fuse_ctl_remove_conn() dereferences d_inode(fc->ctl_dentry[i]). If
fuse_ctl_add_dentry() failed to allocate the inode then this field is
NULL and it's not safe to call fuse_ctl_remove_conn().
This patch frees partially initialized dentries in the
fuse_ctl_add_dentry() error case to solve the NULL dereference.
Signed-off-by: Stefan Hajnoczi <[email protected]>
---
I spotted this when reading the code. Compile-tested only.
fs/fuse/control.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/fs/fuse/control.c b/fs/fuse/control.c
index b9ea99c5b5b3..ef3af9c32147 100644
--- a/fs/fuse/control.c
+++ b/fs/fuse/control.c
@@ -211,10 +211,13 @@ static struct dentry *fuse_ctl_add_dentry(struct dentry *parent,
if (!dentry)
return NULL;
- fc->ctl_dentry[fc->ctl_ndents++] = dentry;
inode = new_inode(fuse_control_sb);
- if (!inode)
+ if (!inode) {
+ dput(dentry);
return NULL;
+ }
+
+ fc->ctl_dentry[fc->ctl_ndents++] = dentry;
inode->i_ino = get_next_ino();
inode->i_mode = mode;
--
2.17.0
Ping?
Archive link in case I broke email threading:
https://marc.info/?l=linux-fsdevel&m=152719324102009&w=2
Stefan
On Fri, Jun 1, 2018 at 11:24 AM, Stefan Hajnoczi <[email protected]> wrote:
> Ping?
>
> Archive link in case I broke email threading:
> https://marc.info/?l=linux-fsdevel&m=152719324102009&w=2
Thanks for the patch. Should already be fixed in:
git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse.git for-next
Miklos
On Fri, Jun 01, 2018 at 11:28:31AM +0200, Miklos Szeredi wrote:
> On Fri, Jun 1, 2018 at 11:24 AM, Stefan Hajnoczi <[email protected]> wrote:
> > Ping?
> >
> > Archive link in case I broke email threading:
> > https://marc.info/?l=linux-fsdevel&m=152719324102009&w=2
>
> Thanks for the patch. Should already be fixed in:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse.git for-next
Great, thanks!
Stefan