On 2018/07/18 19:44, Al Viro wrote:
> On Wed, Jul 18, 2018 at 07:07:18PM +0900, Tetsuo Handa wrote:
>> syzbot is hitting NULL pointer dereference at process_init_reply() [1].
>> This is because deactivate_locked_super() is called before response for
>> initial request is processed. Fix this by protecting process_init_reply()
>> using fc->killsb.
>
> IDGI... why is FUSE_INIT asynchronous in the first place? What's the point
> returning a superblock before FUSE_INIT completes, seeing that things like
> fuse_get_req() block until that one is over?
>

I don't know... What we can say is that async initialization is prone to races like
https://syzkaller.appspot.com/bug?id=b61716c2020c98e885af88c7de5896425947313f .