[Devel] [PATCH RHEL8 COMMIT] fs/fuse kio: NULL pointer dereference in case of dead map

Konstantin Khorenko khorenko at virtuozzo.com
Thu Oct 15 10:37:38 MSK 2020 

The commit is pushed to "branch-rh8-4.18.0-193.6.3.vz8.4.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh8-4.18.0-193.6.3.vz8.4.13
------>
commit fe33682080a60969d2782f32ea7b98a1857fec64
Author: Ildar Ismagilov <Ildar.Ismagilov at acronis.com>
Date:   Thu Oct 15 10:37:38 2020 +0300

    fs/fuse kio: NULL pointer dereference in case of dead map
    
    Inside fuse_map_resolve() there is dereference m->mapping,
    which can be NULL in case of map dead.
    
    https://pmc.acronis.com/browse/VSTOR-34510
    
    Signed-off-by: Ildar Ismagilov <Ildar.Ismagilov at acronis.com>
    Acked-by: Andrey Zaitsev <azaitsev at virtuozzo.com>
---
 fs/fuse/kio/pcs/pcs_fuse_kdirect.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/fs/fuse/kio/pcs/pcs_fuse_kdirect.c b/fs/fuse/kio/pcs/pcs_fuse_kdirect.c
index d4cb1b87fadf..7c703b6bf8fc 100644
--- a/fs/fuse/kio/pcs/pcs_fuse_kdirect.c
+++ b/fs/fuse/kio/pcs/pcs_fuse_kdirect.c
@@ -514,8 +514,8 @@ static void fuse_complete_map_work(struct work_struct *w)
 
 int fuse_map_resolve(struct pcs_map_entry *m, int direction)
 {
-	struct pcs_dentry_info *di = pcs_dentry_from_mapping(m->mapping);
-	struct fuse_conn *fc = pcs_cluster_from_cc(di->cluster)->fc;
+	struct pcs_dentry_info *di;
+	struct fuse_conn *fc;
 	struct fuse_io_args *ia;
 	struct fuse_ioctl_in *inarg;
 	struct fuse_ioctl_out *outarg;
@@ -524,10 +524,22 @@ int fuse_map_resolve(struct pcs_map_entry *m, int direction)
 	size_t map_sz;
 	int err;
 
+	spin_lock(&m->lock);
+
+	if (m->state & PCS_MAP_DEAD) {
+		spin_unlock(&m->lock);
+		pcs_map_put(m);
+		return 0;
+	}
+	di = pcs_dentry_from_mapping(m->mapping);
+	fc = pcs_cluster_from_cc(di->cluster)->fc;
+
 	DTRACE("enter m: " MAP_FMT ", dir:%d \n", MAP_ARGS(m),	direction);
 
 	BUG_ON(!(m->state & PCS_MAP_RESOLVING));
 
+	spin_unlock(&m->lock);
+
 	map_sz = sizeof(*map_ioc) + MAX_CS_CNT * sizeof(struct pcs_cs_info);
 	map_ioc = kzalloc(map_sz, GFP_NOIO);
 	if (!map_ioc)

More information about the Devel mailing list