If an invalid file descriptor is provided in the mount options, fget() returns NULL. fuse_opt_fd() was dereferencing this NULL pointer when checking the file operations. Fixes: 6dcceeb72856 ("fuse: support FSCONFIG_SET_FD for "fd" option") Reported-by: syzbot+2a667b3be0ca4b7035ce@syzkaller.appspotmail.com Signed-off-by: Andrei Vagin --- fs/fuse/inode.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c index af8ad96829fd..95bbc7b28b89 100644 --- a/fs/fuse/inode.c +++ b/fs/fuse/inode.c @@ -862,6 +862,10 @@ static int fuse_parse_param(struct fs_context *fsc, struct fs_parameter *param) return fuse_opt_fd(fsc, param->file); } else { struct file *file __free(fput) = fget(result.uint_32); + + if (!file) + return invalfc(fsc, "invalid file descriptor"); + return fuse_opt_fd(fsc, file); } -- 2.53.0.851.ga537e3e6e9-goog
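Review bot: in the else branch of fuse_parse_param(), the new `if (!file)` check returns through invalfc(), so a descriptor number that fget() cannot resolve is reported to userspace as an invalid-argument error. If callers are expected to see EBADF for a bad descriptor, return that explicitly; either way, the commit message should state which errno the mount now fails with. The check also guards only this fget() path, while the sibling branch still passes param->file to fuse_opt_fd() unchecked. Either note why that pointer can never be NULL, or move the NULL test into fuse_opt_fd() so both callers are covered. Including the rejected value (result.uint_32) in the "invalid file descriptor" message would make the fs_context log easier to act on.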