From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot, Miklos Szeredi
Subject: [PATCH 4.17 043/220] fuse: fix control dir setup and teardown
Date: Sun, 1 Jul 2018 18:21:07 +0200
Message-Id: <20180701160910.121576575@linuxfoundation.org>
In-Reply-To: <20180701160908.272447118@linuxfoundation.org>
References: <20180701160908.272447118@linuxfoundation.org>

4.17-stable review patch. If anyone has any objections, please let me know.

------------------

From: Miklos Szeredi

commit 6becdb601bae2a043d7fb9762c4d48699528ea6e upstream.

syzbot is reporting NULL pointer dereference at fuse_ctl_remove_conn() [1]. Since fc->ctl_ndents is incremented by fuse_ctl_add_conn() when new_inode() failed, fuse_ctl_remove_conn() reaches an inode-less dentry and tries to clear d_inode(dentry)->i_private field.

Fix by only adding the dentry to the array after being fully set up.

When tearing down the control directory, do d_invalidate() on it to get rid of any mounts that might have been added.

[1] https://syzkaller.appspot.com/bug?id=f396d863067238959c91c0b7cfc10b163638cac6

Reported-by: syzbot
Fixes: bafa96541b25 ("[PATCH] fuse: add control filesystem")
Cc: # v2.6.18
Signed-off-by: Miklos Szeredi
Signed-off-by: Greg Kroah-Hartman
--- fs/fuse/control.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) --- a/fs/fuse/control.c +++ b/fs/fuse/control.c @@ -211,10 +211,11 @@ static struct dentry *fuse_ctl_add_dentr if (!dentry) return NULL; - fc->ctl_dentry[fc->ctl_ndents++] = dentry; inode = new_inode(fuse_control_sb); - if (!inode) + if (!inode) { + dput(dentry); return NULL; + } inode->i_ino = get_next_ino(); inode->i_mode = mode; @@ -228,6 +229,9 @@ static struct dentry *fuse_ctl_add_dentr set_nlink(inode, nlink); inode->i_private = fc; d_add(dentry, inode); + + fc->ctl_dentry[fc->ctl_ndents++] = dentry; + return dentry; } @@ -284,7 +288,10 @@ void fuse_ctl_remove_conn(struct fuse_co for (i = fc->ctl_ndents - 1; i >= 0; i--) { struct dentry *dentry = fc->ctl_dentry[i]; d_inode(dentry)->i_private = NULL; - d_drop(dentry); + if (!i) { + /* Get rid of submounts: */ + d_invalidate(dentry); + } dput(dentry); } drop_nlink(d_inode(fuse_control_sb->s_root));
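
Review bot: In the hunk at -211, the new `if (!inode)` branch drops the dentry and returns NULL without having touched fc->ctl_dentry, but nothing in the code says why the array store was moved away from this spot. A one-line comment next to `dput(dentry);` stating that the dentry has not yet been recorded in fc->ctl_dentry, so teardown will never see it, would keep a later cleanup from reintroducing the early store that the commit message identifies as the cause of the syzbot report.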
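
Review bot: In the hunk at -228, `fc->ctl_dentry[fc->ctl_ndents++] = dentry;` now runs after `d_add(dentry, inode);`, so for a short window the dentry is hashed but not yet tracked in the array that fuse_ctl_remove_conn() walks. The patch does not show which lock covers both paths. Please confirm that setup and teardown are serialized and say so in a comment above the store, since a teardown that ran inside that window would skip this dentry and never drop its reference.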
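
Review bot: In the fuse_ctl_remove_conn() hunk, `if (!i)` encodes the assumption that slot 0 of fc->ctl_dentry is the connection's directory, which is not stated anywhere in the visible lines; a comment to that effect or a named index would make the special case readable. The added comment also mentions only submounts, while the same change removes `d_drop(dentry);` for every other entry, so if the child dentries are expected to go away as part of invalidating the parent, the comment should say that too. The unchecked `d_inode(dentry)->i_private = NULL;` above it is now safe only because the array holds fully set up dentries, an invariant worth noting at the top of the loop.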