syzbot reported general protection fault in kstrtouint:
https://lkml.org/lkml/2019/7/18/328

From the log, if the mount option is something like:
fd,XXXXXXXXXXXXXXXXXXXX

The default parameter (which has NULL param->string) will be passed to
vfs_parse_fs_param. Finally, this NULL param->string is passed to
kstrtouint and triggers a NULL pointer access.

Reported-by: syzbot+398343b7c1b1b989228d@xxxxxxxxxxxxxxxxxxxxxxxxx
Fixes: 71cbb7570a9a ("vfs: Move the subtype parameter into fuse")
Signed-off-by: Yin Fengwei <nh26223.lmm@xxxxxxxxx>
---
ChangeLog:
v1 -> v2:
- Fix typo in v1
- Remove braces {} from single statement blocks

fs/fs_parser.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/fs_parser.c b/fs/fs_parser.c index 83b66c9e9a24..7498a44f18c0 100644 --- a/fs/fs_parser.c +++ b/fs/fs_parser.c @@ -206,6 +206,9 @@ int fs_parse(struct fs_context *fc, case fs_param_is_fd: { switch (param->type) { case fs_value_is_string: + if (!result->has_value) + goto bad_value; + ret = kstrtouint(param->string, 0, &result->uint_32); break; case fs_value_is_file: -- 2.17.1
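
Review bot: In the fs_value_is_string case under fs_param_is_fd, the new guard tests `result->has_value`, but the pointer that kstrtouint dereferences is `param->string`, and nothing in the hunk shows that has_value being set guarantees a non-NULL string. Either test the pointer itself (`if (!param->string) goto bad_value;`) or add a one-line comment stating the invariant that ties the two together, so the check does not silently stop protecting the call if has_value is later computed differently. The commit message traces the fault to a default parameter with NULL param->string reaching the parser, so the description should also say whether any other case in fs_parse that converts param->string can be reached with the same NULL, since this hunk covers only the fd case. Minor style point: the added blank line between `goto bad_value;` and the kstrtouint call makes the change three lines where two would do.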