The commit is pushed to "branch-rh10-6.12.0-55.13.1.2.x.vz10-ovz" and will
appear at [email protected]:openvz/vzkernel.git
after rh10-6.12.0-55.13.1.2.9.vz10
------>
commit 6ad8f969e0b7cccff484de59c7b373d0d85a50f5
Author: Liu Kui <[email protected]>
Date: Tue Sep 30 20:21:59 2025 +0800
fs/fuse kio: fix NULL pointer dereference
Avoid dereferencing the 'rpc->clnt_cs' pointer directly as it is not
protected. It can be set to NULL, or the referenced memory could
have been freed.
https://virtuozzo.atlassian.net/browse/VSTOR-116467
Signed-off-by: Liu Kui <[email protected]>
Acked-by: Alexey Kuznetsov <[email protected]>
Feature: vStorage
---
fs/fuse/kio/pcs/pcs_cs.c | 15 ++++++++-------
fs/fuse/kio/pcs/pcs_cs.h | 2 +-
fs/fuse/kio/pcs/pcs_rpc_clnt.c | 2 +-
3 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/fs/fuse/kio/pcs/pcs_cs.c b/fs/fuse/kio/pcs/pcs_cs.c
index dc1c80507fee9..5b8b7b2f9a26b 100644
--- a/fs/fuse/kio/pcs/pcs_cs.c
+++ b/fs/fuse/kio/pcs/pcs_cs.c
@@ -833,13 +833,14 @@ void pcs_cs_submit(struct pcs_cs *cs, struct
pcs_int_request *ireq)
do_cs_submit(cs, ireq);
}
-void cs_handle_congestion(struct pcs_cs *cs, struct pcs_rpc_hdr *h)
+void cs_handle_congestion(struct pcs_rpc *ep, struct pcs_rpc_hdr *h)
{
+ struct pcs_cluster_core *cc = cc_from_rpc(ep->eng);
struct pcs_cs *who;
- FUSE_KTRACE(cc_from_csset(cs->css)->fc, "Received congestion
notification from CS" NODE_FMT, NODE_ARGS(h->xid.origin));
+ FUSE_KTRACE(cc->fc, "Received congestion notification from CS"
NODE_FMT, NODE_ARGS(h->xid.origin));
- who = lookup_and_lock_cs(cs->css, h->xid.origin.val);
+ who = lookup_and_lock_cs(&cc->css, h->xid.origin.val);
if (unlikely(!who))
return;
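Review bot: The new `cc = cc_from_rpc(ep->eng)` line carries no comment explaining why the cluster core is now resolved through the endpoint's engine instead of through a CS pointer, although that is the whole reason for the signature change. I would add above it `/* Resolve the cluster core via ep->eng; ep->clnt_cs is unprotected and may be NULL or already freed, so it must not be dereferenced here. */`. The same comment applies to the matching `cc = cc_from_rpc(ep->eng)` line in the cs_keep_waiting hunk below. cs_handle_congestion's body continues past the end of this hunk.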
@@ -892,11 +893,11 @@ static int may_reroute(struct pcs_cs_list *csl,
PCS_NODE_ID_T cs_id)
void cs_keep_waiting(struct pcs_rpc *ep, struct pcs_msg *req, struct pcs_msg
*msg)
{
struct pcs_rpc_hdr *h = (struct pcs_rpc_hdr *)msg_inline_head(msg);
- struct pcs_cs *cs = ep->clnt_cs;
+ struct pcs_cluster_core *cc = cc_from_rpc(ep->eng);
struct pcs_cs *who;
/* Some CS reported it cannot complete local IO in time, close
congestion window */
- who = lookup_and_lock_cs(cs->css, h->xid.origin.val);
+ who = lookup_and_lock_cs(&cc->css, h->xid.origin.val);
if (who) {
struct pcs_int_request *ireq = req->private2;
abs_time_t lat = 0; /* GCC bug */
@@ -908,7 +909,7 @@ void cs_keep_waiting(struct pcs_rpc *ep, struct pcs_msg
*req, struct pcs_msg *ms
}
if (!who->cwr_state) {
- FUSE_KTRACE(cc_from_csset(cs->css)->fc, "Congestion
window on CS" NODE_FMT " reducing %d/%d/%d", NODE_ARGS(h->xid.origin),
+ FUSE_KTRACE(cc->fc, "Congestion window on CS" NODE_FMT
" reducing %d/%d/%d", NODE_ARGS(h->xid.origin),
who->in_flight, who->eff_cwnd, who->cwnd);
if (who->cwnd >= PCS_CS_INIT_CWND)
who->ssthresh = who->cwnd;
@@ -936,7 +937,7 @@ void cs_keep_waiting(struct pcs_rpc *ep, struct pcs_msg
*req, struct pcs_msg *ms
&& may_reroute(ireq->iochunk.csl, h->xid.origin)) {
ireq->iochunk.banned_cs = h->xid.origin;
spin_unlock(&who->lock);
- FUSE_KTRACE(ireq->cc->fc, "Canceling read on
CS" NODE_FMT, NODE_ARGS(h->xid.origin));
+ FUSE_KTRACE(cc->fc, "Canceling read on CS"
NODE_FMT, NODE_ARGS(h->xid.origin));
pcs_rpc_cancel_request(req);
return;
}
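Review bot: The cancel trace on the rewritten FUSE_KTRACE line now reads `cc->fc` where it previously read `ireq->cc->fc`; unlike the other trace changes in this file, this swaps one source of the cluster core for another rather than removing a `cs->css` dereference. That is equivalent only if `ireq->cc` always refers to the same core as `cc_from_rpc(ep->eng)`, which the hunk does not show; if that is guaranteed, a short comment at the line or a sentence in the commit message would make clear the substitution is deliberate. cs_keep_waiting's body continues outside this hunk.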
diff --git a/fs/fuse/kio/pcs/pcs_cs.h b/fs/fuse/kio/pcs/pcs_cs.h
index 1fdc502663584..c41c5cc0075e0 100644
--- a/fs/fuse/kio/pcs/pcs_cs.h
+++ b/fs/fuse/kio/pcs/pcs_cs.h
@@ -240,7 +240,7 @@ int pcs_csa_csl_write_submit_single(struct pcs_int_request
* ireq, int idx);
void pcs_csa_relay_iotimes(struct pcs_int_request * ireq, struct pcs_cs_iohdr
* h, PCS_NODE_ID_T cs_id);
void pcs_csa_cs_detach(struct pcs_cs * cs);
-void cs_handle_congestion(struct pcs_cs *cs, struct pcs_rpc_hdr *h);
+void cs_handle_congestion(struct pcs_rpc *ep, struct pcs_rpc_hdr *h);
struct pcs_msg *cs_get_hdr(struct pcs_rpc *ep, struct pcs_rpc_hdr *h);
void cs_keep_waiting(struct pcs_rpc *ep, struct pcs_msg *req, struct pcs_msg
*msg);
diff --git a/fs/fuse/kio/pcs/pcs_rpc_clnt.c b/fs/fuse/kio/pcs/pcs_rpc_clnt.c
index 078cd4e16dc84..df1b1a9baca89 100644
--- a/fs/fuse/kio/pcs/pcs_rpc_clnt.c
+++ b/fs/fuse/kio/pcs/pcs_rpc_clnt.c
@@ -23,7 +23,7 @@ static int clnt_input(struct pcs_rpc *ep, struct pcs_msg *msg)
switch (h->type) {
case PCS_CS_CONG_NOTIFY:
if (ep->clnt_cs)
- cs_handle_congestion(ep->clnt_cs, h);
+ cs_handle_congestion(ep, h);
if (ep->clnt_krpc)
krpc_handle_congestion(ep, msg);
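Review bot: The guard `if (ep->clnt_cs)` on the line above the changed call still reads the pointer the commit message describes as unprotected; it no longer dereferences it, but the test itself remains racy, so it should be documented as a hint rather than a guarantee, e.g. `/* clnt_cs is read unlocked: a hint that this endpoint serves a CS, never dereferenced here */`. clnt_input starts before and continues after this hunk.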