public inbox for linux-erofs@ozlabs.org
* [PATCH v2 1/2] erofs-utils: fuse: add missing return on getattr error
@ 2026-03-21  6:26 Ajay Rajera
  2026-03-21  6:26 ` [PATCH v2 2/2] erofs-utils: lib: fix memory leak in erofs_gzran_builder_init error path Ajay Rajera
  2026-03-21  6:43 ` [PATCH v2 1/2] erofs-utils: fuse: add missing return on getattr error Gao Xiang
  0 siblings, 2 replies; 6+ messages in thread
From: Ajay Rajera @ 2026-03-21  6:26 UTC (permalink / raw)
  To: linux-erofs; +Cc: xiang, Ajay Rajera

erofsfuse_getattr() calls fuse_reply_err() when erofs_read_inode_from_disk()
fails, but does not return afterwards. This causes the function to fall through
to erofsfuse_fill_stat() with uninitialized inode data and then call
fuse_reply_attr(), sending a second reply to the same FUSE request.

Sending two replies to a single FUSE request is undefined behavior in libfuse
and typically triggers an assertion failure or crash. The uninitialized inode
data may also expose garbage values to userspace.

Fix by adding the missing return after fuse_reply_err().

Signed-off-by: Ajay Rajera <newajay.11r@gmail.com>
---
 fuse/main.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fuse/main.c b/fuse/main.c
index 82aca8c..b634782 100644
--- a/fuse/main.c
+++ b/fuse/main.c
@@ -265,8 +265,10 @@ static void erofsfuse_getattr(fuse_req_t req, fuse_ino_t ino,
 	struct erofs_inode vi = { .sbi = &g_sbi, .nid = erofsfuse_to_nid(ino) };
 
 	ret = erofs_read_inode_from_disk(&vi);
-	if (ret < 0)
+	if (ret < 0) {
 		fuse_reply_err(req, -ret);
+		return;
+	}
 
 	erofsfuse_fill_stat(&vi, &stbuf);
 	stbuf.st_ino = ino;
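Review bot: the added `return;` after `fuse_reply_err(req, -ret);` is the right fix, since the trailing context shows the function would otherwise go on to `erofsfuse_fill_stat(&vi, &stbuf)` with a `vi` that `erofs_read_inode_from_disk()` never populated and then answer the same request a second time. The `-ret` conversion already present relies on `erofs_read_inode_from_disk()` returning a negative errno, so the early return keeps that contract unchanged. It would be worth checking whether the other request handlers in fuse/main.c use the same reply-then-return shape, since a reply without a return is easy to miss in review.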
-- 
2.51.0.windows.1




* [PATCH v2 2/2] erofs-utils: lib: fix memory leak in erofs_gzran_builder_init error path
  2026-03-21  6:26 [PATCH v2 1/2] erofs-utils: fuse: add missing return on getattr error Ajay Rajera
@ 2026-03-21  6:26 ` Ajay Rajera
  2026-03-21  7:21   ` Gao Xiang
  2026-03-21  6:43 ` [PATCH v2 1/2] erofs-utils: fuse: add missing return on getattr error Gao Xiang
  1 sibling, 1 reply; 6+ messages in thread
From: Ajay Rajera @ 2026-03-21  6:26 UTC (permalink / raw)
  To: linux-erofs; +Cc: xiang, Ajay Rajera

When inflateInit2() fails, erofs_gzran_builder_init() returns an ERR_PTR(-EFAULT)
but forgets to free the previously allocated erofs_gzran_builder struct (gb),
resulting in a memory leak.

Fix by calling free(gb) before returning the error.

Signed-off-by: Ajay Rajera <newajay.11r@gmail.com>
---
 lib/gzran.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/gzran.c b/lib/gzran.c
index dffb20a..8a01825 100644
--- a/lib/gzran.c
+++ b/lib/gzran.c
@@ -50,8 +50,10 @@ struct erofs_gzran_builder *erofs_gzran_builder_init(struct erofs_vfile *vf,
 	strm->avail_in = 0;
 	strm->next_in = Z_NULL;
 	ret = inflateInit2(strm, 47);	/* automatic zlib or gzip decoding */
-	if (ret != Z_OK)
+	if (ret != Z_OK) {
+		free(gb);
 		return ERR_PTR(-EFAULT);
+	}
 	gb->vf = vf;
 	gb->span_size = span_size;
 	gb->totout = gb->totin = 0;
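Review bot: `free(gb);` before `return ERR_PTR(-EFAULT);` plugs the leak of the builder struct, but the hunk does not show how `strm` is obtained; if `strm` points at a separate allocation rather than a member of `gb`, it would need to be released on this path as well, so please confirm that in the surrounding code. Separately, `inflateInit2()` reports Z_MEM_ERROR, Z_VERSION_ERROR or Z_STREAM_ERROR rather than an address fault, so -EFAULT is a slightly misleading errno for the caller; mapping Z_MEM_ERROR to -ENOMEM would be more informative, although that is pre-existing behaviour and could be a separate patch.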
-- 
2.51.0.windows.1




* Re: [PATCH v2 1/2] erofs-utils: fuse: add missing return on getattr error
  2026-03-21  6:26 [PATCH v2 1/2] erofs-utils: fuse: add missing return on getattr error Ajay Rajera
  2026-03-21  6:26 ` [PATCH v2 2/2] erofs-utils: lib: fix memory leak in erofs_gzran_builder_init error path Ajay Rajera
@ 2026-03-21  6:43 ` Gao Xiang
  2026-03-21  7:18   ` Ajay Rajera
  1 sibling, 1 reply; 6+ messages in thread
From: Gao Xiang @ 2026-03-21  6:43 UTC (permalink / raw)
  To: Ajay Rajera, linux-erofs; +Cc: xiang



On 2026/3/21 14:26, Ajay Rajera wrote:
> erofsfuse_getattr() calls fuse_reply_err() when erofs_read_inode_from_disk()
> fails, but does not return afterwards. This causes the function to fall through
> to erofsfuse_fill_stat() with uninitialized inode data and then call
> fuse_reply_attr(), sending a second reply to the same FUSE request.
> 
> Sending two replies to a single FUSE request is undefined behavior in libfuse
> and typically triggers an assertion failure or crash. The uninitialized inode
> data may also expose garbage values to userspace.
> 
> Fix by adding the missing return after fuse_reply_err().

Each line of the commit message should not exceed 72 chars.

> 
> Signed-off-by: Ajay Rajera <newajay.11r@gmail.com>
> ---
>   fuse/main.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/fuse/main.c b/fuse/main.c
> index 82aca8c..b634782 100644
> --- a/fuse/main.c
> +++ b/fuse/main.c
> @@ -265,8 +265,10 @@ static void erofsfuse_getattr(fuse_req_t req, fuse_ino_t ino,
>   	struct erofs_inode vi = { .sbi = &g_sbi, .nid = erofsfuse_to_nid(ino) };
>   
>   	ret = erofs_read_inode_from_disk(&vi);
> -	if (ret < 0)
> +	if (ret < 0) {
>   		fuse_reply_err(req, -ret);
> +		return;
> +	}
>   
>   	erofsfuse_fill_stat(&vi, &stbuf);
>   	stbuf.st_ino = ino;




* Re: [PATCH v2 1/2] erofs-utils: fuse: add missing return on getattr error
  2026-03-21  6:43 ` [PATCH v2 1/2] erofs-utils: fuse: add missing return on getattr error Gao Xiang
@ 2026-03-21  7:18   ` Ajay Rajera
  0 siblings, 0 replies; 6+ messages in thread
From: Ajay Rajera @ 2026-03-21  7:18 UTC (permalink / raw)
  To: Gao Xiang; +Cc: linux-erofs, xiang

Yeah, I apologize for the mistake.
I just sent patch v3.
Thanks, Ajay.


On Sat, 21 Mar 2026 at 12:13, Gao Xiang <hsiangkao@linux.alibaba.com> wrote:
>
>
>
> On 2026/3/21 14:26, Ajay Rajera wrote:
> > erofsfuse_getattr() calls fuse_reply_err() when erofs_read_inode_from_disk()
> > fails, but does not return afterwards. This causes the function to fall through
> > to erofsfuse_fill_stat() with uninitialized inode data and then call
> > fuse_reply_attr(), sending a second reply to the same FUSE request.
> >
> > Sending two replies to a single FUSE request is undefined behavior in libfuse
> > and typically triggers an assertion failure or crash. The uninitialized inode
> > data may also expose garbage values to userspace.
> >
> > Fix by adding the missing return after fuse_reply_err().
>
> Each line of the commit message should not exceed 72 chars.
>
> >
> > Signed-off-by: Ajay Rajera <newajay.11r@gmail.com>
> > ---
> >   fuse/main.c | 4 +++-
> >   1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/fuse/main.c b/fuse/main.c
> > index 82aca8c..b634782 100644
> > --- a/fuse/main.c
> > +++ b/fuse/main.c
> > @@ -265,8 +265,10 @@ static void erofsfuse_getattr(fuse_req_t req, fuse_ino_t ino,
> >       struct erofs_inode vi = { .sbi = &g_sbi, .nid = erofsfuse_to_nid(ino) };
> >
> >       ret = erofs_read_inode_from_disk(&vi);
> > -     if (ret < 0)
> > +     if (ret < 0) {
> >               fuse_reply_err(req, -ret);
> > +             return;
> > +     }
> >
> >       erofsfuse_fill_stat(&vi, &stbuf);
> >       stbuf.st_ino = ino;
>



* Re: [PATCH v2 2/2] erofs-utils: lib: fix memory leak in erofs_gzran_builder_init error path
  2026-03-21  6:26 ` [PATCH v2 2/2] erofs-utils: lib: fix memory leak in erofs_gzran_builder_init error path Ajay Rajera
@ 2026-03-21  7:21   ` Gao Xiang
  2026-03-21  9:34     ` Ajay Rajera
  0 siblings, 1 reply; 6+ messages in thread
From: Gao Xiang @ 2026-03-21  7:21 UTC (permalink / raw)
  To: Ajay Rajera, linux-erofs; +Cc: xiang



On 2026/3/21 14:26, Ajay Rajera wrote:
> When inflateInit2() fails, erofs_gzran_builder_init() returns an ERR_PTR(-EFAULT)
> but forgets to free the previously allocated erofs_gzran_builder struct (gb),
> resulting in a memory leak.
> 
> Fix by calling free(gb) before returning the error.
> 
> Signed-off-by: Ajay Rajera <newajay.11r@gmail.com>

The same issue.



* Re: [PATCH v2 2/2] erofs-utils: lib: fix memory leak in erofs_gzran_builder_init error path
  2026-03-21  7:21   ` Gao Xiang
@ 2026-03-21  9:34     ` Ajay Rajera
  0 siblings, 0 replies; 6+ messages in thread
From: Ajay Rajera @ 2026-03-21  9:34 UTC (permalink / raw)
  To: Gao Xiang; +Cc: linux-erofs, xiang

Yeah, I just sent patch v3.
Thanks, Ajay.

On Sat, 21 Mar 2026 at 12:51, Gao Xiang <hsiangkao@linux.alibaba.com> wrote:
>
>
>
> On 2026/3/21 14:26, Ajay Rajera wrote:
> > When inflateInit2() fails, erofs_gzran_builder_init() returns an ERR_PTR(-EFAULT)
> > but forgets to free the previously allocated erofs_gzran_builder struct (gb),
> > resulting in a memory leak.
> >
> > Fix by calling free(gb) before returning the error.
> >
> > Signed-off-by: Ajay Rajera <newajay.11r@gmail.com>
>
> The same issue.


