[Devel] [PATCH] fs/fuse kio: missed clean di->size.op in failed shrink request

2018-12-14 Thread Pavel Butsykin
The state di->size.op is set to PCS_SIZE_SHRINK in order to postpone all read
requests during shrink request execution. But if the shrink request fails in
__fuse_request_send(), then di->size.op is never cleaned up and it remains
PCS_SIZE_SHRINK forever, and pending read requests can remain hanging
indefinitely.

To fix this we can reuse req->end, which is actually _pcs_shrink_end() and
already has everything we need to clean up the shrink request.

There is no need to make a similar fix for ms, since the req->end callback is
nowhere used for sync (non-background) requests except in kio.

#VSTOR-18947

Signed-off-by: Pavel Butsykin 
---
 fs/fuse/dev.c  | 4 
 fs/fuse/kio/pcs/pcs_fuse_kdirect.c | 5 +++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index ce75d218025b..6fcbb117aa9c 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -543,9 +543,13 @@ static void __fuse_request_send(struct fuse_conn *fc, 
struct fuse_req *req,
if (!fiq->connected) {
spin_unlock(>waitq.lock);
req->out.h.error = -ENOTCONN;
+   if (req->end)
+   req->end(fc, req);
} else if (ff && test_bit(FUSE_S_FAIL_IMMEDIATELY, >ff_state)) {
spin_unlock(>waitq.lock);
req->out.h.error = -EIO;
+   if (req->end)
+   req->end(fc, req);
} else {
req->in.h.unique = fuse_get_unique(fiq);
queue_request(fiq, req);
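Review bot: the two new `if (req->end) req->end(fc, req);` blocks in the -ENOTCONN and -EIO branches are identical; consider hoisting them into a single block after the if/else chain, guarded by `req->out.h.error`, so a future failure branch cannot forget the callback. Also note that this relies on the commit message's claim that no other caller invokes req->end for sync requests; if one ever did, the callback (here _pcs_shrink_end()) would run twice for the same request on these paths, so a one-line comment at the call site stating that req->end is owned by the failure path for sync requests would document that invariant.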
diff --git a/fs/fuse/kio/pcs/pcs_fuse_kdirect.c 
b/fs/fuse/kio/pcs/pcs_fuse_kdirect.c
index 3b1d819792b2..de54fedeb5e4 100644
--- a/fs/fuse/kio/pcs/pcs_fuse_kdirect.c
+++ b/fs/fuse/kio/pcs/pcs_fuse_kdirect.c
@@ -992,8 +992,9 @@ static void kpcs_setattr_end(struct fuse_conn *fc, struct 
fuse_req *req)
u64 old_size;
 
BUG_ON(req->in.h.opcode != FUSE_SETATTR);
-   TRACE("update size: ino:%lu old_sz:%lld new:%lld\n",
- req->io_inode->i_ino, di->fileinfo.attr.size, outarg->attr.size);
+   TRACE("update size: ino:%lu old_sz:%lld new:%lld, error: %d\n",
+ req->io_inode->i_ino, di->fileinfo.attr.size, outarg->attr.size,
+ req->out.h.error);
 
if (req->out.h.error)
goto fail;
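Review bot: with req->end now invoked from the failure branches of __fuse_request_send(), kpcs_setattr_end() is entered with req->out.h.error already set and no reply ever written, so the TRACE at the top reads `outarg->attr.size` from a reply buffer that was never filled in. Consider moving the TRACE below the `if (req->out.h.error) goto fail;` check, or logging only `req->out.h.error` in the failure case, so the trace does not report a stale or uninitialised "new" size for a request that failed before being queued.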
-- 
2.15.1

___
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel


[Devel] [PATCH RH7] vhost: do not try to access device IOTLB when not initialized

2018-12-14 Thread Pavel Tikhomirov
We get a GPF when KASAN checks umem->umem_tree before it is dereferenced
later in vhost_umem_interval_tree_iter_first, and it is zero.

https://jira.sw.ru/browse/PSBM-90313

MS commit 6f3180afbb22 ("vhost: do not try to access device IOTLB when
not initialized")

The code will try to access dev->iotlb when processing
VHOST_IOTLB_INVALIDATE even if it was not initialized, which may lead
to a NULL pointer dereference. Fix this by checking dev->iotlb before.

Fixes: 6b1e6cc7855b0 ("vhost: new device IOTLB API")
Signed-off-by: Jason Wang 
Acked-by: Michael S. Tsirkin 
Signed-off-by: David S. Miller 
Signed-off-by: Pavel Tikhomirov 
---
 drivers/vhost/vhost.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
index 412585876c38..9828070ef279 100644
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -997,6 +997,10 @@ static int vhost_process_iotlb_msg(struct vhost_dev *dev,
vhost_iotlb_notify_vq(dev, msg);
break;
case VHOST_IOTLB_INVALIDATE:
+   if (!dev->iotlb) {
+   ret = -EFAULT;
+   break;
+   }
vhost_vq_meta_reset(dev);
vhost_del_umem_range(dev->iotlb, msg->iova,
 msg->iova + msg->size - 1);
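Review bot: the new `if (!dev->iotlb)` guard returns -EFAULT, which should match whatever the VHOST_IOTLB_UPDATE case returns for the same missing-iotlb condition so userspace sees a consistent error for both message types; the hunk context does not show that case, so please confirm. Please also confirm that this read of dev->iotlb is performed under the same lock that guards the iotlb's initialization and teardown, since the check is only meaningful if the pointer cannot be cleared between this test and the `vhost_del_umem_range(dev->iotlb, ...)` call that follows.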
-- 
2.17.1