From: Miklos Szeredi <miklos@szeredi.hu>
To: Al Viro <viro@zeniv.linux.org.uk>
Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
linux-fsdevel@vger.kernel.org,
syzbot <syzbot+b62f08f4d5857755e3bc@syzkaller.appspotmail.com>
Subject: Re: [PATCH (resend)] fuse: Fix oops at process_init_reply().
Date: Wed, 18 Jul 2018 13:35:03 +0200
Message-ID: <CAJfpegtyZ0f-UETts0rYgkpeNE1QWRNyHGBE7GgROHAb2-Kzyg@mail.gmail.com>
In-Reply-To: <20180718104412.GQ30522@ZenIV.linux.org.uk>
On Wed, Jul 18, 2018 at 12:44 PM, Al Viro <viro@zeniv.linux.org.uk> wrote:
> On Wed, Jul 18, 2018 at 07:07:18PM +0900, Tetsuo Handa wrote:
>> syzbot is hitting NULL pointer dereference at process_init_reply() [1].
>> This is because deactivate_locked_super() is called before response for
>> initial request is processed. Fix this by protecting process_init_reply()
>> using fc->killsb.
>
> IDGI... why is FUSE_INIT asynchronous in the first place? What's the point
> returning a superblock before FUSE_INIT completes, seeing that things like
> fuse_get_req() block until that one is over?
Very very old story. Basically one of the design decisions was to
make userspace fs initialization be completely serial like this:
fd = open("/dev/fuse", ...);
mount(..., "fuse", ...);
read(fd, request_buf, ...);
/* First request is always going to be FUSE_INIT */
write(fd, reply_buf, ...);
...
In hindsight it was a bad decision, but we are pretty much stuck with
it at this point, at least for backward compatibility with all current
fuse userspace code.
Thanks,
Miklos
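The serial open/mount/read/write sequence sketched above, carried through as a minimal FUSE_INIT handshake. This is an added example and is not code from this thread, from the kernel or from libfuse. Assumptions: the wire structures are copied by hand from the kernel's include/uapi/linux/fuse.h (the 7.23+ layout, 40-byte in_header, 64-byte init_out) so the file builds without kernel headers; the daemon's minor version (27), the sample request bytes built by fuse_sample_init_request, the reply tunables (max_background, max_write and so on) and the mount options in main are illustrative choices. main needs root and the fuse module; the two helpers run without either.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <unistd.h>

/* Wire layout copied by hand from include/uapi/linux/fuse.h (assumption:
 * matches the 7.23+ ABI).  Newer kernels append fields to fuse_init_in;
 * a daemon must therefore accept a longer request and read only its prefix. */
#define FUSE_KERNEL_VERSION        7
#define FUSE_KERNEL_MINOR_VERSION  27   /* minor version this daemon speaks (assumption) */
#define FUSE_INIT                  26

struct fuse_in_header  { uint32_t len; uint32_t opcode; uint64_t unique; uint64_t nodeid;
                         uint32_t uid; uint32_t gid; uint32_t pid; uint32_t padding; };
struct fuse_init_in    { uint32_t major; uint32_t minor; uint32_t max_readahead; uint32_t flags; };
struct fuse_out_header { uint32_t len; int32_t error; uint64_t unique; };
struct fuse_init_out   { uint32_t major; uint32_t minor; uint32_t max_readahead; uint32_t flags;
                         uint16_t max_background; uint16_t congestion_threshold;
                         uint32_t max_write; uint32_t time_gran; uint32_t unused[9]; };

/* out_header (16 bytes, 8-aligned) followed by init_out (64 bytes): no padding. */
struct init_reply { struct fuse_out_header oh; struct fuse_init_out out; };

/* Validate the first request read from /dev/fuse and, if it is FUSE_INIT,
 * fill in the reply.  Returns 0 on success or a negative errno value. */
int fuse_handle_init(const void *req, size_t req_len, uint64_t *unique_out,
                     struct init_reply *rep)
{
    struct fuse_in_header ih;
    struct fuse_init_in in;

    if (req_len < sizeof ih + sizeof in)
        return -EINVAL;
    memcpy(&ih, req, sizeof ih);
    memcpy(&in, (const char *)req + sizeof ih, sizeof in);
    if (ih.len != req_len || ih.opcode != FUSE_INIT)
        return -EINVAL;          /* the first request is always FUSE_INIT */
    if (in.major != FUSE_KERNEL_VERSION)
        return -EPROTO;          /* simplification: libfuse handles major > 7 by re-negotiating */

    memset(rep, 0, sizeof *rep);
    rep->oh.len = sizeof *rep;
    rep->oh.error = 0;
    rep->oh.unique = ih.unique;  /* the kernel matches the reply to the request by 'unique' */
    rep->out.major = FUSE_KERNEL_VERSION;
    rep->out.minor = in.minor < FUSE_KERNEL_MINOR_VERSION ? in.minor : FUSE_KERNEL_MINOR_VERSION;
    rep->out.max_readahead = in.max_readahead;
    rep->out.flags = 0;          /* only bits the kernel offered in in.flags may be set here */
    rep->out.max_background = 16;
    rep->out.congestion_threshold = 12;
    rep->out.max_write = 128 * 1024;
    rep->out.time_gran = 1;
    *unique_out = ih.unique;
    return 0;
}

/* Constructed sample (not captured from a real kernel): the bytes a 7.26
 * kernel would hand to the daemon's first read().  Returns the length. */
size_t fuse_sample_init_request(unsigned char *buf, size_t buflen, uint64_t unique)
{
    struct fuse_in_header ih = { .len = sizeof ih + sizeof(struct fuse_init_in),
                                 .opcode = FUSE_INIT, .unique = unique, .nodeid = 0 };
    struct fuse_init_in in = { .major = 7, .minor = 26, .max_readahead = 131072,
                               .flags = 0x1fffff };
    if (buflen < ih.len)
        return 0;
    memcpy(buf, &ih, sizeof ih);
    memcpy(buf + sizeof ih, &in, sizeof in);
    return ih.len;
}

/* Needs root and the fuse module; mounts, answers FUSE_INIT, unmounts. */
int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <mountpoint>\n", argv[0]); return 2; }
    int fd = open("/dev/fuse", O_RDWR | O_CLOEXEC);
    if (fd < 0) { perror("open /dev/fuse"); return 1; }
    char opts[128];
    snprintf(opts, sizeof opts, "fd=%d,rootmode=40000,user_id=%u,group_id=%u",
             fd, (unsigned)getuid(), (unsigned)getgid());
    if (mount("initdemo", argv[1], "fuse", MS_NOSUID | MS_NODEV, opts) < 0) {
        perror("mount"); return 1;
    }
    /* mount() has returned, yet nothing can use the filesystem: the first
     * request on fd is FUSE_INIT and later requests wait for its reply. */
    unsigned char buf[4096];
    ssize_t n = read(fd, buf, sizeof buf);
    struct init_reply rep; uint64_t unique;
    if (n < 0 || fuse_handle_init(buf, (size_t)n, &unique, &rep) < 0) {
        perror("FUSE_INIT"); umount2(argv[1], MNT_DETACH); return 1;
    }
    if (write(fd, &rep, sizeof rep) != (ssize_t)sizeof rep) { perror("write reply"); return 1; }
    printf("negotiated FUSE 7.%u (unique=%llu)\n", rep.out.minor, (unsigned long long)unique);
    umount2(argv[1], MNT_DETACH);  /* a real daemon would now loop on read()/write() */
    return 0;
}
```

The point of the thread sits between mount() returning and write() of the reply: the superblock already exists while FUSE_INIT is still outstanding, so if the mount is torn down before that reply arrives the kernel has to cope with a late INIT answer, which is the ordering the patch under discussion protects with fc->killsb. A daemon should reply to FUSE_INIT before doing anything else on the descriptor, and must never set flags in the reply that were absent from the kernel's request.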
Thread overview: 5+ messages
2018-07-18 10:07 [PATCH (resend)] fuse: Fix oops at process_init_reply() Tetsuo Handa
2018-07-18 10:44 ` Al Viro
2018-07-18 10:51 ` Tetsuo Handa
2018-07-20 8:41 ` Miklos Szeredi
2018-07-18 11:35 ` Miklos Szeredi [this message]