From: Vivek Goyal <vgoyal@redhat.com>
To: Chirantan Ekbote <chirantan@chromium.org>
Cc: Miklos Szeredi <miklos@szeredi.hu>,
Suleiman Souhlal <suleiman@chromium.org>,
virtio-fs@redhat.com, linux-fsdevel@vger.kernel.org,
Dylan Reid <dgreid@chromium.org>
Subject: Re: [Virtio-fs] [PATCH 1/2] fuse: virtiofs: Fix nullptr dereference
Date: Mon, 27 Apr 2020 13:58:14 -0400 [thread overview]
Message-ID: <20200427175814.GC146096@redhat.com> (raw)
In-Reply-To: <20200424062540.23679-1-chirantan@chromium.org>
On Fri, Apr 24, 2020 at 03:25:39PM +0900, Chirantan Ekbote wrote:
> virtiofs device implementations are allowed to provide more than one
> request queue. In this case `fsvq->fud` would not be initialized,
> leading to a nullptr dereference later during driver initialization.
>
> Make sure that `fsvq->fud` is initialized for all request queues even if
> the driver doesn't use them.
>
> Signed-off-by: Chirantan Ekbote <chirantan@chromium.org>
> ---
> fs/fuse/virtio_fs.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/fs/fuse/virtio_fs.c b/fs/fuse/virtio_fs.c
> index bade747689033..d3c38222a7e4e 100644
> --- a/fs/fuse/virtio_fs.c
> +++ b/fs/fuse/virtio_fs.c
> @@ -1066,10 +1066,13 @@ static int virtio_fs_fill_super(struct super_block *sb)
> }
>
> err = -ENOMEM;
> - /* Allocate fuse_dev for hiprio and notification queues */
> - for (i = 0; i < VQ_REQUEST; i++) {
> + /* Allocate fuse_dev for all queues except the first request queue. */
> + for (i = 0; i < fs->nvqs; i++) {
> struct virtio_fs_vq *fsvq = &fs->vqs[i];
>
> + if (i == VQ_REQUEST)
> + continue;
> +
These special conditions of initializing fuse device for one queue
fusing fill_super_common() and rest of the queues outside of it, are
bothering me. I am proposing a separate patch where all fuse device
initialization/cleanup is done by the caller. It makes code look
cleaner and easier to understand.
Vivek
> fsvq->fud = fuse_dev_alloc();
> if (!fsvq->fud)
> goto err_free_fuse_devs;
> --
> 2.26.2.303.gf8c07b1a785-goog
>
WARNING: multiple messages have this Message-ID (diff)
From: Vivek Goyal <vgoyal@redhat.com>
To: Chirantan Ekbote <chirantan@chromium.org>
Cc: Miklos Szeredi <miklos@szeredi.hu>,
Stefan Hajnoczi <stefanha@redhat.com>,
linux-fsdevel@vger.kernel.org, virtio-fs@redhat.com,
Dylan Reid <dgreid@chromium.org>,
Suleiman Souhlal <suleiman@chromium.org>
Subject: Re: [PATCH 1/2] fuse: virtiofs: Fix nullptr dereference
Date: Mon, 27 Apr 2020 13:58:14 -0400 [thread overview]
Message-ID: <20200427175814.GC146096@redhat.com> (raw)
In-Reply-To: <20200424062540.23679-1-chirantan@chromium.org>
On Fri, Apr 24, 2020 at 03:25:39PM +0900, Chirantan Ekbote wrote:
> virtiofs device implementations are allowed to provide more than one
> request queue. In this case `fsvq->fud` would not be initialized,
> leading to a nullptr dereference later during driver initialization.
>
> Make sure that `fsvq->fud` is initialized for all request queues even if
> the driver doesn't use them.
>
> Signed-off-by: Chirantan Ekbote <chirantan@chromium.org>
> ---
> fs/fuse/virtio_fs.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/fs/fuse/virtio_fs.c b/fs/fuse/virtio_fs.c
> index bade747689033..d3c38222a7e4e 100644
> --- a/fs/fuse/virtio_fs.c
> +++ b/fs/fuse/virtio_fs.c
> @@ -1066,10 +1066,13 @@ static int virtio_fs_fill_super(struct super_block *sb)
> }
>
> err = -ENOMEM;
> - /* Allocate fuse_dev for hiprio and notification queues */
> - for (i = 0; i < VQ_REQUEST; i++) {
> + /* Allocate fuse_dev for all queues except the first request queue. */
> + for (i = 0; i < fs->nvqs; i++) {
> struct virtio_fs_vq *fsvq = &fs->vqs[i];
>
> + if (i == VQ_REQUEST)
> + continue;
> +
These special conditions of initializing fuse device for one queue
fusing fill_super_common() and rest of the queues outside of it, are
bothering me. I am proposing a separate patch where all fuse device
initialization/cleanup is done by the caller. It makes code look
cleaner and easier to understand.
Vivek
> fsvq->fud = fuse_dev_alloc();
> if (!fsvq->fud)
> goto err_free_fuse_devs;
> --
> 2.26.2.303.gf8c07b1a785-goog
>
next prev parent reply other threads:[~2020-04-27 17:58 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-24 6:25 [Virtio-fs] [PATCH 1/2] fuse: virtiofs: Fix nullptr dereference Chirantan Ekbote
2020-04-24 6:25 ` Chirantan Ekbote
2020-04-24 6:25 ` [Virtio-fs] [PATCH 2/2] fuse: virtiofs: Add basic multiqueue support Chirantan Ekbote
2020-04-24 6:25 ` Chirantan Ekbote
2020-04-27 15:19 ` [Virtio-fs] " Stefan Hajnoczi
2020-04-27 15:19 ` Stefan Hajnoczi
2020-04-27 15:22 ` [Virtio-fs] " Stefan Hajnoczi
2020-04-27 15:22 ` Stefan Hajnoczi
2020-05-01 7:14 ` [Virtio-fs] " Chirantan Ekbote
2020-05-01 7:14 ` Chirantan Ekbote
2020-05-01 15:47 ` [Virtio-fs] " Stefan Hajnoczi
2020-05-01 15:47 ` Stefan Hajnoczi
2020-05-07 8:10 ` [Virtio-fs] " Chirantan Ekbote
2020-05-07 8:10 ` Chirantan Ekbote
2020-06-02 9:29 ` [Virtio-fs] " Stefan Hajnoczi
2020-06-02 9:29 ` Stefan Hajnoczi
2020-04-27 14:38 ` [Virtio-fs] [PATCH 1/2] fuse: virtiofs: Fix nullptr dereference Stefan Hajnoczi
2020-04-27 14:38 ` Stefan Hajnoczi
2020-04-27 17:58 ` Vivek Goyal [this message]
2020-04-27 17:58 ` Vivek Goyal
2020-04-28 8:53 ` [Virtio-fs] " Stefan Hajnoczi
2020-04-28 8:53 ` Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200427175814.GC146096@redhat.com \
--to=vgoyal@redhat.com \
--cc=chirantan@chromium.org \
--cc=dgreid@chromium.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=suleiman@chromium.org \
--cc=virtio-fs@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.