Acknowledged On Fri, May 30, 2025 at 7:41 AM Liu Kui <kui....@virtuozzo.com> wrote: > > This is an ancient bug that was never tested. For FIEMAP request, > its iochunk.size could be much larger than the size of actual msg > flying around. And its accounting weight should be PCS_CS_HOLE_WEIGHT, > just like WRITE_HOLE or WRITE_ZERO, instead of its iochunk.size. > Otherwise it'll make cs->in_flight overflow, crashing the kernel. > > Fixes: #ASUP-1567 > https://virtuozzo.atlassian.net/browse/ASUP-1567 > > Signed-off-by: Liu Kui <kui....@virtuozzo.com> > --- > fs/fuse/kio/pcs/pcs_map.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/fs/fuse/kio/pcs/pcs_map.c b/fs/fuse/kio/pcs/pcs_map.c > index fc707c9dcb65..ce390ab5990c 100644 > --- a/fs/fuse/kio/pcs/pcs_map.c > +++ b/fs/fuse/kio/pcs/pcs_map.c > @@ -1450,7 +1450,8 @@ static void pcs_cs_deaccount(struct pcs_int_request > *ireq, struct pcs_cs * cs, i > spin_lock(&cs->lock); > if (ireq->type == PCS_IREQ_IOCHUNK) { > if (ireq->iochunk.cmd == PCS_REQ_T_WRITE_HOLE || > - ireq->iochunk.cmd == PCS_REQ_T_WRITE_ZERO) > + ireq->iochunk.cmd == PCS_REQ_T_WRITE_ZERO || > + ireq->iochunk.cmd == PCS_REQ_T_FIEMAP) > cost = PCS_CS_HOLE_WEIGHT; > else > cost = (ireq->flags & IREQ_F_RND_WEIGHT) ? 512*1024 : > cong_roundup(ireq->iochunk.size); > @@ -2063,7 +2064,9 @@ static int pcs_cslist_submit_read(struct > pcs_int_request *ireq, struct pcs_cs_li > > sreq->flags &= ~(IREQ_F_RND_WEIGHT | IREQ_F_SEQ); > BUG_ON(sreq->flags & IREQ_F_SEQ_READ); > - if (pcs_flow_sequential(sreq->iochunk.flow)) { > + if (ireq->iochunk.cmd != PCS_REQ_T_READ) { > + weight = PCS_CS_HOLE_WEIGHT; > + } else if (pcs_flow_sequential(sreq->iochunk.flow)) { > sreq->flags |= IREQ_F_SEQ_READ | IREQ_F_SEQ; > atomic_inc(&csl->seq_read_in_flight); > weight = cong_roundup(sreq->iochunk.size); > -- > 2.39.5 (Apple Git-154)
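Review bot: in the pcs_cs_deaccount hunk, the hole-weight condition is an explicit list of three commands (WRITE_HOLE, WRITE_ZERO, FIEMAP), while the charge side in pcs_cslist_submit_read selects PCS_CS_HOLE_WEIGHT with `ireq->iochunk.cmd != PCS_REQ_T_READ`. The two predicates agree only as long as every non-READ command that reaches the read path is also in this list. Any other command would be charged PCS_CS_HOLE_WEIGHT and released at cong_roundup(ireq->iochunk.size) or 512*1024, which is the same kind of cs->in_flight imbalance the commit message describes. Consider one shared helper that returns the weight for a request and is called from both the account and the deaccount path.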
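Review bot: in the pcs_cslist_submit_read hunk, the new test reads `ireq->iochunk.cmd` while every neighbouring line (flags, iochunk.flow, iochunk.size) works on `sreq`. If sreq can differ from ireq here, please test `sreq->iochunk.cmd` so the charge is decided from the same request that pcs_cs_deaccount later inspects, or state in a comment that the two always carry the same cmd. A short comment on why non-READ requests on the read path take PCS_CS_HOLE_WEIGHT would also help, since the commit message says this path was never tested.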
_______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel