
Commit e8f3bd77 authored by Miklos Szeredi's avatar Miklos Szeredi

fuse: Fix oops at process_init_reply()



syzbot is hitting NULL pointer dereference at process_init_reply().
This is because deactivate_locked_super() is called before response for
initial request is processed.

Fix this by aborting and waiting for all requests (including FUSE_INIT)
before resetting fc->sb.

Original patch by Tetsuo Handa <penguin-kernel@I-love.SKAURA.ne.jp>.

Reported-by: syzbot <syzbot+b62f08f4d5857755e3bc@syzkaller.appspotmail.com>
Fixes: e27c9d38 ("fuse: fuse: add time_gran to INIT_OUT")
Cc: <stable@vger.kernel.org> # v3.19
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
parent b8f95e5d
+11 −14
@@ -391,11 +391,6 @@ static void fuse_put_super(struct super_block *sb)
{
	struct fuse_conn *fc = get_fuse_conn_super(sb);

	fuse_send_destroy(fc);

	fuse_abort_conn(fc, false);
	fuse_wait_aborted(fc);

	mutex_lock(&fuse_mutex);
	list_del(&fc->entry);
	fuse_ctl_remove_conn(fc);
@@ -1212,16 +1207,25 @@ static struct dentry *fuse_mount(struct file_system_type *fs_type,
	return mount_nodev(fs_type, flags, raw_data, fuse_fill_super);
}

static void fuse_kill_sb_anon(struct super_block *sb)
static void fuse_sb_destroy(struct super_block *sb)
{
	struct fuse_conn *fc = get_fuse_conn_super(sb);

	if (fc) {
		fuse_send_destroy(fc);

		fuse_abort_conn(fc, false);
		fuse_wait_aborted(fc);

		down_write(&fc->killsb);
		fc->sb = NULL;
		up_write(&fc->killsb);
	}
}

static void fuse_kill_sb_anon(struct super_block *sb)
{
	fuse_sb_destroy(sb);
	kill_anon_super(sb);
}

@@ -1244,14 +1248,7 @@ static struct dentry *fuse_mount_blk(struct file_system_type *fs_type,

static void fuse_kill_sb_blk(struct super_block *sb)
{
	struct fuse_conn *fc = get_fuse_conn_super(sb);

	if (fc) {
		down_write(&fc->killsb);
		fc->sb = NULL;
		up_write(&fc->killsb);
	}

	fuse_sb_destroy(sb);
	kill_block_super(sb);
}
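Review bot: The ordering inside fuse_sb_destroy() is the whole fix, yet nothing at the `fc->sb = NULL` store records why fuse_abort_conn()/fuse_wait_aborted() must run first, so a later cleanup could hoist the store or move the three calls back into fuse_put_super() and silently reintroduce the oops; a comment above `down_write(&fc->killsb)` such as `/* process_init_reply() dereferences fc->sb: abort and drain every request, FUSE_INIT included, before clearing it. */` would pin the invariant. One side effect worth confirming: fuse_send_destroy(), fuse_abort_conn() and fuse_wait_aborted() used to run from fuse_put_super(), which generic_shutdown_super() presumably only calls once sb->s_root is set, whereas fuse_sb_destroy() now runs them for any sb whose s_fs_info is set, including a mount where fuse_fill_super() failed partway, so those helpers should be checked to tolerate a connection that never sent INIT or never allocated its destroy request. They also now run before kill_anon_super()/kill_block_super() tears down the dentry and inode trees rather than after, so the DESTROY request reaches the daemon before the remaining inodes are evicted; if that reordering is intended it deserves a sentence in the description.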