Skip to content

Commit 80019f1

Browse files
author
Miklos Szeredi
committed
fuse: always initialize sb->s_fs_info
Syzkaller reports a null pointer dereference in fuse_test_super() that is caused by sb->s_fs_info being NULL. This is due to the fact that fuse_fill_super() is initializing s_fs_info, which is too late, it's already on the fs_supers list. The initialization needs to be done in sget_fc() with the sb_lock held. Move allocation of fuse_mount and fuse_conn from fuse_fill_super() into fuse_get_tree(). After this ->kill_sb() will always be called with non-NULL ->s_fs_info, hence fuse_mount_destroy() can drop the test for non-NULL "fm". Reported-by: [email protected] Fixes: 5d5b74a ("fuse: allow sharing existing sb") Signed-off-by: Miklos Szeredi <[email protected]>
1 parent c191cd0 commit 80019f1

File tree

1 file changed

+25
-25
lines changed

1 file changed

+25
-25
lines changed

fs/fuse/inode.c

Lines changed: 25 additions & 25 deletions
Original file line numberDiff line numberDiff line change
@@ -1557,8 +1557,6 @@ static int fuse_fill_super(struct super_block *sb, struct fs_context *fsc)
15571557
{
15581558
struct fuse_fs_context *ctx = fsc->fs_private;
15591559
int err;
1560-
struct fuse_conn *fc;
1561-
struct fuse_mount *fm;
15621560

15631561
if (!ctx->file || !ctx->rootmode_present ||
15641562
!ctx->user_id_present || !ctx->group_id_present)
@@ -1574,22 +1572,6 @@ static int fuse_fill_super(struct super_block *sb, struct fs_context *fsc)
15741572
goto err;
15751573
ctx->fudptr = &ctx->file->private_data;
15761574

1577-
fc = kmalloc(sizeof(*fc), GFP_KERNEL);
1578-
err = -ENOMEM;
1579-
if (!fc)
1580-
goto err;
1581-
1582-
fm = kzalloc(sizeof(*fm), GFP_KERNEL);
1583-
if (!fm) {
1584-
kfree(fc);
1585-
goto err;
1586-
}
1587-
1588-
fuse_conn_init(fc, fm, sb->s_user_ns, &fuse_dev_fiq_ops, NULL);
1589-
fc->release = fuse_free_conn;
1590-
1591-
sb->s_fs_info = fm;
1592-
15931575
err = fuse_fill_super_common(sb, ctx);
15941576
if (err)
15951577
goto err;
@@ -1621,22 +1603,40 @@ static int fuse_get_tree(struct fs_context *fsc)
16211603
{
16221604
struct fuse_fs_context *ctx = fsc->fs_private;
16231605
struct fuse_dev *fud;
1606+
struct fuse_conn *fc;
1607+
struct fuse_mount *fm;
16241608
struct super_block *sb;
16251609
int err;
16261610

1611+
fc = kmalloc(sizeof(*fc), GFP_KERNEL);
1612+
if (!fc)
1613+
return -ENOMEM;
1614+
1615+
fm = kzalloc(sizeof(*fm), GFP_KERNEL);
1616+
if (!fm) {
1617+
kfree(fc);
1618+
return -ENOMEM;
1619+
}
1620+
1621+
fuse_conn_init(fc, fm, fsc->user_ns, &fuse_dev_fiq_ops, NULL);
1622+
fc->release = fuse_free_conn;
1623+
1624+
fsc->s_fs_info = fm;
1625+
16271626
if (ctx->fd_present)
16281627
ctx->file = fget(ctx->fd);
16291628

16301629
if (IS_ENABLED(CONFIG_BLOCK) && ctx->is_bdev) {
16311630
err = get_tree_bdev(fsc, fuse_fill_super);
1632-
goto out_fput;
1631+
goto out;
16331632
}
16341633
/*
16351634
* While block dev mount can be initialized with a dummy device fd
16361635
* (found by device name), normal fuse mounts can't
16371636
*/
1637+
err = -EINVAL;
16381638
if (!ctx->file)
1639-
return -EINVAL;
1639+
goto out;
16401640

16411641
/*
16421642
* Allow creating a fuse mount with an already initialized fuse
@@ -1652,7 +1652,9 @@ static int fuse_get_tree(struct fs_context *fsc)
16521652
} else {
16531653
err = get_tree_nodev(fsc, fuse_fill_super);
16541654
}
1655-
out_fput:
1655+
out:
1656+
if (fsc->s_fs_info)
1657+
fuse_mount_destroy(fm);
16561658
if (ctx->file)
16571659
fput(ctx->file);
16581660
return err;
@@ -1740,10 +1742,8 @@ static void fuse_sb_destroy(struct super_block *sb)
17401742

17411743
void fuse_mount_destroy(struct fuse_mount *fm)
17421744
{
1743-
if (fm) {
1744-
fuse_conn_put(fm->fc);
1745-
kfree(fm);
1746-
}
1745+
fuse_conn_put(fm->fc);
1746+
kfree(fm);
17471747
}
17481748
EXPORT_SYMBOL(fuse_mount_destroy);
17491749

0 commit comments

Comments
 (0)