On Wed, Jul 18, 2018 at 12:51 PM, Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx> wrote:
> On 2018/07/18 19:44, Al Viro wrote:
>> On Wed, Jul 18, 2018 at 07:07:18PM +0900, Tetsuo Handa wrote:
>>> syzbot is hitting NULL pointer dereference at process_init_reply() [1].
>>> This is because deactivate_locked_super() is called before response for
>>> initial request is processed. Fix this by protecting process_init_reply()
>>> using fc->killsb.
>>
>> IDGI... why is FUSE_INIT asynchronous in the first place? What's the point
>> returning a superblock before FUSE_INIT completes, seeing that things like
>> fuse_get_req() block until that one is over?
>>
> I don't know...
>
> What we can say is that async initialization is prone to races like
> https://syzkaller.appspot.com/bug?id=b61716c2020c98e885af88c7de5896425947313f .

Yep, turns out to be a can of worms when looking closely: it is assumed
that all requests are finished by the time fuse_abort_conn() returns.
Turns out to be not true...

Thanks,
Miklos