git.ipfire.org Git - thirdparty/linux.git/commit

author	Zhenghang Xiao <kipreyyy@gmail.com>
	Mon, 15 Jun 2026 10:25:56 +0000 (12:25 +0200)
committer	Miklos Szeredi <mszeredi@redhat.com>
	Mon, 15 Jun 2026 12:19:45 +0000 (14:19 +0200)
commit	7d87a5a284bb34edb3f4e7e312ef403b3385a7b7
tree	b5244f301391e84f43d0ee7e06b6b4d714d79aff	tree \| snapshot
parent	8bbb2ad1f687633a991839bd3efae04ccfb29e19	commit \| diff

fuse-uring: clear ent->fuse_req in commit_fetch error path

fuse_uring_commit_fetch() error path called fuse_request_end(req) without
clearing ent->fuse_req when fuse_ring_ent_set_commit() fails. The
still-pending fuse_uring_send_in_task() task-work later dereferences the
dangling pointer through fuse_uring_prepare_send(), causing a
use-after-free.

End the request with fuse_uring_req_end(), which handles all conditions
already.

Annotation/edition by Bernd: The UAF should be fixed by other means already
and actually has to be avoided that way.
Just checking for ent->fuse_req == NULL in fuse_uring_send_in_task()
would be prone to race conditions, because if malicious userspace
would commit requests that have passed the NULL check, but are
in doing args copy, it would still trigger a use-after-free.
Setting ent->fuse_req = NULL in fuse_uring_commit_fetch() still
makes sense, though.

Reported-by: Shuvam Pandey <shuvampandey1@gmail.com>
Reported-by: Berkant Koc <me@berkoc.com>
Signed-off-by: Zhenghang Xiao <kipreyyy@gmail.com>
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
Reviewed-by: Joanne Koong <joannelkoong@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>