[Virtio-fs] [PATCH] virtiofsd: sync FUSE_DESTROY with session destroy

Eryu Guan eguan at linux.alibaba.com
Fri Dec 20 02:46:34 UTC 2019


On Wed, Dec 18, 2019 at 05:22:58PM +0800, Eryu Guan wrote:
> Normally on guest shutdown, guest umounts virtiofs (FUSE_DESTROY) and
> waits for umount to return then cleans up virtio device.
> 
> But if guest gets killed, for whatever reason, right after sending
> FUSE_DESTROY, it's possible that virtiofsd cleans up session and virtio
> dev first, then fv_queue_worker() wants to send reply to guest and hits
> abort() in fuse_send_msg(), because fuse_lowlevel_is_virtio() returns
> false.
> 
> Fix it by acquiring se->init_rwlock first in fuse_session_destroy() to
> wait for inflight FUSE_DESTROY to be completed, then clean up session
> and virtio dev.
> 
> Reported-by: Qingming Su <qingming.su at linux.alibaba.com>
> Signed-off-by: Eryu Guan <eguan at linux.alibaba.com>

Please ignore it for now; use-after-free is still possible. We need to
make sure all fv_queue_thread()s and fv_queue_worker()s exit before
virtio_loop() returns. I'll send a v2 patch.

Thanks,
Eryu
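The shutdown ordering the thread converges on (wait for in-flight requests, then make the queue workers exit, and only then tear down the device) can be modelled outside virtiofsd. The following is an added, constructed pthread model and not virtiofsd's code: `struct session`, `queue_worker`, `session_destroy` and `run_shutdown` are made-up names that only echo the roles of `se->init_rwlock`, `fv_queue_worker()` and `fuse_session_destroy()` from the mail; "replies" are counters rather than messages on a virtqueue. It shows why the rwlock wait alone leaves a window (a worker that has dequeued a request but not yet taken the read lock) and why joining the workers before freeing the device closes it.

```c
/* Constructed model of the virtiofsd shutdown race discussed above.
 * Not virtiofsd code: all names below are hypothetical. */
#define _DEFAULT_SOURCE
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define NWORKERS 4

struct virtio_dev { int alive; };

struct session {
    pthread_rwlock_t init_rwlock;   /* read-held while a request is in flight */
    pthread_mutex_t lock;
    pthread_cond_t cv;
    bool stopping;                  /* set by destroy; workers exit once drained */
    int pending;                    /* requests not yet picked up by a worker */
    struct virtio_dev *dev;         /* NULL once torn down */
    int replies_sent;               /* replies delivered while dev was alive */
    int bad_replies;                /* replies attempted after teardown (abort() in the real daemon) */
    pthread_t workers[NWORKERS];
};

/* Stand-in for fv_queue_worker(): pick a request, handle it, reply. */
static void *queue_worker(void *arg)
{
    struct session *se = arg;

    for (;;) {
        pthread_mutex_lock(&se->lock);
        while (se->pending == 0 && !se->stopping)
            pthread_cond_wait(&se->cv, &se->lock);
        if (se->pending == 0) {             /* stopping and queue drained */
            pthread_mutex_unlock(&se->lock);
            return NULL;
        }
        se->pending--;
        pthread_mutex_unlock(&se->lock);

        /* Window: dequeued but not yet marked in flight. A destroy that only
         * takes the write lock can run to completion right here. */
        pthread_rwlock_rdlock(&se->init_rwlock);
        usleep(500);                        /* simulated request processing */
        pthread_mutex_lock(&se->lock);
        if (se->dev != NULL && se->dev->alive)
            se->replies_sent++;
        else
            se->bad_replies++;
        pthread_mutex_unlock(&se->lock);
        pthread_rwlock_unlock(&se->init_rwlock);
    }
}

/* Stand-in for the v2 idea: no worker may still be running when the device goes away. */
static void session_destroy(struct session *se)
{
    /* 1. Wait for requests already marked in flight (the v1 rwlock wait). */
    pthread_rwlock_wrlock(&se->init_rwlock);
    pthread_rwlock_unlock(&se->init_rwlock);

    /* 2. Ask the workers to exit and join them; this is what closes the
     *    dequeued-but-not-yet-locked window that step 1 cannot see. */
    pthread_mutex_lock(&se->lock);
    se->stopping = true;
    pthread_cond_broadcast(&se->cv);
    pthread_mutex_unlock(&se->lock);
    for (int i = 0; i < NWORKERS; i++)
        pthread_join(se->workers[i], NULL);

    /* 3. Only now is it safe to tear down the device and the locks. */
    se->dev->alive = 0;
    free(se->dev);
    se->dev = NULL;
    pthread_rwlock_destroy(&se->init_rwlock);
    pthread_cond_destroy(&se->cv);
    pthread_mutex_destroy(&se->lock);
}

/* Queue nreq requests, destroy the session, return the number of replies that
 * would have hit abort(); *replies_out receives the replies delivered safely. */
int run_shutdown(int nreq, int *replies_out)
{
    struct session *se = calloc(1, sizeof(*se));
    pthread_rwlock_init(&se->init_rwlock, NULL);
    pthread_mutex_init(&se->lock, NULL);
    pthread_cond_init(&se->cv, NULL);
    se->dev = calloc(1, sizeof(*se->dev));
    se->dev->alive = 1;
    for (int i = 0; i < NWORKERS; i++)
        pthread_create(&se->workers[i], NULL, queue_worker, se);

    pthread_mutex_lock(&se->lock);
    se->pending = nreq;                     /* constructed load, e.g. FUSE_DESTROY plus stragglers */
    pthread_cond_broadcast(&se->cv);
    pthread_mutex_unlock(&se->lock);

    session_destroy(se);                    /* guest "dies" right after queueing */
    int bad = se->bad_replies;
    if (replies_out)
        *replies_out = se->replies_sent;
    free(se);
    return bad;
}

int main(void)
{
    int replies = 0;
    int bad = run_shutdown(20, &replies);
    printf("replies delivered: %d, replies after teardown: %d\n", replies, bad);
    return bad != 0;
}
```

Because `session_destroy` joins every worker before freeing `dev`, all queued requests are answered while the device is alive and no reply is attempted after teardown; dropping step 2 and keeping only the write-lock wait reintroduces the nondeterministic window the reply above describes.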
