| author | Joanne Koong <joannelkoong@gmail.com> | 2026-06-10 00:36:58 +0300 |
|---|---|---|
| committer | Miklos Szeredi <mszeredi@redhat.com> | 2026-06-15 15:06:14 +0300 |
| commit | 1c57a69be962d459c5e705f5cb4355b841b3461c (patch) | |
| tree | 6f5de1ba976090a41de7909e7aee1d0cae7e9a20 /include/linux/node.h | |
| parent | f8fce75fedf73ac72aa09163deb8f4291fdcaad2 (diff) | |
fuse-uring: remove request-less entries from ent_w_req_queue to fix NULL deref

If a copy into the userspace ring buffer fails, a request will be
terminated and fuse_uring_req_end() will set ent->fuse_req to NULL but
it will leave the entry on ent_w_req_queue in FRRS_FUSE_REQ state. This
can lead to a NULL deref if the request expiration logic scans
ent_w_req_queue in the window before the entry is moved off it.

Fix this by taking the entry off ent_w_req_queue and changing its state
from FRRS_FUSE_REQ to FRRS_INVALID before terminating the request.

Fixes: 4fea593e625c ("fuse: optimize over-io-uring request expiration check")
Cc: stable@kernel.org
Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Diffstat (limited to 'include/linux/node.h')
0 files changed, 0 insertions, 0 deletions
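
The ordering problem described in the commit message, as an added userspace model (not kernel code and not part of the commit). The struct layouts, `queue_remove()`, `scan_expired()`, `copy_failure_then_scan()` and the deadlines are hypothetical; locking is not modelled, and the scan returns -1 at the point where the kernel would dereference NULL.

```c
#include <stddef.h>
#include <stdio.h>
/* Userspace model: names from the commit message; layouts and helpers assumed. */
enum frrs_state { FRRS_INVALID, FRRS_FUSE_REQ };
struct req { unsigned long deadline; };
struct ent { enum frrs_state state; struct req *fuse_req; struct ent *next; };
struct queue { struct ent *head; };            /* stands in for ent_w_req_queue */

static void queue_remove(struct queue *q, struct ent *e)
{
    struct ent **pp = &q->head;
    while (*pp && *pp != e)
        pp = &(*pp)->next;
    if (*pp) { *pp = e->next; e->next = NULL; }
}

/* Expiration scan: count of expired requests, or -1 on a NULL fuse_req. */
static int scan_expired(const struct queue *q, unsigned long now)
{
    int expired = 0;
    for (const struct ent *e = q->head; e; e = e->next) {
        if (!e->fuse_req)
            return -1;                         /* request-less entry still queued */
        if (e->fuse_req->deadline <= now)
            expired++;
    }
    return expired;
}

/* Copy into the ring failed on the first entry; scan runs in the window after. */
static int copy_failure_then_scan(int fixed)
{
    struct req r1 = { 10 }, r2 = { 20 };       /* constructed deadlines */
    struct ent e2 = { FRRS_FUSE_REQ, &r2, NULL };
    struct ent e1 = { FRRS_FUSE_REQ, &r1, &e2 };
    struct queue q = { &e1 };
    if (fixed) {                               /* order described in the fix */
        queue_remove(&q, &e1);
        e1.state = FRRS_INVALID;
    }
    e1.fuse_req = NULL;                        /* what fuse_uring_req_end() does */
    return scan_expired(&q, 25);
}

int main(void)
{
    printf("before: %d, after: %d\n", copy_failure_then_scan(0), copy_failure_then_scan(1));
    return 0;
}
```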
