From: Danny Feng <dfeng@redhat.com> Date: Fri, 4 Dec 2009 04:30:47 -0500 Subject: [fuse] prevent fuse_put_request on invalid pointer Message-id: <20091204043021.22047.4742.sendpatchset@dhcp-65-180.nay.redhat.com> Patchwork-id: 21675 O-Subject: [PATCH RHEL5.5] fuse: prevent fuse_put_request on invalid pointer Bugzilla: 538737 CVE: CVE-2009-4021 RH-Acked-by: Eugene Teo <eugene@redhat.com> RH-Acked-by: Josef Bacik <josef@redhat.com> RH-Acked-by: Prarit Bhargava <prarit@redhat.com> backport upstream commit f60311d to fix CVE-2009-4021: commit f60311d5f7670d9539b424e4ed8b5c0872fc9e83 Author: Anand V. Avati <avati@gluster.com> Date: Thu Oct 22 06:24:52 2009 -0700 fuse: prevent fuse_put_request on invalid pointer fuse_direct_io() has a loop where requests are allocated in each iteration. if allocation fails, the loop is broken out and follows into an unconditional fuse_put_request() on that invalid pointer. Signed-off-by: Anand V. Avati <avati@gluster.com> Signed-off-by: Miklos Szeredi <mszeredi@suse.cz> Cc: stable@kernel.org Brew build is available at: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=2124586 resolves bz538737 diff --git a/fs/fuse/file.c b/fs/fuse/file.c index f9f06a5..cba44ca 100644 --- a/fs/fuse/file.c +++ b/fs/fuse/file.c @@ -732,7 +732,8 @@ static ssize_t fuse_direct_io(struct file *file, const char __user *buf, break; } } - fuse_put_request(fc, req); + if (!IS_ERR(req)) + fuse_put_request(fc, req); if (res > 0) { if (write) fuse_write_update_size(inode, pos);
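Review bot: the new `if (!IS_ERR(req))` guard only covers the ERR_PTR case; since `IS_ERR(NULL)` is false, the fix is complete only if the per-iteration allocation that precedes the `break` (not visible in this hunk's context) reports failure as an ERR_PTR and never as NULL, so please confirm that in the backported fuse_direct_io() and consider a one-line comment above the guard noting that `req` may hold the error pointer left by the failed allocation in the loop. The hunk otherwise matches upstream f60311d and the bz538737 description, and the `res > 0` path below still runs unchanged, which is the intended behaviour for partial I/O.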