[PATCH] fuse: Fix oops at process_init_reply().

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



From: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>

syzbot is hitting NULL pointer dereference at process_init_reply() [1].
This is because deactivate_locked_super() is called before response for
initial request is processed. Fix this by protecting process_init_reply()
using fc->killsb.

[1] https://syzkaller.appspot.com/bug?id=d363046088dc26030e146e92102f965bf4623a50

Signed-off-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>
Reported-by: syzbot <syzbot+b62f08f4d5857755e3bc@xxxxxxxxxxxxxxxxxxxxxxxxx>
---
 fs/fuse/inode.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
index a24df88..2c9495e 100644
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -868,7 +868,8 @@ static void process_init_reply(struct fuse_conn *fc, struct fuse_req *req)
 {
 	struct fuse_init_out *arg = &req->misc.init_out;
 
-	if (req->out.h.error || arg->major != FUSE_KERNEL_VERSION)
+	down_read(&fc->killsb);
+	if (req->out.h.error || arg->major != FUSE_KERNEL_VERSION || !fc->sb)
 		fc->conn_error = 1;
 	else {
 		unsigned long ra_pages;
@@ -938,6 +939,7 @@ static void process_init_reply(struct fuse_conn *fc, struct fuse_req *req)
 	}
 	fuse_set_initialized(fc);
 	wake_up_all(&fc->blocked_waitq);
+	up_read(&fc->killsb);
 }
 
 static void fuse_send_init(struct fuse_conn *fc, struct fuse_req *req)
-- 
2.7.4




[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux