From: Joanne Koong Date: Tue, 19 May 2026 05:28:07 +0000 (-0700) Subject: fuse: re-lock request before returning from fuse_ref_folio() X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b5befa80fdbe287a98480effed9564712924add5;p=thirdparty%2Flinux.git fuse: re-lock request before returning from fuse_ref_folio() fuse_ref_folio() unlocks the request but does not re-lock it before returning. fuse_chan_abort() can end the request and the async end callback (eg fuse_writepage_free()) can free the args while the subsequent copy chain logic after fuse_ref_folio() accesses them, leading to use-after-free issues. Fix this by locking the request in fuse_ref_folio() before returning. Fixes: c3021629a0d8 ("fuse: support splice() reading from fuse device") Cc: stable@vger.kernel.org Signed-off-by: Joanne Koong Signed-off-by: Miklos Szeredi --- diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c index 86b62a1d3746..b527d90ef74b 100644 --- a/fs/fuse/dev.c +++ b/fs/fuse/dev.c @@ -1106,7 +1106,7 @@ static int fuse_ref_folio(struct fuse_copy_state *cs, struct folio *folio, cs->nr_segs++; cs->len = 0; - return 0; + return lock_request(cs->req); } /*
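Review bot: The new `return lock_request(cs->req);` at the end of fuse_ref_folio() makes the function's return value meaningful for the first time, so every caller must now treat a non-zero result as "request could not be re-locked" and stop the copy chain there instead of continuing to touch cs->req and its args; otherwise the use-after-free the commit message describes is only narrowed, not closed. The hunk shows only this final return, so please confirm there is no other return path between the earlier unlock (referred to in the commit message) and this point that still leaves the request unlocked, and document in the function comment what the lock state is when lock_request() fails, since callers need to know whether they must unlock on that error path. A short comment above the return, along the lines of "re-lock the request so the caller's args remain valid until it unlocks," would make the invariant obvious to the next reader.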