Commit 78f2560f authored Dec 03, 2024 by Bernd Schubert Committed by Miklos Szeredi Dec 13, 2024

fuse: Set *nbytesp=0 in fuse_get_user_pages on allocation failure



In fuse_get_user_pages(), set *nbytesp to 0 when struct page **pages
allocation fails. This prevents the caller (fuse_direct_io) from making
incorrect assumptions that could lead to NULL pointer dereferences
when processing the request reply.

Previously, *nbytesp was left unmodified on allocation failure, which
could cause issues if the caller assumed pages had been added to
ap->descs[] when they hadn't.

Reported-by:  <syzbot+87b8e6ed25dbc41759f7@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=87b8e6ed25dbc41759f7


Fixes: 3b97c365 ("fuse: convert direct io to use folios")
Signed-off-by: Bernd Schubert <bschubert@ddn.com>
Reviewed-by: Joanne Koong <joannelkoong@gmail.com>
Tested-by: Dmitry Antipov <dmantipov@yandex.ru>
Tested-by: David Howells <dhowells@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

parent 7a4f5418

fs/fuse/file.c

+5 −2

Original line number	Diff line number	Diff line
		@@ -1541,8 +1541,10 @@ static int fuse_get_user_pages(struct fuse_args_pages ap, struct iov_iter ii,
		*/
		struct page *pages = kzalloc(max_pages sizeof(struct page *),
		GFP_KERNEL);
		if (!pages)
		return -ENOMEM;
		if (!pages) {
		ret = -ENOMEM;
		goto out;
		}

		while (nbytes < *nbytesp && nr_pages < max_pages) {
		unsigned nfolios, i;
		@@ -1588,6 +1590,7 @@ static int fuse_get_user_pages(struct fuse_args_pages ap, struct iov_iter ii,
		else
		ap->args.out_pages = true;

		out:
		*nbytesp = nbytes;

		return ret < 0 ? ret : 0;