[Devel] [PATCH RHEL7 COMMIT] fuse kio: Check for null ep in pcs_rpc_deaccount_msg()
Konstantin Khorenko
khorenko at virtuozzo.com
Thu Oct 18 15:01:35 MSK 2018
The commit is pushed to "branch-rh7-3.10.0-862.14.4.vz7.72.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-862.14.4.vz7.72.11
------>
commit f50eded8e1d0427cd2aa5b9885cde8cae60de5be
Author: Kirill Tkhai <ktkhai at virtuozzo.com>
Date: Thu Oct 18 15:01:33 2018 +0300
fuse kio: Check for null ep in pcs_rpc_deaccount_msg()
This is the only msg->done() callback-related function
which does not check for ep != NULL. Although all the
creators of a msg with such a msg->destruct() method
(it's called in the order msg->done --> msg->destruct())
take the ep counter before they create such a type of msg,
add an explicit check for that to catch hidden msg
cloning and other non-obvious actions on msg.
Signed-off-by: Kirill Tkhai <ktkhai at virtuozzo.com>
Reviewed-by: Pavel Butsykin <pbutsykin at virtuozzo.com>
=====================
Patchset description:
Order rpc destroy with rpc_queue_work()
Prevents use-after-free from work function.
https://pmc.acronis.com/browse/VSTOR-16236
Kirill Tkhai (3):
fuse kio: Stop self-abuse of rpc counter in rpc_queue_work()
fuse kio: Check for null ep in pcs_rpc_deaccount_msg()
fuse kio: Move abort & destroy block up in pcs_rpc_send()
Pavel Butsykin (1):
fs/fuse kio_pcs: flush rpc work inside pcs_rpc_destroy()
---
fs/fuse/kio/pcs/pcs_rpc.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/fuse/kio/pcs/pcs_rpc.c b/fs/fuse/kio/pcs/pcs_rpc.c
index 27156a507a84..8c76bb44f0a2 100644
--- a/fs/fuse/kio/pcs/pcs_rpc.c
+++ b/fs/fuse/kio/pcs/pcs_rpc.c
@@ -1083,7 +1083,10 @@ static int rpc_check_memlimit(struct pcs_rpc * ep)
void pcs_rpc_deaccount_msg(struct pcs_msg * msg)
{
- struct pcs_rpc * ep = msg->rpc;
+ struct pcs_rpc *ep = msg->rpc;
+
+ if (WARN_ON_ONCE(!ep))
+ return;
msg->rpc = NULL;
ep->eng->msg_count--;
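Review bot: WARN_ON_ONCE(!ep) reports only the first occurrence, so any later msg reaching pcs_rpc_deaccount_msg() with msg->rpc already cleared (the hidden cloning case the commit message wants to catch) is silently dropped by the early return without a trace; if every hit matters for diagnosing the use-after-free this patchset targets, consider plain WARN_ON(!ep), or state in the commit message that only the first hit is reported. The early return itself is sound, since with ep == NULL there is no engine whose msg_count could be decremented and msg->rpc is already NULL. Separately, the whitespace change from `struct pcs_rpc * ep` to `struct pcs_rpc *ep` is unrelated to the NULL check and would be cleaner as its own cosmetic patch.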