syzbot reported general protection fault in kstrtouint: https://lkml.org/lkml/2019/7/18/328
>From the log, if the mount option is something like: fd,XXXXXXXXXXXXXXXXXXXX The default parameter (which has NULL param->string) will be passed to vfs_parse_fs_param. Finally, this NULL param->string is passed to kstrtouint and trigger NULL pointer access. Reported-by: syzbot+398343b7c1b1b9892...@syzkaller.appspotmail.com Fixes: 71cbb7570a9a ("vfs: Move the subtype parameter into fuse") Signed-off-by: Yin Fengwei <nh26223....@gmail.com> --- fs/fs_parser.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/fs_parser.c b/fs/fs_parser.c index d13fe7d797c2..578e6880ac67 100644 --- a/fs/fs_parser.c +++ b/fs/fs_parser.c @@ -210,6 +210,10 @@ int fs_parse(struct fs_context *fc, case fs_param_is_fd: { switch (param->type) { case fs_value_is_string: + if (result->has_value) { + goto bad_value; + } + ret = kstrtouint(param->string, 0, &result->uint_32); break; case fs_value_is_file: -- 2.17.1