a race condition where inflight requests will not be aborted if
they are in the middle of being re-sent when the connection is aborted.

If fuse_resend has already moved all the requests in the fpq->processing
lists to its private queue ("to_queue") and then the connection starts
and finishes aborting, these requests will be added to the pending queue
and remain on it indefinitely.

Fixes: 760eac73f9f6 ("fuse: Introduce a new notification type for resend pending requests")
Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: Jingbo Xu <jefflexu@linux.alibaba.com>
Cc: <stable@vger.kernel.org> # v6.9
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index 9eb191b5c4de124b3b469f5487beebbaf7630eb3..a11461ef6022c5bfdd3422d988d22f203aa422ea 100644 (file)
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -31,6 +31,8 @@ MODULE_ALIAS("devname:fuse");
 
 static struct kmem_cache *fuse_req_cachep;
 
+static void end_requests(struct list_head *head);
+
 static struct fuse_dev *fuse_get_dev(struct file *file)
 {
        /*
@@ -1820,6 +1822,13 @@ static void fuse_resend(struct fuse_conn *fc)
        }
 
        spin_lock(&fiq->lock);
+       if (!fiq->connected) {
+               spin_unlock(&fiq->lock);
+               list_for_each_entry(req, &to_queue, list)
+                       clear_bit(FR_PENDING, &req->flags);
+               end_requests(&to_queue);
+               return;
+       }
        /* iq and pq requests are both oldest to newest */
        list_splice(&to_queue, &fiq->pending);
        fiq->ops->wake_pending_and_unlock(fiq);