From: piaojun <piaojun@huawei.com>
To: Stefan Hajnoczi <stefanha@gmail.com>
Cc: virtio-fs@redhat.com, piaojun@huawei.com, qemu-devel@nongnu.org,
Stefan Hajnoczi <stefanha@redhat.com>
Subject: Re: [Qemu-devel] [Virtio-fs] [PATCH 2/5] virtiofsd: prevent lo_lookup() NULL pointer dereference
Date: Tue, 30 Jul 2019 08:34:00 +0800
Message-ID: <5D3F9078.2070607@huawei.com>
In-Reply-To: <20190729154118.GA21560@stefanha-x1.localdomain>

On 2019/7/29 23:41, Stefan Hajnoczi wrote:
> On Mon, Jul 29, 2019 at 08:35:36PM +0800, piaojun wrote:
>> Hi Stefan,
>>
>> On 2019/7/26 17:11, Stefan Hajnoczi wrote:
>>> Most lo_do_lookup() have already checked that the parent inode exists.
>>> lo_lookup() hasn't and can therefore hit a NULL pointer dereference when
>>> lo_inode(req, parent) returns NULL.
>>>
>>> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
>>> ---
>>> contrib/virtiofsd/passthrough_ll.c | 4 ++++
>>> 1 file changed, 4 insertions(+)
>>>
>>> diff --git a/contrib/virtiofsd/passthrough_ll.c b/contrib/virtiofsd/passthrough_ll.c
>>> index 9ae1381618..277a17fc03 100644
>>> --- a/contrib/virtiofsd/passthrough_ll.c
>>> +++ b/contrib/virtiofsd/passthrough_ll.c
>>> @@ -766,6 +766,10 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name,
>>> struct lo_data *lo = lo_data(req);
>>> struct lo_inode *inode, *dir = lo_inode(req, parent);
>>>
>>> + if (!dir) {
>>> + return EBADF;
>>> + }
>>> +
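Review bot: The `!dir` check in lo_do_lookup() tests the pointer returned by lo_inode(req, parent) only once, and nothing in these lines takes a reference or a lock on `dir`, so it rules out a NULL parent at entry but does not keep the inode valid for the rest of the function. Either pin the inode across the lookup or add a comment naming the lock the caller must hold. The commit message also names lo_lookup() while the check lands in lo_do_lookup(); "Most lo_do_lookup() callers have already checked" would match the hunk.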
>>
>> I worry about that dir will be released or set NULL just after NULL
>> checking. Or could we use some lock to prevent the simultaneity?
>
> Yes, I agree. I haven't audited lo_inode yet, but it needs a refcount
> and/or lock to ensure accesses are safe. I'll do that and other things
> in a separate patch series.
>
> Stefan

OK, that sounds good.

Jun