Re: [fuse:fs_fuse_split 5/5] fs/fuse/virtio_fs.c:1458 virtio_fs_get_tree() error: uninitialized symbol 'fc'.

Miklos Szeredi <mszeredi@xxxxxxxxxx> · Mon, 15 Feb 2021 13:48:00 +0100

Hi Dan,

Thanks for the report.

Note that the mailing list for fuse kernel development is
<linux-fsdevel@xxxxxxxxxxxxxxx> as indicated in MAINTAINERS, while
<fuse-devel@xxxxxxxxxxxxxxxxxxxxx> is for userspace development.

On Mon, Feb 15, 2021 at 12:31 PM Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:
>
> tree:   https://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse.git fs_fuse_split
> head:   674d5faded4c40245ea02240e731aa82c7ab4c9e
> commit: 674d5faded4c40245ea02240e731aa82c7ab4c9e [5/5] fuse: alloc initial fuse_conn and fuse_mount
> config: i386-randconfig-m021-20210209 (attached as .config)
> compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
>
> If you fix the issue, kindly add following tag as appropriate
> Reported-by: kernel test robot <lkp@xxxxxxxxx>
> Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
>
> New smatch warnings:
> fs/fuse/virtio_fs.c:1458 virtio_fs_get_tree() error: uninitialized symbol 'fc'.
>
> Old smatch warnings:
> fs/fuse/virtio_fs.c:1444 virtio_fs_get_tree() error: double free of 'fm'
>
> vim +/fc +1458 fs/fuse/virtio_fs.c
>
> a62a8ef9d97da2 Stefan Hajnoczi 2018-06-12  1405  static int virtio_fs_get_tree(struct fs_context *fsc)
> a62a8ef9d97da2 Stefan Hajnoczi 2018-06-12  1406  {
> a62a8ef9d97da2 Stefan Hajnoczi 2018-06-12  1407         struct virtio_fs *fs;
> a62a8ef9d97da2 Stefan Hajnoczi 2018-06-12  1408         struct super_block *sb;
> a62a8ef9d97da2 Stefan Hajnoczi 2018-06-12  1409         struct fuse_conn *fc;
> fcee216beb9c15 Max Reitz       2020-05-06  1410         struct fuse_mount *fm;
> a62a8ef9d97da2 Stefan Hajnoczi 2018-06-12  1411         int err;
> a62a8ef9d97da2 Stefan Hajnoczi 2018-06-12  1412
> a62a8ef9d97da2 Stefan Hajnoczi 2018-06-12  1413         /* This gets a reference on virtio_fs object. This ptr gets installed
> a62a8ef9d97da2 Stefan Hajnoczi 2018-06-12  1414          * in fc->iq->priv. Once fuse_conn is going away, it calls ->put()
> a62a8ef9d97da2 Stefan Hajnoczi 2018-06-12  1415          * to drop the reference to this object.
> a62a8ef9d97da2 Stefan Hajnoczi 2018-06-12  1416          */
> a62a8ef9d97da2 Stefan Hajnoczi 2018-06-12  1417         fs = virtio_fs_find_instance(fsc->source);
> a62a8ef9d97da2 Stefan Hajnoczi 2018-06-12  1418         if (!fs) {
> a62a8ef9d97da2 Stefan Hajnoczi 2018-06-12  1419                 pr_info("virtio-fs: tag <%s> not found\n", fsc->source);
> a62a8ef9d97da2 Stefan Hajnoczi 2018-06-12  1420                 return -EINVAL;
> a62a8ef9d97da2 Stefan Hajnoczi 2018-06-12  1421         }
> a62a8ef9d97da2 Stefan Hajnoczi 2018-06-12  1422
> 833c5a42e28bee Miklos Szeredi  2020-11-11  1423         err = -ENOMEM;
> 674d5faded4c40 Miklos Szeredi  2021-02-11  1424         fm = fuse_conn_new(get_user_ns(current_user_ns()), &virtio_fs_fiq_ops, fs, NULL, NULL);
> 833c5a42e28bee Miklos Szeredi  2020-11-11  1425         if (!fm)
> 833c5a42e28bee Miklos Szeredi  2020-11-11  1426                 goto out_err;
>
> "fc" not initialized on this path.

Yep, thanks.

>
> 674d5faded4c40 Miklos Szeredi  2021-02-11  1427         fc = fm->fc;
> a62a8ef9d97da2 Stefan Hajnoczi 2018-06-12  1428         fc->delete_stale = true;
> bf109c64040f5b Max Reitz       2020-04-21  1429         fc->auto_submounts = true;
> a62a8ef9d97da2 Stefan Hajnoczi 2018-06-12  1430
> fcee216beb9c15 Max Reitz       2020-05-06  1431         fsc->s_fs_info = fm;
> b19d3d00d662cf Miklos Szeredi  2020-11-11  1432         sb = sget_fc(fsc, virtio_fs_test_super, set_anon_super_fc);
> 514b5e3ff45e6c Miklos Szeredi  2020-11-11  1433         if (fsc->s_fs_info) {
> 514b5e3ff45e6c Miklos Szeredi  2020-11-11  1434                 fuse_conn_put(fc);
> 514b5e3ff45e6c Miklos Szeredi  2020-11-11  1435                 kfree(fm);
>
> The error handling in this function is very confusing...

fsc->s_fs_info is non-NULL if sget_fc() didn't take ownership of the
object.  Which can be an error, or it can be the case of an existing
sb being reused.

Needs a comment.  Will do in a separate patch.

> 514b5e3ff45e6c Miklos Szeredi  2020-11-11  1436         }
> a62a8ef9d97da2 Stefan Hajnoczi 2018-06-12  1437         if (IS_ERR(sb))
> a62a8ef9d97da2 Stefan Hajnoczi 2018-06-12  1438                 return PTR_ERR(sb);
> a62a8ef9d97da2 Stefan Hajnoczi 2018-06-12  1439
> a62a8ef9d97da2 Stefan Hajnoczi 2018-06-12  1440         if (!sb->s_root) {
> 1dd539577c42b6 Vivek Goyal     2020-08-19  1441                 err = virtio_fs_fill_super(sb, fsc);
> a62a8ef9d97da2 Stefan Hajnoczi 2018-06-12  1442                 if (err) {
> 514b5e3ff45e6c Miklos Szeredi  2020-11-11  1443                         fuse_conn_put(fc);
> 514b5e3ff45e6c Miklos Szeredi  2020-11-11  1444                         kfree(fm);
>
> Smatch doesn't complain about a double free so presumably the earlier
> kfree(fm) is done IFF sb is an error pointer.

Correct, !sb->s_root implies that this is a new sb, not a reused one
(in which case the earlier kfree() would trigger).

Thanks,
Miklos