On Mon, Jul 29, 2019 at 08:35:36PM +0800, piaojun wrote:
> Hi Stefan,
>
> On 2019/7/26 17:11, Stefan Hajnoczi wrote:
> > Most lo_do_lookup() have already checked that the parent inode exists.
> > lo_lookup() hasn't and can therefore hit a NULL pointer dereference when
> > lo_inode(req, parent) returns NULL.
> >
> > Signed-off-by: Stefan Hajnoczi <stefa...@redhat.com>
> > ---
> > contrib/virtiofsd/passthrough_ll.c | 4 ++++
> > 1 file changed, 4 insertions(+)
> >
> > diff --git a/contrib/virtiofsd/passthrough_ll.c
> > b/contrib/virtiofsd/passthrough_ll.c
> > index 9ae1381618..277a17fc03 100644
> > --- a/contrib/virtiofsd/passthrough_ll.c
> > +++ b/contrib/virtiofsd/passthrough_ll.c
> > @@ -766,6 +766,10 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t
> > parent, const char *name,
> > struct lo_data *lo = lo_data(req);
> > struct lo_inode *inode, *dir = lo_inode(req, parent);
> >
> > + if (!dir) {
> > + return EBADF;
> > + }
> > +
>
> I worry about that dir will be released or set NULL just after NULL
> checking. Or could we use some lock to prevent the simultaneity?Yes, I agree. I haven't audited lo_inode yet, but it needs a refcount and/or lock to ensure accesses are safe. I'll do that and other things in a separate patch series. Stefan
signature.asc
Description: PGP signature
