Commit 0c0214df authored by Jan Kara

fanotify: Fix crash in fanotify_init(2)

The error handling in fanotify_init(2) is buggy and overwrites 'fd'
before calling put_unused_fd() leading to possible access beyond the end
of fd bitmap. Fix it.

Reported-by: <syzbot+6a3aa63412255587b21b@syzkaller.appspotmail.com>
Fixes: ebe55960 ("fs: get rid of __FMODE_NONOTIFY kludge")
Signed-off-by: Jan Kara <jack@suse.cz>
parent 0357ef03
+1 −1
@@ -1624,8 +1624,8 @@ SYSCALL_DEFINE2(fanotify_init, unsigned int, flags, unsigned int, event_f_flags)
	file = anon_inode_getfile_fmode("[fanotify]", &fanotify_fops, group,
					f_flags, FMODE_NONOTIFY);
	if (IS_ERR(file)) {
		fd = PTR_ERR(file);
		put_unused_fd(fd);
		fd = PTR_ERR(file);
		goto out_destroy_group;
	}
	fd_install(fd, file);
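Review bot: the reordering in this hunk is the correct fix, but the root cause is that `fd` is reused to carry the errno from `PTR_ERR(file)`, which is what let a negative value reach `put_unused_fd(fd)` and index the fd bitmap out of range in the original ordering. Consider carrying the error in a separate variable so the two roles can never be confused again, e.g. `err = PTR_ERR(file); put_unused_fd(fd);` and returning `err` from the `out_destroy_group` path, or at least adding a one-line comment above `put_unused_fd(fd);` stating that `fd` must still hold the slot from `get_unused_fd_flags()` at this point. As written, `put_unused_fd()` now receives the allocated descriptor and only afterwards is `fd` overwritten with the error code, which matches the description in the commit message.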