| author | Joanne Koong <joannelkoong@gmail.com> | 2026-05-18 22:28:07 -0700 |
|---|---|---|
| committer | Miklos Szeredi <mszeredi@redhat.com> | 2026-05-26 16:26:11 +0200 |
| commit | 2dcf16d41cc04472a4f9bc6e99d0ab26cfb1afb1 (patch) | |
| tree | 4be8df0ce4207e5847336796a08808a25c3f2f76 /fs | |
| parent | 3634f6a86add4406afb46d428a4bb3c79828a34c (diff) | |
| download | linux-next-history-2dcf16d41cc04472a4f9bc6e99d0ab26cfb1afb1.tar.gz | |
fuse: re-lock request before returning from fuse_ref_folio()
fuse_ref_folio() unlocks the request but does not re-lock it before
returning. fuse_chan_abort() can end the request and the async end
callback (e.g. fuse_writepage_free()) can free the args while the
subsequent copy chain logic after fuse_ref_folio() accesses them,
leading to use-after-free issues.
Fix this by locking the request in fuse_ref_folio() before returning.
Fixes: c3021629a0d8 ("fuse: support splice() reading from fuse device")
Cc: stable@vger.kernel.org
Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/fuse/dev.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c index 37b11b89ce1b8..a9385d3597ccf 100644 --- a/fs/fuse/dev.c +++ b/fs/fuse/dev.c @@ -1227,7 +1227,7 @@ static int fuse_ref_folio(struct fuse_copy_state *cs, struct folio *folio, cs->nr_segs++; cs->len = 0; - return 0; + return lock_request(cs->req); } /* |
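Review bot: the tail of the hunk changes fuse_ref_folio() from an unconditional `return 0;` to `return lock_request(cs->req);`, so the function can now report failure, and the fix is only complete if the copy-chain caller of fuse_ref_folio() checks that return and stops touching `cs->req` and its args when it is non-zero (the aborted-request case is exactly the one the commit message is guarding against). Please confirm the single call site propagates the error rather than treating the call as infallible, and consider a sentence in the commit message noting that callers may now see the lock_request() error path.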
