[RHEL7,COMMIT] fuse kio: Stop self-abuse of rpc counter in rpc_queue_work()

Submitted by Konstantin Khorenko on Oct. 18, 2018, 12:01 p.m.


Message ID 201810181201.w9IC1XGq030032@finist-ce7.sw.ru
State New
Series "Order rpc destroy with rpc_queue_work()"
Headers show

Commit Message

Konstantin Khorenko Oct. 18, 2018, 12:01 p.m.
The commit is pushed to "branch-rh7-3.10.0-862.14.4.vz7.72.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-862.14.4.vz7.72.11
commit ccd016fb513cd6ec799953585da61ba53b42d075
Author: Kirill Tkhai <ktkhai@virtuozzo.com>
Date:   Thu Oct 18 15:01:33 2018 +0300

    fuse kio: Stop self-abuse of rpc counter in rpc_queue_work()
    These useless get and put do not protect from anything,
    since the work may become executing after last user put
    counter in parallel. Remove them to avoid shooting of
    BUG_ON() in pcs_rpc_get().
    Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
    Reviewed-by: Pavel Butsykin <pbutsykin@virtuozzo.com>
    Patchset description:
    Order rpc destroy with rpc_queue_work()
    Prevents use-after-free from work function.
    Kirill Tkhai (3):
          fuse kio: Stop self-abuse of rpc counter in rpc_queue_work()
          fuse kio: Check for null ep in pcs_rpc_deaccount_msg()
          fuse kio: Move abort & destroy block up in pcs_rpc_send()
    Pavel Butsykin (1):
          fs/fuse kio_pcs: flush rpc work inside pcs_rpc_destroy()
 fs/fuse/kio/pcs/pcs_rpc.c | 3 ---
 1 file changed, 3 deletions(-)

Patch hide | download patch | download mbox

diff --git a/fs/fuse/kio/pcs/pcs_rpc.c b/fs/fuse/kio/pcs/pcs_rpc.c
index 7ef69a842ce8..27156a507a84 100644
--- a/fs/fuse/kio/pcs/pcs_rpc.c
+++ b/fs/fuse/kio/pcs/pcs_rpc.c
@@ -847,7 +847,6 @@  static void rpc_queue_work(struct work_struct *w)
 	struct pcs_rpc *ep = pcs_rpc_from_work(w);
 	int repeat;
-	pcs_rpc_get(ep);
 	list_splice_tail_init(&ep->input_queue, &input_q);
@@ -893,8 +892,6 @@  static void rpc_queue_work(struct work_struct *w)
 	if (repeat)
 		goto again;
-	pcs_rpc_put(ep);
 struct pcs_rpc * pcs_rpc_alloc_ep(void)