mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
synced 2025-01-04 04:02:26 +00:00
fuse: Set *nbytesp=0 in fuse_get_user_pages on allocation failure
In fuse_get_user_pages(), set *nbytesp to 0 when struct page **pages
allocation fails. This prevents the caller (fuse_direct_io) from making
incorrect assumptions that could lead to NULL pointer dereferences
when processing the request reply.
Previously, *nbytesp was left unmodified on allocation failure, which
could cause issues if the caller assumed pages had been added to
ap->descs[] when they hadn't.
Reported-by: syzbot+87b8e6ed25dbc41759f7@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=87b8e6ed25dbc41759f7
Fixes: 3b97c3652d
("fuse: convert direct io to use folios")
Signed-off-by: Bernd Schubert <bschubert@ddn.com>
Reviewed-by: Joanne Koong <joannelkoong@gmail.com>
Tested-by: Dmitry Antipov <dmantipov@yandex.ru>
Tested-by: David Howells <dhowells@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
This commit is contained in:
parent
7a4f541873
commit
78f2560fc9
@ -1541,8 +1541,10 @@ static int fuse_get_user_pages(struct fuse_args_pages *ap, struct iov_iter *ii,
|
|||||||
*/
|
*/
|
||||||
struct page **pages = kzalloc(max_pages * sizeof(struct page *),
|
struct page **pages = kzalloc(max_pages * sizeof(struct page *),
|
||||||
GFP_KERNEL);
|
GFP_KERNEL);
|
||||||
if (!pages)
|
if (!pages) {
|
||||||
return -ENOMEM;
|
ret = -ENOMEM;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
while (nbytes < *nbytesp && nr_pages < max_pages) {
|
while (nbytes < *nbytesp && nr_pages < max_pages) {
|
||||||
unsigned nfolios, i;
|
unsigned nfolios, i;
|
||||||
@ -1588,6 +1590,7 @@ static int fuse_get_user_pages(struct fuse_args_pages *ap, struct iov_iter *ii,
|
|||||||
else
|
else
|
||||||
ap->args.out_pages = true;
|
ap->args.out_pages = true;
|
||||||
|
|
||||||
|
out:
|
||||||
*nbytesp = nbytes;
|
*nbytesp = nbytes;
|
||||||
|
|
||||||
return ret < 0 ? ret : 0;
|
return ret < 0 ? ret : 0;
|
||||||
|
Loading…
Reference in New Issue
Block a user