From: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx> syzbot is hitting NULL pointer dereference at process_init_reply() [1]. This is because deactivate_locked_super() is called before response for initial request is processed. Fix this by protecting process_init_reply() using fc->killsb. [1] https://syzkaller.appspot.com/bug?id=d363046088dc26030e146e92102f965bf4623a50 Signed-off-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx> Reported-by: syzbot <syzbot+b62f08f4d5857755e3bc@xxxxxxxxxxxxxxxxxxxxxxxxx> --- fs/fuse/inode.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c index a24df88..2c9495e 100644 --- a/fs/fuse/inode.c +++ b/fs/fuse/inode.c @@ -868,7 +868,8 @@ static void process_init_reply(struct fuse_conn *fc, struct fuse_req *req) { struct fuse_init_out *arg = &req->misc.init_out; - if (req->out.h.error || arg->major != FUSE_KERNEL_VERSION) + down_read(&fc->killsb); + if (req->out.h.error || arg->major != FUSE_KERNEL_VERSION || !fc->sb) fc->conn_error = 1; else { unsigned long ra_pages; @@ -938,6 +939,7 @@ static void process_init_reply(struct fuse_conn *fc, struct fuse_req *req) } fuse_set_initialized(fc); wake_up_all(&fc->blocked_waitq); + up_read(&fc->killsb); } static void fuse_send_init(struct fuse_conn *fc, struct fuse_req *req) -- 2.7.4
