fanotify: Fix crash in fanotify_init(2)

The rrror handling in fanotify_init(2) is buggy and overwrites 'fd'
before calling put_unused_fd() leading to possible access beyond the end
of fd bitmap. Fix it.

Reported-by: syzbot+6a3aa63412255587b21b@syzkaller.appspotmail.com
Fixes: ebe559609d78 ("fs: get rid of __FMODE_NONOTIFY kludge")
Signed-off-by: Jan Kara <jack@suse.cz>

diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
index 19435cd2c41f58a33b26dedec03e89210a0c8b03..6ff94e3122326d561057250a6f353d6520585f78 100644 (file)
--- a/fs/notify/fanotify/fanotify_user.c
+++ b/fs/notify/fanotify/fanotify_user.c
@@ -1624,8 +1624,8 @@ SYSCALL_DEFINE2(fanotify_init, unsigned int, flags, unsigned int, event_f_flags)
        file = anon_inode_getfile_fmode("[fanotify]", &fanotify_fops, group,
                                        f_flags, FMODE_NONOTIFY);
        if (IS_ERR(file)) {
-               fd = PTR_ERR(file);
                put_unused_fd(fd);
+               fd = PTR_ERR(file);
                goto out_destroy_group;
        }
        fd_install(fd, file);