[Devel] [PATCH RHEL8 COMMIT] fuse: fix fiemap looping

Konstantin Khorenko khorenko at virtuozzo.com
Mon Jun 21 12:57:51 MSK 2021


The commit is pushed to "branch-rh8-4.18.0-240.1.1.vz8.5.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh8-4.18.0-240.1.1.vz8.5.46
------>
commit e314899f22b62b0e721dcec9322c428646af0620
Author: Alexey Kuznetsov <kuznet at acronis.com>
Date:   Sun Jun 20 19:42:48 2021 +0000

    fuse: fix fiemap looping
    
    Well, the function returns size on success.
    
    Together with the previous bug fixed in "[RHEL8] fuse: memory leakage",
    this resulted in instant death of the machine with aggressive OOM killing.
    It took a long time to figure this out, a very inconvenient situation
    when working with remote access.
    
    In the scope of https://jira.sw.ru/browse/PSBM-129289
    
    Signed-off-by: Alexey Kuznetsov <kuznet at acronis.com>
---
 fs/fuse/file.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index 0120ea3bc9e8..69d48750a641 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -3874,6 +3874,7 @@ static int fuse_request_fiemap(struct inode *inode, u32 cur_max,
 	int err;
 	int npages = 0;
 	int allocated = 0;
+	int out_size;
 
 	err = 0;
 	spin_lock(&fi->lock);
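
Review bot: out_size is declared as a plain int next to err, yet its only visible use is as a byte count compared against fm_mapped_extents * sizeof(struct fiemap_extent), which is an unsigned size_t expression. Declaring it size_t (or at least unsigned int) would keep that comparison same-signed and make it obvious that the variable never carries an error code.
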
@@ -3951,8 +3952,10 @@ static int fuse_request_fiemap(struct inode *inode, u32 cur_max,
 	}
 
 	err = fuse_simple_request(fc, &ap.args);
-	if (err)
+	if (err < 0)
 		goto out;
+	out_size = err;
+	err = 0;
 
 	if (cur_max == 0) {
 		dest->fi_extents_mapped += ofiemap.fm_mapped_extents;
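
Review bot: in the lines after fuse_simple_request(), err briefly holds a reply length before being copied to out_size and reset to 0, which is the same dual meaning that the old "if (err)" test got wrong. Assigning the call result to a dedicated length variable and deriving err from it would be harder to misread. Also, the cur_max == 0 branch directly below consumes ofiemap.fm_mapped_extents without consulting out_size; if a short reply can leave ofiemap only partly filled, a minimum-length check belongs here, ahead of both branches.
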
@@ -3972,6 +3975,11 @@ static int fuse_request_fiemap(struct inode *inode, u32 cur_max,
 			goto out;
 		}
 
+		if (ofiemap.fm_mapped_extents * sizeof(struct fiemap_extent) > out_size) {
+			err = -EIO;
+			goto out;
+		}
+
 		for (i = 0; i < ofiemap.fm_mapped_extents; i++) {
 			copy_fiemap_extent(&fe, ap.pages, i);
 			err = fiemap_fill_next_extent(dest, fe.fe_logical,
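
Review bot: the new bound check multiplies ofiemap.fm_mapped_extents, a count taken from the reply, by sizeof(struct fiemap_extent), and on a build where size_t is 32 bits that product can wrap and pass the test with a very large extent count. Comparing by division avoids the multiplication: "if (ofiemap.fm_mapped_extents > out_size / sizeof(struct fiemap_extent))". A comment should also say whether out_size covers only the extent array or the ofiemap header as well, since in the latter case the bound is loose by sizeof(ofiemap). The commit message does not mention this check; a sentence on why a reply claiming too many extents is rejected with -EIO would help.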

