author: Joanne Koong <joannelkoong@gmail.com> 2026-06-10 00:36:58 +0300
committer: Miklos Szeredi <mszeredi@redhat.com> 2026-06-15 15:06:14 +0300
commit: 1c57a69be962d459c5e705f5cb4355b841b3461c
tree: 6f5de1ba976090a41de7909e7aee1d0cae7e9a20 /include/linux
parent: f8fce75fedf73ac72aa09163deb8f4291fdcaad2
fuse-uring: remove request-less entries from ent_w_req_queue to fix NULL deref

If a copy into the userspace ring buffer fails, a request will be terminated and fuse_uring_req_end() will set ent->fuse_req to NULL but it will leave the entry on ent_w_req_queue in FRRS_FUSE_REQ state. This can lead to a NULL deref if the request expiration logic scans ent_w_req_queue in the window before the entry is moved off it.

Fix this by taking the entry off ent_w_req_queue and changing its state from FRRS_FUSE_REQ to FRRS_INVALID before terminating the request.

Fixes: 4fea593e625c ("fuse: optimize over-io-uring request expiration check")
Cc: stable@kernel.org
Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

Diffstat (limited to 'include/linux')
0 files changed, 0 insertions, 0 deletions