LKML Archive on lore.kernel.org
* [PATCH] fuse: fix NULL dereference when new_inode() fails
@ 2018-05-24 20:20 Stefan Hajnoczi
  2018-06-01  9:24 ` Stefan Hajnoczi
  0 siblings, 1 reply; 4+ messages in thread
From: Stefan Hajnoczi @ 2018-05-24 20:20 UTC
  To: linux-fsdevel; +Cc: linux-kernel, Miklos Szeredi, Stefan Hajnoczi

fuse_ctl_remove_conn() dereferences d_inode(fc->ctl_dentry[i]).  If
fuse_ctl_add_dentry() failed to allocate the inode then this field is
NULL and it's not safe to call fuse_ctl_remove_conn().

This patch frees partially initialized dentries in the
fuse_ctl_add_dentry() error case to solve the NULL dereference.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
I spotted this when reading the code.  Compile-tested only.

 fs/fuse/control.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/fs/fuse/control.c b/fs/fuse/control.c
index b9ea99c5b5b3..ef3af9c32147 100644
--- a/fs/fuse/control.c
+++ b/fs/fuse/control.c
@@ -211,10 +211,13 @@ static struct dentry *fuse_ctl_add_dentry(struct dentry *parent,
 	if (!dentry)
 		return NULL;
 
-	fc->ctl_dentry[fc->ctl_ndents++] = dentry;
 	inode = new_inode(fuse_control_sb);
-	if (!inode)
+	if (!inode) {
+		dput(dentry);
 		return NULL;
+	}
+
+	fc->ctl_dentry[fc->ctl_ndents++] = dentry;
 
 	inode->i_ino = get_next_ino();
 	inode->i_mode = mode;
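
Review bot: the relocated store `fc->ctl_dentry[fc->ctl_ndents++] = dentry;` now sits after the `!inode` check but still ahead of the inode setup that follows (`inode->i_ino = get_next_ino();`, `inode->i_mode = mode;`), so the invariant the commit message relies on, that every entry in fc->ctl_dentry[] has a non-NULL d_inode() when fuse_ctl_remove_conn() walks the array, stays implicit. Consider moving the store to the end of the function once the inode is fully set up, or adding a one-line comment above it stating the invariant, so that a failure path added later between the store and the end of the function does not reintroduce the NULL dereference. Since the patch is marked compile-tested only, it would also help to say whether the new `dput(dentry)` error path was exercised, for example with allocation fault injection covering new_inode().
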
-- 
2.17.0


* Re: [PATCH] fuse: fix NULL dereference when new_inode() fails
  2018-05-24 20:20 [PATCH] fuse: fix NULL dereference when new_inode() fails Stefan Hajnoczi
@ 2018-06-01  9:24 ` Stefan Hajnoczi
  2018-06-01  9:28   ` Miklos Szeredi
  0 siblings, 1 reply; 4+ messages in thread
From: Stefan Hajnoczi @ 2018-06-01  9:24 UTC
  To: Miklos Szeredi; +Cc: linux-fsdevel, linux-kernel, miklos

Ping?

Archive link in case I broke email threading:
https://marc.info/?l=linux-fsdevel&m=152719324102009&w=2

Stefan


* Re: [PATCH] fuse: fix NULL dereference when new_inode() fails
  2018-06-01  9:24 ` Stefan Hajnoczi
@ 2018-06-01  9:28   ` Miklos Szeredi
  2018-06-01 13:52     ` Stefan Hajnoczi
  0 siblings, 1 reply; 4+ messages in thread
From: Miklos Szeredi @ 2018-06-01  9:28 UTC
  To: Stefan Hajnoczi; +Cc: Miklos Szeredi, linux-fsdevel, linux-kernel

On Fri, Jun 1, 2018 at 11:24 AM, Stefan Hajnoczi <stefanha@redhat.com> wrote:
> Ping?
>
> Archive link in case I broke email threading:
> https://marc.info/?l=linux-fsdevel&m=152719324102009&w=2

Thanks for the patch.  Should already be fixed in:

  git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse.git for-next

Miklos


* Re: [PATCH] fuse: fix NULL dereference when new_inode() fails
  2018-06-01  9:28   ` Miklos Szeredi
@ 2018-06-01 13:52     ` Stefan Hajnoczi
  0 siblings, 0 replies; 4+ messages in thread
From: Stefan Hajnoczi @ 2018-06-01 13:52 UTC
  To: Miklos Szeredi; +Cc: Miklos Szeredi, linux-fsdevel, linux-kernel

On Fri, Jun 01, 2018 at 11:28:31AM +0200, Miklos Szeredi wrote:
> On Fri, Jun 1, 2018 at 11:24 AM, Stefan Hajnoczi <stefanha@redhat.com> wrote:
> > Ping?
> >
> > Archive link in case I broke email threading:
> > https://marc.info/?l=linux-fsdevel&m=152719324102009&w=2
> 
> Thanks for the patch.  Should already be fixed in:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse.git for-next

Great, thanks!

Stefan
