[RHEL7,COMMIT] fuse kio: Check for null ep in pcs_rpc_deaccount_msg()

Submitted by Konstantin Khorenko on Oct. 18, 2018, 12:01 p.m.

Details

Message ID 201810181201.w9IC1XfJ030088@finist-ce7.sw.ru
State New
Series "Order rpc destroy with rpc_queue_work()"
Headers show

Commit Message

Konstantin Khorenko Oct. 18, 2018, 12:01 p.m.
The commit is pushed to "branch-rh7-3.10.0-862.14.4.vz7.72.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-862.14.4.vz7.72.11
------>
commit f50eded8e1d0427cd2aa5b9885cde8cae60de5be
Author: Kirill Tkhai <ktkhai@virtuozzo.com>
Date:   Thu Oct 18 15:01:33 2018 +0300

    fuse kio: Check for null ep in pcs_rpc_deaccount_msg()
    
    This is the only msg->done() callback related function,
    which does not check for ep != NULL. Despite all the
    creators of a msg with such msg->destruct() method
    (it's called in order msg->done --> msg->destruct())
    take ep counter before they create such type the msg,
    add a explicit check for that to catch hidden msg
    cloning and other not obvious actions on msg.
    
    Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
    Reviewed-by: Pavel Butsykin <pbutsykin@virtuozzo.com>
    
    =====================
    Patchset description:
    
    Order rpc destroy with rpc_queue_work()
    
    Prevents use-after-free from work function.
    
    https://pmc.acronis.com/browse/VSTOR-16236
    
    Kirill Tkhai (3):
          fuse kio: Stop self-abuse of rpc counter in rpc_queue_work()
          fuse kio: Check for null ep in pcs_rpc_deaccount_msg()
          fuse kio: Move abort & destroy block up in pcs_rpc_send()
    
    Pavel Butsykin (1):
          fs/fuse kio_pcs: flush rpc work inside pcs_rpc_destroy()
---
 fs/fuse/kio/pcs/pcs_rpc.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Patch hide | download patch | download mbox

diff --git a/fs/fuse/kio/pcs/pcs_rpc.c b/fs/fuse/kio/pcs/pcs_rpc.c
index 27156a507a84..8c76bb44f0a2 100644
--- a/fs/fuse/kio/pcs/pcs_rpc.c
+++ b/fs/fuse/kio/pcs/pcs_rpc.c
@@ -1083,7 +1083,10 @@  static int rpc_check_memlimit(struct pcs_rpc * ep)
 
 void pcs_rpc_deaccount_msg(struct pcs_msg * msg)
 {
-	struct pcs_rpc * ep = msg->rpc;
+	struct pcs_rpc *ep = msg->rpc;
+
+	if (WARN_ON_ONCE(!ep))
+		return;
 
 	msg->rpc = NULL;
 	ep->eng->msg_count--;