[Devel] [PATCH RHEL7 COMMIT] fs/fuse kio_pcs: fix NULL pointer dereference in cs_keep_waiting()
Konstantin Khorenko
khorenko at virtuozzo.com
Fri Jun 15 15:06:28 MSK 2018
The commit is pushed to "branch-rh7-3.10.0-693.21.1.vz7.50.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-693.21.1.vz7.50.9
------>
commit c997dde0dd6e7083d7ab5a9d1bd930f338bad55f
Author: Pavel Butsykin <pbutsykin at virtuozzo.com>
Date: Fri Jun 15 15:06:28 2018 +0300
fs/fuse kio_pcs: fix NULL pointer dereference in cs_keep_waiting()
This function reads ireq->ts_sent before checking ireq for NULL.
Signed-off-by: Pavel Butsykin <pbutsykin at virtuozzo.com>
Reviewed-by: Kirill Tkhai <ktkhai at virtuozzo.com>
Acked-by: Alexey Kuznetsov <kuznet at virtuozzo.com>
---
fs/fuse/kio/pcs/pcs_cs.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/fs/fuse/kio/pcs/pcs_cs.c b/fs/fuse/kio/pcs/pcs_cs.c
index 8345e92c4570..41c4d63d4058 100644
--- a/fs/fuse/kio/pcs/pcs_cs.c
+++ b/fs/fuse/kio/pcs/pcs_cs.c
@@ -620,9 +620,13 @@ static void cs_keep_waiting(struct pcs_rpc *ep, struct pcs_msg *req, struct pcs_
who = lookup_and_lock_cs(cs->css, &h->xid.origin);
if (who) {
struct pcs_int_request *ireq = req->private2;
- abs_time_t lat = ktime_to_ms(ktime_sub(ktime_get(), ireq->ts_sent));
- if (ireq)
+ abs_time_t lat;
+ if (ireq) {
+ lat = ktime_to_ms(ktime_sub(ktime_get(), ireq->ts_sent));
+ cs_update_io_latency(who, lat);
+
ireq->wait_origin = h->xid.origin;
+ }
if (!who->cwr_state) {
DTRACE("Congestion window on CS" NODE_FMT " reducing %d/%d/%d", NODE_ARGS(h->xid.origin),
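Review bot: Moving cs_update_io_latency(who, lat) up into the if (ireq) block changes its ordering as well as guarding it: it now runs before the cwr_state / eff_cwnd handling instead of after it, and the commit message mentions only the NULL check. Either state that the latency update does not depend on the state changed in between, or keep the call where it was and guard it there with if (ireq). Since lat is only used inside the new block in the visible lines, it could also be declared there, with a blank line after the declarations.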
@@ -637,7 +641,7 @@ static void cs_keep_waiting(struct pcs_rpc *ep, struct pcs_msg *req, struct pcs_
if (who->in_flight >= who->eff_cwnd)
who->cwr_state = 1;
}
- cs_update_io_latency(who, lat);
+
if (ireq && ireq->type == PCS_IREQ_IOCHUNK && !pcs_req_direction(ireq->iochunk.cmd)) {
/* Force CS reselection */
pcs_map_force_reselect(who);
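Review bot: With the unconditional cs_update_io_latency(who, lat) removed, the if (ireq && ireq->type == PCS_IREQ_IOCHUNK ...) test is the second NULL guard on ireq in this branch, yet nothing in the visible lines documents when req->private2 can be NULL on this path. A short comment at the ireq declaration would tell readers why both guards are needed and that a request without ireq intentionally contributes no latency sample. Also check that the added empty line does not leave two consecutive blank lines after the closing brace.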