[Devel] [PATCH VZ9] fs/fuse kio: fix NULL pointer dereference

Alexey Kuznetsov kuznet at virtuozzo.com
Tue Sep 30 19:21:04 MSK 2025


Ack. Looks safe and the danger is real.

On Tue, Sep 30, 2025 at 8:26 PM Liu Kui <kui.liu at virtuozzo.com> wrote:
>
> Avoid dereferencing the 'rpc->clnt_cs' pointer directly, as it is not
> protected: it can be set to NULL, or the memory it references could
> have been freed.
>
> Relates to: #VSTOR-116467
> https://virtuozzo.atlassian.net/browse/VSTOR-116467
>
> Signed-off-by: Liu Kui <kui.liu at virtuozzo.com>
> ---
>  fs/fuse/kio/pcs/pcs_cs.c       | 15 ++++++++-------
>  fs/fuse/kio/pcs/pcs_cs.h       |  2 +-
>  fs/fuse/kio/pcs/pcs_rpc_clnt.c |  2 +-
>  3 files changed, 10 insertions(+), 9 deletions(-)
>
> diff --git a/fs/fuse/kio/pcs/pcs_cs.c b/fs/fuse/kio/pcs/pcs_cs.c
> index df80d8a87796..8c1fdce6a2f2 100644
> --- a/fs/fuse/kio/pcs/pcs_cs.c
> +++ b/fs/fuse/kio/pcs/pcs_cs.c
> @@ -833,13 +833,14 @@ void pcs_cs_submit(struct pcs_cs *cs, struct pcs_int_request *ireq)
>         do_cs_submit(cs, ireq);
>  }
>
> -void cs_handle_congestion(struct pcs_cs *cs, struct pcs_rpc_hdr *h)
> +void cs_handle_congestion(struct pcs_rpc *ep, struct pcs_rpc_hdr *h)
>  {
> +       struct pcs_cluster_core *cc = cc_from_rpc(ep->eng);
>         struct pcs_cs *who;
>
> -       FUSE_KTRACE(cc_from_csset(cs->css)->fc, "Received congestion notification from CS" NODE_FMT, NODE_ARGS(h->xid.origin));
> +       FUSE_KTRACE(cc->fc, "Received congestion notification from CS" NODE_FMT, NODE_ARGS(h->xid.origin));
>
> -       who = lookup_and_lock_cs(cs->css, h->xid.origin.val);
> +       who = lookup_and_lock_cs(&cc->css, h->xid.origin.val);
>         if (unlikely(!who))
>                 return;
>
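Review bot: The reworked cs_handle_congestion gives no hint why it now takes the endpoint instead of the CS: the only use of `ep` is `cc_from_rpc(ep->eng)`, and the CS being throttled is resolved by `h->xid.origin` through lookup_and_lock_cs, so a later reader could easily "simplify" it back to `ep->clnt_cs`. A short comment above the definition would pin the contract: `/* ep is only used to reach the cluster core; the CS is looked up from h->xid.origin under its own lock, never via ep->clnt_cs, which is not protected */`. Whether `ep->eng` is stable for the whole call is not visible in the hunk; presumably it is, since the message is being handled on that endpoint, but it is worth confirming. The function body continues past the hunk, and cs_keep_waiting below uses the same construction and would benefit from the same comment.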
> @@ -892,11 +893,11 @@ static int may_reroute(struct pcs_cs_list *csl, PCS_NODE_ID_T cs_id)
>  void cs_keep_waiting(struct pcs_rpc *ep, struct pcs_msg *req, struct pcs_msg *msg)
>  {
>         struct pcs_rpc_hdr *h = (struct pcs_rpc_hdr *)msg_inline_head(msg);
> -       struct pcs_cs *cs = ep->clnt_cs;
> +       struct pcs_cluster_core *cc = cc_from_rpc(ep->eng);
>         struct pcs_cs *who;
>
>         /* Some CS reported it cannot complete local IO in time, close congestion window */
> -       who = lookup_and_lock_cs(cs->css, h->xid.origin.val);
> +       who = lookup_and_lock_cs(&cc->css, h->xid.origin.val);
>         if (who) {
>                 struct pcs_int_request *ireq = req->private2;
>                 abs_time_t lat = 0; /* GCC bug */
> @@ -908,7 +909,7 @@ void cs_keep_waiting(struct pcs_rpc *ep, struct pcs_msg *req, struct pcs_msg *ms
>                 }
>
>                 if (!who->cwr_state) {
> -                       FUSE_KTRACE(cc_from_csset(cs->css)->fc, "Congestion window on CS" NODE_FMT " reducing %d/%d/%d", NODE_ARGS(h->xid.origin),
> +                       FUSE_KTRACE(cc->fc, "Congestion window on CS" NODE_FMT " reducing %d/%d/%d", NODE_ARGS(h->xid.origin),
>                                     who->in_flight, who->eff_cwnd, who->cwnd);
>                         if (who->cwnd >= PCS_CS_INIT_CWND)
>                                 who->ssthresh = who->cwnd;
> @@ -936,7 +937,7 @@ void cs_keep_waiting(struct pcs_rpc *ep, struct pcs_msg *req, struct pcs_msg *ms
>                             && may_reroute(ireq->iochunk.csl, h->xid.origin)) {
>                                 ireq->iochunk.banned_cs = h->xid.origin;
>                                 spin_unlock(&who->lock);
> -                               FUSE_KTRACE(ireq->cc->fc, "Canceling read on CS" NODE_FMT, NODE_ARGS(h->xid.origin));
> +                               FUSE_KTRACE(cc->fc, "Canceling read on CS" NODE_FMT, NODE_ARGS(h->xid.origin));
>                                 pcs_rpc_cancel_request(req);
>                                 return;
>                         }
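Review bot: The trace line changed from `ireq->cc->fc` to `cc->fc` is not needed for the NULL-dereference fix, and it is behaviour-preserving only if `ireq->cc` is the same cluster core as `cc_from_rpc(ep->eng)`; nothing in the hunk establishes that. Either keep `FUSE_KTRACE(ireq->cc->fc, "Canceling read on CS" NODE_FMT, NODE_ARGS(h->xid.origin));` here or state in the commit message that the two are always identical so the change is understood as a cleanup rather than a functional one. cs_keep_waiting begins and ends outside this hunk.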
> diff --git a/fs/fuse/kio/pcs/pcs_cs.h b/fs/fuse/kio/pcs/pcs_cs.h
> index 1fdc50266358..c41c5cc0075e 100644
> --- a/fs/fuse/kio/pcs/pcs_cs.h
> +++ b/fs/fuse/kio/pcs/pcs_cs.h
> @@ -240,7 +240,7 @@ int pcs_csa_csl_write_submit_single(struct pcs_int_request * ireq, int idx);
>  void pcs_csa_relay_iotimes(struct pcs_int_request * ireq,  struct pcs_cs_iohdr * h, PCS_NODE_ID_T cs_id);
>  void pcs_csa_cs_detach(struct pcs_cs * cs);
>
> -void cs_handle_congestion(struct pcs_cs *cs, struct pcs_rpc_hdr *h);
> +void cs_handle_congestion(struct pcs_rpc *ep, struct pcs_rpc_hdr *h);
>  struct pcs_msg *cs_get_hdr(struct pcs_rpc *ep, struct pcs_rpc_hdr *h);
>  void cs_keep_waiting(struct pcs_rpc *ep, struct pcs_msg *req, struct pcs_msg *msg);
>
> diff --git a/fs/fuse/kio/pcs/pcs_rpc_clnt.c b/fs/fuse/kio/pcs/pcs_rpc_clnt.c
> index eb1c3515dc3a..e0f9acb7ed63 100644
> --- a/fs/fuse/kio/pcs/pcs_rpc_clnt.c
> +++ b/fs/fuse/kio/pcs/pcs_rpc_clnt.c
> @@ -23,7 +23,7 @@ static int clnt_input(struct pcs_rpc *ep, struct pcs_msg *msg)
>         switch (h->type) {
>         case PCS_CS_CONG_NOTIFY:
>                 if (ep->clnt_cs)
> -                       cs_handle_congestion(ep->clnt_cs, h);
> +                       cs_handle_congestion(ep, h);
>
>                 if (ep->clnt_krpc)
>                         krpc_handle_congestion(ep, msg);
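Review bot: The `if (ep->clnt_cs)` gate still reads the unprotected pointer the commit message describes; the patch removes the dereference, but the reason the bare read is tolerable (it is used only as a flag, and a stale value at worst leads to a lookup by origin that fails in the callee) is left implicit. Suggest documenting it so the check is not later turned back into a dereference: `/* clnt_cs is read unlocked and used only as a flag; it may be cleared concurrently, so cs_handle_congestion resolves the CS from h->xid.origin instead */` above the `if`. clnt_input starts and ends outside the hunk, so whether any lock is held around the switch is not visible here.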
> --
> 2.39.5 (Apple Git-154)


