fanotify: Fix crash in fanotify_init(2)

The rrror handling in fanotify_init(2) is buggy and overwrites 'fd' before calling put_unused_fd() leading to possible access beyond the end of fd bitmap. Fix it. Reported-by: syzbot+6a3aa63412255587b21b@syzkaller.appspotmail.com Fixes: ebe559609d78 ("fs: get rid of __FMODE_NONOTIFY kludge") Signed-off-by: Jan Kara <jack@suse.cz>
author: Jan Kara <jack@suse.cz> 2025-01-06 12:08:42 +0100
committer: Jan Kara <jack@suse.cz> 2025-01-06 12:08:42 +0100
commit: 0c0214df28f0dba8de084cb4dedc0c459dfbc083 (patch)
tree: 3f5e8fd9f5e1f1be6cd1784bbd05b724459df008
parent: 0357ef03c94ef835bd44a0658b8edb672a9dbf51 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
index 19435cd2c41f..6ff94e312232 100644
--- a/fs/notify/fanotify/fanotify_user.c
+++ b/fs/notify/fanotify/fanotify_user.c
@@ -1624,8 +1624,8 @@ SYSCALL_DEFINE2(fanotify_init, unsigned int, flags, unsigned int, event_f_flags)
 	file = anon_inode_getfile_fmode("[fanotify]", &fanotify_fops, group,
 					f_flags, FMODE_NONOTIFY);
 	if (IS_ERR(file)) {
-		fd = PTR_ERR(file);
 		put_unused_fd(fd);
+		fd = PTR_ERR(file);
 		goto out_destroy_group;
 	}
 	fd_install(fd, file);
author	Jan Kara <jack@suse.cz>	2025-01-06 12:08:42 +0100
committer	Jan Kara <jack@suse.cz>	2025-01-06 12:08:42 +0100
commit	0c0214df28f0dba8de084cb4dedc0c459dfbc083 (patch)
tree	3f5e8fd9f5e1f1be6cd1784bbd05b724459df008
parent	0357ef03c94ef835bd44a0658b8edb672a9dbf51 (diff)