[RHEL7,COMMIT] fuse kio: Stop self-abuse of rpc counter in rpc_queue_work()

Submitted by Konstantin Khorenko on Oct. 18, 2018, 12:01 p.m.

Details

Message ID 201810181201.w9IC1XGq030032@finist-ce7.sw.ru
State New
Series "Order rpc destroy with rpc_queue_work()"
Commit Message

Konstantin Khorenko Oct. 18, 2018, 12:01 p.m.
The commit is pushed to "branch-rh7-3.10.0-862.14.4.vz7.72.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-862.14.4.vz7.72.11
------>
commit ccd016fb513cd6ec799953585da61ba53b42d075
Author: Kirill Tkhai <ktkhai@virtuozzo.com>
Date:   Thu Oct 18 15:01:33 2018 +0300

    fuse kio: Stop self-abuse of rpc counter in rpc_queue_work()
    
    These useless get and put do not protect from anything,
    since the work may become executing after last user put
    counter in parallel. Remove them to avoid shooting of
    BUG_ON() in pcs_rpc_get().
    
    Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
    Reviewed-by: Pavel Butsykin <pbutsykin@virtuozzo.com>
    
    =====================
    Patchset description:
    
    Order rpc destroy with rpc_queue_work()
    
    Prevents use-after-free from work function.
    
    https://pmc.acronis.com/browse/VSTOR-16236
    
    Kirill Tkhai (3):
          fuse kio: Stop self-abuse of rpc counter in rpc_queue_work()
          fuse kio: Check for null ep in pcs_rpc_deaccount_msg()
          fuse kio: Move abort & destroy block up in pcs_rpc_send()
    
    Pavel Butsykin (1):
          fs/fuse kio_pcs: flush rpc work inside pcs_rpc_destroy()
---
 fs/fuse/kio/pcs/pcs_rpc.c | 3 ---
 1 file changed, 3 deletions(-)

Patch

diff --git a/fs/fuse/kio/pcs/pcs_rpc.c b/fs/fuse/kio/pcs/pcs_rpc.c
index 7ef69a842ce8..27156a507a84 100644
--- a/fs/fuse/kio/pcs/pcs_rpc.c
+++ b/fs/fuse/kio/pcs/pcs_rpc.c
@@ -847,7 +847,6 @@  static void rpc_queue_work(struct work_struct *w)
 	struct pcs_rpc *ep = pcs_rpc_from_work(w);
 	int repeat;
 
-	pcs_rpc_get(ep);
 again:
 	spin_lock(&ep->q_lock);
 	list_splice_tail_init(&ep->input_queue, &input_q);
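
Review bot: with pcs_rpc_get(ep) gone from the top of rpc_queue_work(), the function takes ep->q_lock and splices ep->input_queue without holding any reference of its own, and nothing in this hunk says what keeps ep alive. The commit message concedes the old get could not help because the last put may already have happened, so the lifetime guarantee has to come from the destroy side (the series lists "flush rpc work inside pcs_rpc_destroy()" as a separate patch). Please add a short comment above rpc_queue_work() stating that the work must be flushed or cancelled before ep is freed, so the invariant is documented where it is relied upon and a later change to the destroy path does not silently reintroduce the use-after-free.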
@@ -893,8 +892,6 @@  static void rpc_queue_work(struct work_struct *w)
 	mutex_unlock(&ep->mutex);
 	if (repeat)
 		goto again;
-	pcs_rpc_put(ep);
-
 }
 
 struct pcs_rpc * pcs_rpc_alloc_ep(void)
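
Review bot: at the tail of rpc_queue_work(), the `if (repeat) goto again;` path after mutex_unlock(&ep->mutex) re-enters the loop and touches ep again, so ep has to stay valid across every iteration, not just a single pass. Removing pcs_rpc_put(ep) together with the get keeps the refcount balanced, which is fine, but the commit message only says the pair "do not protect from anything" and mentions a BUG_ON() in pcs_rpc_get() without giving the condition or a call trace. Suggest naming in the message the patch of this series that actually orders destroy against the work, and including the BUG_ON trace, so someone backporting this patch alone understands it removes a crash trigger and does not by itself close the race.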