| Message ID | 20250407115111.25535-1-xiangsheng.hou@mediatek.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | [RESEND] virtiofs: add filesystem context source name check | expand |
On Mon, Apr 07, 2025 at 07:50:49PM +0800, Xiangsheng Hou wrote: > In certain scenarios, for example, during fuzz testing, the source > name may be NULL, which could lead to a kernel panic. Therefore, an > extra check for the source name should be added. Oha, that's not great and easily reproducible: [13344.588906] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN [13344.602350] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [13344.610367] CPU: 8 UID: 0 PID: 1427 Comm: anon_inode_test Not tainted 6.15.0-rc1-gb96146cd957f #21 PREEMPT(undef) [13344.617410] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)/Incus, BIOS unknown 2/2/2022 [13344.621368] RIP: 0010:strcmp+0x5b/0xb0 [13344.624462] Code: fa 48 c1 e8 03 83 e2 07 42 0f b6 04 28 38 d0 7f 04 84 c0 75 50 48 89 f0 48 89 f2 0f b6 6b ff 4c 8d 66 01 48 c1 e8 03 83 e2 07 <42> 0f b6 04 28 38 d0 7f 04 84 c0 75 24 41 3a 6c 24 ff 74 ae 19 c0 [13344.635506] RSP: 0018:ffffc900050dfd28 EFLAGS: 00010246 [13344.638112] RAX: 0000000000000000 RBX: ffff8881918158a9 RCX: fffff52000a1bf86 [13344.640726] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8881918158a8 [13344.643279] RBP: 0000000000000069 R08: 0000000000000000 R09: fffffbfff2aa7c82 [13344.646722] R10: ffffc900050dfd58 R11: 0000000000000000 R12: 0000000000000001 [13344.648844] R13: dffffc0000000000 R14: ffff8881e2110ce0 R15: dffffc0000000000 [13344.651382] FS: 00007f891cf53740(0000) GS:ffff88843fd42000(0000) knlGS:0000000000000000 [13344.654257] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [13344.656296] CR2: 000055dfec6997d8 CR3: 00000001cbf21006 CR4: 0000000000770ef0 [13344.658863] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [13344.661325] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [13344.662722] PKRU: 55555554 [13344.663266] Call Trace: [13344.663776] <TASK> [13344.664303] virtio_fs_get_tree+0xc4/0x1060 [13344.665237] ? rcu_is_watching+0x12/0xb0 [13344.666047] ? cap_capable+0x170/0x320 [13344.666802] vfs_get_tree+0x87/0x2f0 [13344.667540] vfs_cmd_create+0xb2/0x240 [13344.668317] __x64_sys_fsconfig+0x629/0x9f0 [13344.669143] ? vfs_cmd_create+0x240/0x240 [13344.669956] ? rcu_is_watching+0x12/0xb0 [13344.670738] ? syscall_trace_enter+0x129/0x230 [13344.671617] do_syscall_64+0x74/0x190 [13344.672354] entry_SYSCALL_64_after_hwframe+0x4b/0x53 This needs to be backported to all LTS kernels. > Signed-off-by: Xiangsheng Hou <xiangsheng.hou@mediatek.com> > --- > fs/fuse/virtio_fs.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/fs/fuse/virtio_fs.c b/fs/fuse/virtio_fs.c > index 2c7b24cb67ad..53c2626e90e7 100644 > --- a/fs/fuse/virtio_fs.c > +++ b/fs/fuse/virtio_fs.c > @@ -1669,6 +1669,9 @@ static int virtio_fs_get_tree(struct fs_context *fsc) > unsigned int virtqueue_size; > int err = -EIO; > > + if (!fsc->source) > + return invalf(fsc, "No source specified"); > + > /* This gets a reference on virtio_fs object. This ptr gets installed > * in fc->iq->priv. Once fuse_conn is going away, it calls ->put() > * to drop the reference to this object. > -- > 2.46.0 >
On Mon, 07 Apr 2025 19:50:49 +0800, Xiangsheng Hou wrote: > In certain scenarios, for example, during fuzz testing, the source > name may be NULL, which could lead to a kernel panic. Therefore, an > extra check for the source name should be added. > > Applied to the vfs.fixes branch of the vfs/vfs.git tree. Patches in the vfs.fixes branch should appear in linux-next soon. Please report any outstanding bugs that were missed during review in a new review to the original patch series allowing us to drop it. It's encouraged to provide Acked-bys and Reviewed-bys even though the patch has now been applied. If possible patch trailers will be updated. Note that commit hashes shown below are subject to change due to rebase, trailer updates or similar. If in doubt, please check the listed branch. tree: https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git branch: vfs.fixes [1/1] virtiofs: add filesystem context source name check https://git.kernel.org/vfs/vfs/c/a94fd938df2b
On Mon, 7 Apr 2025 at 13:51, Xiangsheng Hou <xiangsheng.hou@mediatek.com> wrote: > > In certain scenarios, for example, during fuzz testing, the source > name may be NULL, which could lead to a kernel panic. Therefore, an > extra check for the source name should be added. > > Signed-off-by: Xiangsheng Hou <xiangsheng.hou@mediatek.com> Acked-by: Miklos Szeredi <mszeredi@redhat.com> Thanks, Miklos
diff --git a/fs/fuse/virtio_fs.c b/fs/fuse/virtio_fs.c index 2c7b24cb67ad..53c2626e90e7 100644 --- a/fs/fuse/virtio_fs.c +++ b/fs/fuse/virtio_fs.c @@ -1669,6 +1669,9 @@ static int virtio_fs_get_tree(struct fs_context *fsc) unsigned int virtqueue_size; int err = -EIO; + if (!fsc->source) + return invalf(fsc, "No source specified"); + /* This gets a reference on virtio_fs object. This ptr gets installed * in fc->iq->priv. Once fuse_conn is going away, it calls ->put() * to drop the reference to this object.
In certain scenarios, for example, during fuzz testing, the source name may be NULL, which could lead to a kernel panic. Therefore, an extra check for the source name should be added. Signed-off-by: Xiangsheng Hou <xiangsheng.hou@mediatek.com> --- fs/fuse/virtio_fs.c | 3 +++ 1 file changed, 3 insertions(+)