This is an ancient bug that was never tested. For a FIEMAP request, its iochunk.size could be much larger than the size of the actual msg flying around. And its accounting weight should be PCS_CS_HOLE_WEIGHT, just like WRITE_HOLE or WRITE_ZERO, instead of its iochunk.size. Otherwise it'll make cs->in_flight overflow, crashing the kernel.
Fixes: #ASUP-1567 https://virtuozzo.atlassian.net/browse/ASUP-1567 Signed-off-by: Liu Kui <kui....@virtuozzo.com> --- fs/fuse/kio/pcs/pcs_map.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/fs/fuse/kio/pcs/pcs_map.c b/fs/fuse/kio/pcs/pcs_map.c index fc707c9dcb65..ce390ab5990c 100644 --- a/fs/fuse/kio/pcs/pcs_map.c +++ b/fs/fuse/kio/pcs/pcs_map.c @@ -1450,7 +1450,8 @@ static void pcs_cs_deaccount(struct pcs_int_request *ireq, struct pcs_cs * cs, i spin_lock(&cs->lock); if (ireq->type == PCS_IREQ_IOCHUNK) { if (ireq->iochunk.cmd == PCS_REQ_T_WRITE_HOLE || - ireq->iochunk.cmd == PCS_REQ_T_WRITE_ZERO) + ireq->iochunk.cmd == PCS_REQ_T_WRITE_ZERO || + ireq->iochunk.cmd == PCS_REQ_T_FIEMAP) cost = PCS_CS_HOLE_WEIGHT; else cost = (ireq->flags & IREQ_F_RND_WEIGHT) ? 512*1024 : cong_roundup(ireq->iochunk.size); @@ -2063,7 +2064,9 @@ static int pcs_cslist_submit_read(struct pcs_int_request *ireq, struct pcs_cs_li sreq->flags &= ~(IREQ_F_RND_WEIGHT | IREQ_F_SEQ); BUG_ON(sreq->flags & IREQ_F_SEQ_READ); - if (pcs_flow_sequential(sreq->iochunk.flow)) { + if (ireq->iochunk.cmd != PCS_REQ_T_READ) { + weight = PCS_CS_HOLE_WEIGHT; + } else if (pcs_flow_sequential(sreq->iochunk.flow)) { sreq->flags |= IREQ_F_SEQ_READ | IREQ_F_SEQ; atomic_inc(&csl->seq_read_in_flight); weight = cong_roundup(sreq->iochunk.size); -- 2.39.5 (Apple Git-154)
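Review bot: the cost predicate in the pcs_cs_deaccount hunk (@@ -1450) now enumerates three commands (PCS_REQ_T_WRITE_HOLE, PCS_REQ_T_WRITE_ZERO, PCS_REQ_T_FIEMAP), while the accounting side in the pcs_cslist_submit_read hunk uses the broader test `ireq->iochunk.cmd != PCS_REQ_T_READ`. The two predicates must stay in lockstep: any non-READ command that reaches the submit path but is not in the deaccount list would be charged PCS_CS_HOLE_WEIGHT on the way in and cong_roundup(ireq->iochunk.size) on the way out, driving cs->in_flight in the opposite direction from the bug this patch fixes. Suggest factoring a single predicate (for example a small static inline in pcs_map.c that answers "is this a hole-weight command", name to be chosen by the author) and calling it from both `pcs_cs_deaccount` and `pcs_cslist_submit_read`, so the next command type added cannot desynchronise the two.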
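Review bot: in the pcs_cslist_submit_read hunk (@@ -2063) the new branch reads `ireq->iochunk.cmd` while the lines immediately around it read `sreq->iochunk.flow` and `sreq->iochunk.size`; the weight should be derived from the same request it is applied to, so `sreq->iochunk.cmd` is the consistent choice (and behaves identically if sreq's cmd is copied from ireq). The new `weight = PCS_CS_HOLE_WEIGHT;` line also deserves a one-line comment stating the reason given in the commit message (the reply to a FIEMAP request is far smaller than iochunk.size, so charging the full size would over-account cs->in_flight), because the asymmetry with the explicit command list in pcs_cs_deaccount is not evident from the code alone.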