path: root/include/linux
author: Ji'an Zhou <eilaimemedsnaimel@gmail.com> 2026-06-09 12:58:51 +0300
committer: Miklos Szeredi <mszeredi@redhat.com> 2026-06-15 15:06:14 +0300
commit: f8fce75fedf73ac72aa09163deb8f4291fdcaad2 (patch)
tree: 7ebaac39c26d8abe600d204a9715c38486de0913 /include/linux
parent: 1efd3d474fc0ba74dfd984249bca78807d739812 (diff)
download: linux-f8fce75fedf73ac72aa09163deb8f4291fdcaad2.tar.xz
fuse: clear intr_entry in fuse_resend and fuse_remove_pending_req
When fuse_resend() moves a request from fpq->processing back to fiq->pending, it sets FR_PENDING and clears FR_SENT but does not remove the request's intr_entry from fiq->interrupts. If the request had FR_INTERRUPTED set from a prior signal, intr_entry remains dangling on fiq->interrupts.

When the requesting task then receives a fatal signal, fuse_remove_pending_req() sees FR_PENDING=1, removes the request from fiq->pending and frees it via the refcount path, also without cleaning intr_entry.

The stale intr_entry causes use-after-free when fuse_read_interrupt() iterates fiq->interrupts:

- list_del_init(&req->intr_entry) -> UAF write on freed slab
- req->in.h.unique -> UAF read, data leaked to userspace

Remove intr_entry from fiq->interrupts in fuse_resend() for interrupted requests before they are placed back on fiq->pending. Add a WARN_ON if the intr_entry is not empty on request destruction.

Fixes: 760eac73f9f6 ("fuse: Introduce a new notification type for resend pending requests")
Cc: stable@vger.kernel.org # 6.9
Signed-off-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Diffstat (limited to 'include/linux')
0 files changed, 0 insertions, 0 deletions
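The sequence the commit message describes (request in flight, interrupt queued, resend moves it back to pending, fatal signal frees it) can be modelled outside the kernel to see why the unlink in fuse_resend() and the emptiness check on destruction matter. The following is an added userspace example, not code from the Linux FUSE tree: the list helpers are a minimal stand-in for the kernel's list_head API, the flag values and the function names with a `_model` suffix are the example's own, and the final put unlinks a stale entry before freeing so the demonstration stays memory-safe, whereas the real kernel path would have left the freed entry on fiq->interrupts.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace stand-in for the kernel's intrusive struct list_head (assumption). */
struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }
static void list_add_tail(struct list_head *n, struct list_head *head)
{
    n->prev = head->prev;
    n->next = head;
    head->prev->next = n;
    head->prev = n;
}
/* Unlink and re-initialise, so list_empty() is true afterwards. */
static void list_del_init(struct list_head *n)
{
    n->prev->next = n->next;
    n->next->prev = n->prev;
    INIT_LIST_HEAD(n);
}
#define list_entry(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Flag names follow the commit message; the bit values are the model's own. */
enum { FR_PENDING = 1u << 0, FR_SENT = 1u << 1, FR_INTERRUPTED = 1u << 2 };

struct fuse_req {
    unsigned flags;
    struct list_head list;        /* on fiq->pending or fpq->processing */
    struct list_head intr_entry;  /* on fiq->interrupts while interrupted */
    uint64_t unique;
};
struct fuse_iqueue { struct list_head pending, interrupts; };
struct fuse_pqueue { struct list_head processing; };

static struct fuse_req *req_new(uint64_t unique)
{
    struct fuse_req *req = calloc(1, sizeof *req);
    req->unique = unique;
    INIT_LIST_HEAD(&req->list);
    INIT_LIST_HEAD(&req->intr_entry);
    return req;
}

/* A signal arrives while the request is in flight: queue an INTERRUPT for it. */
static void queue_interrupt_model(struct fuse_iqueue *fiq, struct fuse_req *req)
{
    if (!(req->flags & FR_INTERRUPTED)) {
        req->flags |= FR_INTERRUPTED;
        list_add_tail(&req->intr_entry, &fiq->interrupts);
    }
}

/* Move every in-flight request back to pending. 'fixed' selects whether an
 * interrupted request's intr_entry is unlinked first, which is what the patch adds. */
static void fuse_resend_model(struct fuse_iqueue *fiq, struct fuse_pqueue *fpq, bool fixed)
{
    while (!list_empty(&fpq->processing)) {
        struct fuse_req *req = list_entry(fpq->processing.next, struct fuse_req, list);
        list_del_init(&req->list);
        req->flags &= ~FR_SENT;
        req->flags |= FR_PENDING;
        if (fixed && (req->flags & FR_INTERRUPTED))
            list_del_init(&req->intr_entry);  /* nothing left on fiq->interrupts */
        list_add_tail(&req->list, &fiq->pending);
    }
}

/* Final put. Returns true when intr_entry is already empty, the invariant the
 * patch checks with WARN_ON. A stale entry is unlinked here only to keep this
 * model memory-safe; the kernel would free the request with it still linked. */
static bool fuse_req_put_model(struct fuse_req *req)
{
    bool clean = list_empty(&req->intr_entry);
    if (!clean)
        list_del_init(&req->intr_entry);
    free(req);
    return clean;
}

/* Fatal signal on a request that is back on pending: drop it from the queue. */
static bool remove_pending_req_model(struct fuse_req *req)
{
    if (!(req->flags & FR_PENDING))
        return true;
    list_del_init(&req->list);
    req->flags &= ~FR_PENDING;
    return fuse_req_put_model(req);
}

/* Runs the full sequence from the commit message on one constructed request.
 * Returns true if destruction found intr_entry empty and fiq->interrupts clean. */
bool resend_then_kill_is_clean(bool fixed)
{
    struct fuse_iqueue fiq;
    struct fuse_pqueue fpq;
    INIT_LIST_HEAD(&fiq.pending);
    INIT_LIST_HEAD(&fiq.interrupts);
    INIT_LIST_HEAD(&fpq.processing);

    struct fuse_req *req = req_new(42);           /* constructed sample request */
    req->flags |= FR_SENT;
    list_add_tail(&req->list, &fpq.processing);   /* server has read it */
    queue_interrupt_model(&fiq, req);             /* signal before the reply */
    fuse_resend_model(&fiq, &fpq, fixed);         /* server asks for a resend */
    bool clean = remove_pending_req_model(req);   /* fatal signal frees it */
    return clean && list_empty(&fiq.interrupts);
}

int main(void)
{
    printf("without unlink in resend: %s\n", resend_then_kill_is_clean(false) ? "clean" : "stale intr_entry");
    printf("with unlink in resend:    %s\n", resend_then_kill_is_clean(true) ? "clean" : "stale intr_entry");
    return 0;
}
```

The model reports the stale entry at the same point the kernel patch places its WARN_ON: on the request's final put. In the real kernel the check is only a diagnostic; the fix that removes the dangling pointer is the list_del_init() in the resend path, which is why the example keeps the two separate.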