From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot, Miklos Szeredi
Subject: [PATCH 4.9 023/101] fuse: fix control dir setup and teardown
Date: Sun, 1 Jul 2018 18:21:09 +0200
Message-Id: <20180701160758.070967043@linuxfoundation.org>
In-Reply-To: <20180701160757.138608453@linuxfoundation.org>

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Miklos Szeredi

commit 6becdb601bae2a043d7fb9762c4d48699528ea6e upstream.

syzbot is reporting NULL pointer dereference at fuse_ctl_remove_conn() [1]. Since fc->ctl_ndents is incremented by fuse_ctl_add_conn() when new_inode() failed, fuse_ctl_remove_conn() reaches an inode-less dentry and tries to clear d_inode(dentry)->i_private field.

Fix by only adding the dentry to the array after being fully set up.

When tearing down the control directory, do d_invalidate() on it to get rid of any mounts that might have been added.

[1] https://syzkaller.appspot.com/bug?id=f396d863067238959c91c0b7cfc10b163638cac6

Reported-by: syzbot
Fixes: bafa96541b25 ("[PATCH] fuse: add control filesystem")
Cc: # v2.6.18
Signed-off-by: Miklos Szeredi
Signed-off-by: Greg Kroah-Hartman
---
 fs/fuse/control.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

--- a/fs/fuse/control.c +++ b/fs/fuse/control.c @@ -211,10 +211,11 @@ static struct dentry *fuse_ctl_add_dentr if (!dentry) return NULL; - fc->ctl_dentry[fc->ctl_ndents++] = dentry; inode = new_inode(fuse_control_sb); - if (!inode) + if (!inode) { + dput(dentry); return NULL; + } inode->i_ino = get_next_ino(); inode->i_mode = mode; @@ -228,6 +229,9 @@ static struct dentry *fuse_ctl_add_dentr set_nlink(inode, nlink); inode->i_private = fc; d_add(dentry, inode); + + fc->ctl_dentry[fc->ctl_ndents++] = dentry; + return dentry; } @@ -284,7 +288,10 @@ void fuse_ctl_remove_conn(struct fuse_co for (i = fc->ctl_ndents - 1; i >= 0; i--) { struct dentry *dentry = fc->ctl_dentry[i]; d_inode(dentry)->i_private = NULL; - d_drop(dentry); + if (!i) { + /* Get rid of submounts: */ + d_invalidate(dentry); + } dput(dentry); } drop_nlink(d_inode(fuse_control_sb->s_root));
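
Review bot: In the @@ -228,6 +229,9 @@ hunk, the store `fc->ctl_dentry[fc->ctl_ndents++] = dentry;` now sits after d_add() with no bound on ctl_ndents visible in either hunk of this function. If a capacity check exists earlier in the function, outside the shown context, the inode setup now separates it from the write it guards; consider moving it next to the store, or adding a comment at the store, so the index check and the array write stay together.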
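
Review bot: In the @@ -284,7 +288,10 @@ hunk, `if (!i)` relies on ctl_dentry[0] being the control directory for this connection, and the comment "Get rid of submounts:" does not say so. Entries with i > 0 previously got d_drop() and now only get dput(), so the comment should state that index 0 is the directory and that invalidating it is meant to cover the entries below it. The unconditional `d_inode(dentry)->i_private = NULL;` just above is safe only because the array now holds fully set up dentries; a one-line note of that invariant here would keep the teardown loop in step with the add path.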