Re: [Virtio-fs] [PATCH] virtio-fs: fix kill_sb panic

[Vivek Goyal <vgoyal@redhat.com>]

On Thu, Jun 06, 2019 at 02:52:47PM +0800, Peng Tao wrote:
> ->kill_sb might be called when mount fails, in which case
> sb->s_fs_info is NULL and virtio-fs will panic like:
> 
> [ 1493.415267] BUG: unable to handle kernel NULL pointer dereference at 0000000000000148
> [ 1493.416881] #PF error: [normal kernel read fault]
> [ 1493.417785] PGD 0 P4D 0
> [ 1493.418284] Oops: 0000 [#1] SMP PTI
> [ 1493.418968] CPU: 1 PID: 7635 Comm: mount Not tainted 5.1.0+ #21
> [ 1493.420125] RIP: 0010:virtio_kill_sb+0x12/0x100
> [ 1493.421009] Code: 00 00 00 00 00 00 83 c5 01 41 3b 2c 24 72 ad 5b 5d 41 5c 41 5d c3 66 90 41 56 49 89 fe 41 55 41 54 55 53 48 8b 87 28 07 00 00 <4c> 8b a8 48 01 00 00 49 8b 6d 18 48 89 ef e8 7b 3e 6c 00 c6 85 70
> [ 1493.424599] RSP: 0018:ffffc9000054bd88 EFLAGS: 00010286
> [ 1493.425617] RAX: 0000000000000000 RBX: ffff88807a67a000 RCX: 0000000000000006
> [ 1493.426987] RDX: 0000000000000006 RSI: ffff888073a0cc48 RDI: ffff88807a67a000
> [ 1493.428376] RBP: ffffffff8229f3c0 R08: 0000000000000000 R09: 0000000000000000
> [ 1493.429752] R10: 0000000000000001 R11: 0000000000000001 R12: ffffffff812f8a00
> [ 1493.431136] R13: 0000000000000000 R14: ffff88807a67a000 R15: 0000000000000020
> [ 1493.432518] FS:  00007f2ea867b080(0000) GS:ffff88807da00000(0000) knlGS:0000000000000000
> [ 1493.434044] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 1493.435127] CR2: 0000000000000148 CR3: 0000000076098003 CR4: 00000000003606a0
> [ 1493.436480] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [ 1493.437826] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [ 1493.439181] Call Trace:
> [ 1493.439669]  ? virtio_fs_hiprio_dispatch_work+0x210/0x210
> [ 1493.440705]  deactivate_locked_super+0x35/0x60
> [ 1493.441641]  mount_nodev+0x53/0x90
> [ 1493.442299]  legacy_get_tree+0x1f/0x40
> [ 1493.443019]  vfs_get_tree+0x20/0xe0
> [ 1493.443709]  do_mount+0xa1b/0xdd0
> [ 1493.444356]  ? memdup_user+0x39/0x60
> [ 1493.445042]  ksys_mount+0x89/0xb0
> [ 1493.445685]  __x64_sys_mount+0x1c/0x20
> [ 1493.446408]  do_syscall_64+0x288/0x429
> [ 1493.447141]  ? trace_hardirqs_off_thunk+0x1a/0x1c
> [ 1493.448068]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> 
> Signed-off-by: Peng Tao <tao.peng@linux.alibaba.com>
> ---

Thanks Peng Tao. I had removed that code which was cheking if fc is
there or not. I was not sure why that check is there. 

Good to know that kill_sb will be invoked even if mount failed and then
fc can be null. 

Will merge this patch.

Vivek

>  fs/fuse/virtio_fs.c | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/fuse/virtio_fs.c b/fs/fuse/virtio_fs.c
> index e5955a6..d94fe72 100644
> --- a/fs/fuse/virtio_fs.c
> +++ b/fs/fuse/virtio_fs.c
> @@ -1115,8 +1115,14 @@ static int virtio_fs_fill_super(struct super_block *sb, void *data,
>  static void virtio_kill_sb(struct super_block *sb)
>  {
>  	struct fuse_conn *fc = get_fuse_conn_super(sb);
> -	struct virtio_fs *vfs = fc->iq.priv;
> -	struct virtio_fs_vq *fsvq = &vfs->vqs[VQ_HIPRIO];
> +	struct virtio_fs *vfs;
> +	struct virtio_fs_vq *fsvq;
> +
> +	if (!fc)
> +		return fuse_kill_sb_anon(sb);
> +
> +	vfs = fc->iq.priv;
> +	fsvq = &vfs->vqs[VQ_HIPRIO];
>  
>  	/* Stop forget queue. Soon destroy will be sent */
>  	spin_lock(&fsvq->lock);
> -- 
> 1.8.3.1
>