When the refcnt of a cslist is equal to 0, it indicates that the cslist has been dropped and is going to be freed. In such cases, let's trigger a BUG_ON to prevent use after free.
https://pmc.acronis.work/browse/VSTOR-76384 Signed-off-by: Yuriy Vasilev <yuriy.vasi...@virtuozzo.com> --- fs/fuse/kio/pcs/pcs_map.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/fuse/kio/pcs/pcs_map.c b/fs/fuse/kio/pcs/pcs_map.c index dcab125797b4..8f7dcb311f9f 100644 --- a/fs/fuse/kio/pcs/pcs_map.c +++ b/fs/fuse/kio/pcs/pcs_map.c @@ -91,7 +91,7 @@ static inline void cslist_get(struct pcs_cs_list * csl) { TRACE("csl:%p csl->map:%p refcnt:%d\n", csl, csl->map, atomic_read(&csl->refcnt)); - atomic_inc(&csl->refcnt); + BUG_ON(!atomic_inc_not_zero(&csl->refcnt)); } static inline void cslist_put(struct pcs_cs_list * csl) { -- 2.34.1 _______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
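Review bot: In cslist_get(), the reference increment is now a side effect of the BUG_ON() condition, so the only statement that takes the reference reads like a pure assertion. Consider separating the two, for example `if (!atomic_inc_not_zero(&csl->refcnt)) BUG();`, or storing the result in a local and asserting on that, so the increment stays visible to anyone auditing get/put pairing. The check only catches a caller that arrives while refcnt is exactly 0. If the cslist has already been freed and its memory reused, the counter can read non-zero and the get will still succeed, so the commit message would be more accurate describing this as detection of a get on a dropped list rather than prevention of use after free. The TRACE() line above still prints the pre-increment value, which is useful here since it will log refcnt:0 right before the BUG. It would also help to say in the commit message which path in VSTOR-76384 reached cslist_get() with a zero count, since the assertion turns that path into a crash and does not fix the caller.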