Message ID | 20180524202004.7813-1-stefanha@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Ping?

Archive link in case I broke email threading:
https://marc.info/?l=linux-fsdevel&m=152719324102009&w=2

Stefan

On Fri, Jun 1, 2018 at 11:24 AM, Stefan Hajnoczi <stefanha@redhat.com> wrote:
> Ping?
>
> Archive link in case I broke email threading:
> https://marc.info/?l=linux-fsdevel&m=152719324102009&w=2

Thanks for the patch. Should already be fixed in:

git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse.git for-next

Miklos

On Fri, Jun 01, 2018 at 11:28:31AM +0200, Miklos Szeredi wrote:
> On Fri, Jun 1, 2018 at 11:24 AM, Stefan Hajnoczi <stefanha@redhat.com> wrote:
> > Ping?
> >
> > Archive link in case I broke email threading:
> > https://marc.info/?l=linux-fsdevel&m=152719324102009&w=2
>
> Thanks for the patch. Should already be fixed in:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse.git for-next

Great, thanks!

Stefan

diff --git a/fs/fuse/control.c b/fs/fuse/control.c index b9ea99c5b5b3..ef3af9c32147 100644 --- a/fs/fuse/control.c +++ b/fs/fuse/control.c @@ -211,10 +211,13 @@ static struct dentry *fuse_ctl_add_dentry(struct dentry *parent, if (!dentry) return NULL; - fc->ctl_dentry[fc->ctl_ndents++] = dentry; inode = new_inode(fuse_control_sb); - if (!inode) + if (!inode) { + dput(dentry); return NULL; + } + + fc->ctl_dentry[fc->ctl_ndents++] = dentry; inode->i_ino = get_next_ino(); inode->i_mode = mode;
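
Review bot: The relocated `fc->ctl_dentry[fc->ctl_ndents++] = dentry;` store, now placed after the `if (!inode)` block, has no comment explaining why it must follow `new_inode()`. The ordering is the whole fix: only a dentry that is going to receive an inode may be entered into `ctl_dentry[]`, because fuse_ctl_remove_conn() dereferences d_inode() on every recorded entry. A one-line comment above the store saying so would keep a later cleanup from moving it back up and reintroducing the NULL dereference. The new `dput(dentry)` branch is also described as compile-tested only, so it would be worth exercising the `new_inode()` failure path once (for example with allocation fault injection) to confirm the dentry reference is dropped exactly once and that the connection teardown no longer sees a half-initialized entry.
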
fuse_ctl_remove_conn() dereferences d_inode(fc->ctl_dentry[i]). If fuse_ctl_add_dentry() failed to allocate the inode then this field is NULL and it's not safe to call fuse_ctl_remove_conn().

This patch frees partially initialized dentries in the fuse_ctl_add_dentry() error case to solve the NULL dereference.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
I spotted this when reading the code. Compile-tested only.

 fs/fuse/control.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)