[Devel] [PATCH VZ9 1/4] fs/fuse kio: do not allow getting cslist when refcnt is equal to 0

Alexey Kuznetsov kuznet at acronis.com
Wed Nov 29 13:43:46 MSK 2023


Ack to all.

Also I would add rcu_dereference to urgent_whitelist around deref of cs.

Also, could you try to figure out what is rcu_dereference_protected?
As I see it, the module uses it totally wrong, which
"will result in infrequent but very ugly failures" according to comments
to this function. :-) I do not think it is a bug, but it looks like
we used to violate some basic conventions.


On Wed, Nov 29, 2023 at 6:15 PM Yuriy Vasilev
<yuriy.vasilev at virtuozzo.com> wrote:
>
> When the refcnt of a cslist is equal to 0, it indicates that the cslist
> has been dropped and is going to be freed. In such cases, let's trigger
> a BUG_ON to prevent use after free.
>
> https://pmc.acronis.work/browse/VSTOR-76384
>
> Signed-off-by: Yuriy Vasilev <yuriy.vasilev at virtuozzo.com>
> ---
>  fs/fuse/kio/pcs/pcs_map.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/fuse/kio/pcs/pcs_map.h b/fs/fuse/kio/pcs/pcs_map.h
> index f990c9f9defa..cadc106d45c1 100644
> --- a/fs/fuse/kio/pcs/pcs_map.h
> +++ b/fs/fuse/kio/pcs/pcs_map.h
> @@ -236,7 +236,7 @@ static inline void cslist_get(struct pcs_cs_list * csl)
>  {
>         TRACE("csl:%p csl->map:%p refcnt:%d\n", csl, csl->map, atomic_read(&csl->refcnt));
>
> -       atomic_inc(&csl->refcnt);
> +       BUG_ON(!atomic_inc_not_zero(&csl->refcnt));
>  }
>
>  static inline void cslist_put(struct pcs_cs_list * csl)
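Review bot: the TRACE() two lines above the changed line still reads csl->map and csl->refcnt before the new zero check runs, so in the case the commit message describes (refcnt already 0, cslist being freed) the object is dereferenced before BUG_ON() can fire; consider moving the check ahead of the trace, and keep in mind that atomic_inc_not_zero() only catches a refcount that is still observably 0, so this is a detector for the bug, not a guarantee against use-after-free. BUG_ON() in Linux always evaluates its argument, so the increment itself is not lost, but it panics the whole node where a WARN_ON() plus a failure return would let the caller back out; if the panic is intended, the commit message should state why that is preferred over WARN_ON() here.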
> --
> 2.34.1
>