From: Stefan Hajnoczi
To: linux-fsdevel@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Miklos Szeredi, Stefan Hajnoczi
Subject: [PATCH] fuse: fix NULL dereference when new_inode() fails
Date: Thu, 24 May 2018 21:20:04 +0100
Message-Id: <20180524202004.7813-1-stefanha@redhat.com>

fuse_ctl_remove_conn() dereferences d_inode(fc->ctl_dentry[i]). If fuse_ctl_add_dentry() failed to allocate the inode then this field is NULL and it's not safe to call fuse_ctl_remove_conn().

This patch frees partially initialized dentries in the fuse_ctl_add_dentry() error case to solve the NULL dereference.

Signed-off-by: Stefan Hajnoczi
---
I spotted this when reading the code. Compile-tested only.

fs/fuse/control.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/fs/fuse/control.c b/fs/fuse/control.c index b9ea99c5b5b3..ef3af9c32147 100644 --- a/fs/fuse/control.c +++ b/fs/fuse/control.c @@ -211,10 +211,13 @@ static struct dentry *fuse_ctl_add_dentry(struct dentry *parent, if (!dentry) return NULL; - fc->ctl_dentry[fc->ctl_ndents++] = dentry; inode = new_inode(fuse_control_sb); - if (!inode) + if (!inode) { + dput(dentry); return NULL; + } + + fc->ctl_dentry[fc->ctl_ndents++] = dentry; inode->i_ino = get_next_ino(); inode->i_mode = mode; -- 2.17.0
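
Review bot: the relocated store `fc->ctl_dentry[fc->ctl_ndents++] = dentry;` now carries an invariant that nothing in the hunk documents: every entry recorded in ctl_dentry[] must already have passed the new_inode() check, because fuse_ctl_remove_conn() dereferences d_inode() on each entry, as the commit message says. A one-line comment above the store stating that would keep a later reordering from reintroducing the NULL dereference. In the new `if (!inode) {` branch, dput(dentry) is applied to a dentry that was never published to the array, which matches the intent, but since the note says the patch is compile-tested only, the failure path should be exercised at runtime once (for example with slab fault injection) before merging. The message also has no Fixes: tag, which would help stable maintainers decide how far back the fix applies.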