[Devel] [PATCH RHEL9 COMMIT] fs/fuse kio: fix NULL pointer dereference

Konstantin Khorenko khorenko at virtuozzo.com
Fri Oct 10 02:11:14 MSK 2025


The commit is pushed to "branch-rh9-5.14.0-427.77.1.vz9.86.x-ovz" and will appear at git at bitbucket.org:openvz/vzkernel.git
after rh9-5.14.0-427.77.1.vz9.86.12
------>
commit 4133ca9b024d9a2fde9bd18b2138cc164fab6302
Author: Liu Kui <kui.liu at virtuozzo.com>
Date:   Tue Sep 30 20:21:59 2025 +0800

    fs/fuse kio: fix NULL pointer dereference
    
    Avoid dereferencing the 'rpc->clnt_cs' pointer directly, as it is not
    protected: it can be set to NULL, or the memory it references could
    already have been freed.
    
    https://virtuozzo.atlassian.net/browse/VSTOR-116467
    
    Signed-off-by: Liu Kui <kui.liu at virtuozzo.com>
    Acked-by: Alexey Kuznetsov <kuznet at virtuozzo.com>
    
    Feature: vStorage
---
 fs/fuse/kio/pcs/pcs_cs.c       | 15 ++++++++-------
 fs/fuse/kio/pcs/pcs_cs.h       |  2 +-
 fs/fuse/kio/pcs/pcs_rpc_clnt.c |  2 +-
 3 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/fs/fuse/kio/pcs/pcs_cs.c b/fs/fuse/kio/pcs/pcs_cs.c
index df80d8a87796f..8c1fdce6a2f2f 100644
--- a/fs/fuse/kio/pcs/pcs_cs.c
+++ b/fs/fuse/kio/pcs/pcs_cs.c
@@ -833,13 +833,14 @@ void pcs_cs_submit(struct pcs_cs *cs, struct pcs_int_request *ireq)
 	do_cs_submit(cs, ireq);
 }
 
-void cs_handle_congestion(struct pcs_cs *cs, struct pcs_rpc_hdr *h)
+void cs_handle_congestion(struct pcs_rpc *ep, struct pcs_rpc_hdr *h)
 {
+	struct pcs_cluster_core *cc = cc_from_rpc(ep->eng);
 	struct pcs_cs *who;
 
-	FUSE_KTRACE(cc_from_csset(cs->css)->fc, "Received congestion notification from CS" NODE_FMT, NODE_ARGS(h->xid.origin));
+	FUSE_KTRACE(cc->fc, "Received congestion notification from CS" NODE_FMT, NODE_ARGS(h->xid.origin));
 
-	who = lookup_and_lock_cs(cs->css, h->xid.origin.val);
+	who = lookup_and_lock_cs(&cc->css, h->xid.origin.val);
 	if (unlikely(!who))
 		return;
 
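Review bot: Nothing in the rewritten prologue records why `ep->clnt_cs` must not be used here, which is the whole reason the parameter changed from `struct pcs_cs *` to `struct pcs_rpc *`; a later cleanup that "simplifies" the lookup back to `ep->clnt_cs->css` would silently reintroduce the NULL/use-after-free the commit message describes. I would put the rationale right above the `cc` initialisation: `/* Do not touch ep->clnt_cs: it is unprotected and may be NULL or already freed. Resolve the CS from the cluster's csset by the wire origin instead. */`. Note that `h->xid.origin` comes from the received header, so the lookup can legitimately miss; the existing `if (unlikely(!who)) return;` already handles that. The body of cs_handle_congestion continues past the end of this hunk.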
@@ -892,11 +893,11 @@ static int may_reroute(struct pcs_cs_list *csl, PCS_NODE_ID_T cs_id)
 void cs_keep_waiting(struct pcs_rpc *ep, struct pcs_msg *req, struct pcs_msg *msg)
 {
 	struct pcs_rpc_hdr *h = (struct pcs_rpc_hdr *)msg_inline_head(msg);
-	struct pcs_cs *cs = ep->clnt_cs;
+	struct pcs_cluster_core *cc = cc_from_rpc(ep->eng);
 	struct pcs_cs *who;
 
 	/* Some CS reported it cannot complete local IO in time, close congestion window */
-	who = lookup_and_lock_cs(cs->css, h->xid.origin.val);
+	who = lookup_and_lock_cs(&cc->css, h->xid.origin.val);
 	if (who) {
 		struct pcs_int_request *ireq = req->private2;
 		abs_time_t lat = 0; /* GCC bug */
@@ -908,7 +909,7 @@ void cs_keep_waiting(struct pcs_rpc *ep, struct pcs_msg *req, struct pcs_msg *ms
 		}
 
 		if (!who->cwr_state) {
-			FUSE_KTRACE(cc_from_csset(cs->css)->fc, "Congestion window on CS" NODE_FMT " reducing %d/%d/%d", NODE_ARGS(h->xid.origin),
+			FUSE_KTRACE(cc->fc, "Congestion window on CS" NODE_FMT " reducing %d/%d/%d", NODE_ARGS(h->xid.origin),
 				    who->in_flight, who->eff_cwnd, who->cwnd);
 			if (who->cwnd >= PCS_CS_INIT_CWND)
 				who->ssthresh = who->cwnd;
@@ -936,7 +937,7 @@ void cs_keep_waiting(struct pcs_rpc *ep, struct pcs_msg *req, struct pcs_msg *ms
 			    && may_reroute(ireq->iochunk.csl, h->xid.origin)) {
 				ireq->iochunk.banned_cs = h->xid.origin;
 				spin_unlock(&who->lock);
-				FUSE_KTRACE(ireq->cc->fc, "Canceling read on CS" NODE_FMT, NODE_ARGS(h->xid.origin));
+				FUSE_KTRACE(cc->fc, "Canceling read on CS" NODE_FMT, NODE_ARGS(h->xid.origin));
 				pcs_rpc_cancel_request(req);
 				return;
 			}
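Review bot: The cancel trace now reads `cc->fc`, where `cc` is derived from `ep->eng`, whereas it previously used `ireq->cc->fc`; this is presumably the same cluster core, but the hunk does not show that an ireq queued on this rpc can never belong to a different cc. If the two are always equal, a one-line comment at the point where `cc` is computed in cs_keep_waiting, `/* ireq->cc is always this cluster core, so cc->fc is used for tracing throughout */`, would make the substitution obviously safe; if they can differ, the original `ireq->cc->fc` should be kept for this trace. The enclosing function continues beyond the hunk in both directions.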
diff --git a/fs/fuse/kio/pcs/pcs_cs.h b/fs/fuse/kio/pcs/pcs_cs.h
index 1fdc502663584..c41c5cc0075e0 100644
--- a/fs/fuse/kio/pcs/pcs_cs.h
+++ b/fs/fuse/kio/pcs/pcs_cs.h
@@ -240,7 +240,7 @@ int pcs_csa_csl_write_submit_single(struct pcs_int_request * ireq, int idx);
 void pcs_csa_relay_iotimes(struct pcs_int_request * ireq,  struct pcs_cs_iohdr * h, PCS_NODE_ID_T cs_id);
 void pcs_csa_cs_detach(struct pcs_cs * cs);
 
-void cs_handle_congestion(struct pcs_cs *cs, struct pcs_rpc_hdr *h);
+void cs_handle_congestion(struct pcs_rpc *ep, struct pcs_rpc_hdr *h);
 struct pcs_msg *cs_get_hdr(struct pcs_rpc *ep, struct pcs_rpc_hdr *h);
 void cs_keep_waiting(struct pcs_rpc *ep, struct pcs_msg *req, struct pcs_msg *msg);
 
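Review bot: The new prototype for cs_handle_congestion has no comment explaining why it takes the rpc endpoint rather than a `struct pcs_cs *`, so a reader of the header cannot tell that passing `ep->clnt_cs` is unsafe. Since the only visible caller is clnt_input() on PCS_CS_CONG_NOTIFY, I would document the contract on the declaration: `/* Handle a PCS_CS_CONG_NOTIFY from clnt_input(). Takes the rpc endpoint because ep->clnt_cs is unprotected (may be NULL or freed); the CS is looked up by h->xid.origin. */`.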
diff --git a/fs/fuse/kio/pcs/pcs_rpc_clnt.c b/fs/fuse/kio/pcs/pcs_rpc_clnt.c
index eb1c3515dc3ac..e0f9acb7ed63f 100644
--- a/fs/fuse/kio/pcs/pcs_rpc_clnt.c
+++ b/fs/fuse/kio/pcs/pcs_rpc_clnt.c
@@ -23,7 +23,7 @@ static int clnt_input(struct pcs_rpc *ep, struct pcs_msg *msg)
 	switch (h->type) {
 	case PCS_CS_CONG_NOTIFY:
 		if (ep->clnt_cs)
-			cs_handle_congestion(ep->clnt_cs, h);
+			cs_handle_congestion(ep, h);
 
 		if (ep->clnt_krpc)
 			krpc_handle_congestion(ep, msg);

