[trimmed Cc list a bit]

On Thu, Aug 15, 2019 at 07:46:56PM -0700, Eric Biggers wrote:
> On Sat, Jul 20, 2019 at 07:29:49AM +0800, Yin Fengwei wrote:
> > syzbot reported general protection fault in kstrtouint:
> > https://lkml.org/lkml/2019/7/18/328
> >
> > From the log, if the mount option is something like:
> > fd,XXXXXXXXXXXXXXXXXXXX
> >
> > The default parameter (which has NULL param->string) will be
> > passed to vfs_parse_fs_param. Finally, this NULL param->string
> > is passed to kstrtouint and triggers a NULL pointer access.
> >
> > Reported-by: syzbot+398343b7c1b1b989228d@xxxxxxxxxxxxxxxxxxxxxxxxx
> > Fixes: 71cbb7570a9a ("vfs: Move the subtype parameter into fuse")
> >
> > Signed-off-by: Yin Fengwei <nh26223.lmm@xxxxxxxxx>
> > ---
> > ChangeLog:
> > v1 -> v2:
> >   - Fix typo in v1
> >   - Remove braces {} from single statement blocks
> >
> >  fs/fs_parser.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/fs/fs_parser.c b/fs/fs_parser.c
> > index 83b66c9e9a24..7498a44f18c0 100644
> > --- a/fs/fs_parser.c
> > +++ b/fs/fs_parser.c
> > @@ -206,6 +206,9 @@ int fs_parse(struct fs_context *fc,
> >  	case fs_param_is_fd: {
> >  		switch (param->type) {
> >  		case fs_value_is_string:
> > +			if (!result->has_value)
> > +				goto bad_value;
> > +
> >  			ret = kstrtouint(param->string, 0, &result->uint_32);
> >  			break;
> >  		case fs_value_is_file:
> > --
> > 2.17.1
>
> Reviewed-by: Eric Biggers <ebiggers@xxxxxxxxxx>
>
> Al, can you please apply this patch?
>
> - Eric

Ping. Al, when are you going to apply this?

- Eric
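Review bot: the guard added before the kstrtouint() call tests result->has_value, while the commit message describes the actual failure as a NULL param->string reaching kstrtouint(); the hunk therefore relies on has_value having been derived from param->string earlier in fs_parse(), an invariant that is not visible in this hunk. Either check the pointer the message names directly, i.e. "if (!param->string) goto bad_value;", or add a one-line comment above the new check stating that has_value is false exactly when param->string is NULL, so a later reader of this case does not have to go looking for where has_value is set. The added blank "+" line after the goto is fine stylistically but could be dropped to keep the case body compact.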