Re: [PATCH] fuse: fix kernel NULL pointer dereference in fuse_uring_add_to_pq()

[Bernd Schubert]

On 4/22/26 12:36, Li Wang wrote:
> A kernel NULL pointer dereference was triggered when testing the
> 'fuse over io_uring' feature with passthrough_ll. The call trace
> is as follows:
>   BUG: kernel NULL pointer dereference, address: 0000000000000878
>   RIP: 0010:fuse_uring_add_req_to_ring_ent+0x89/0xd0 [fuse]
>   Call Trace:
>   <TASK>
>   fuse_uring_queue_fuse_req+0x82/0x100 [fuse]
>   fuse_chan_send+0xe6/0x180 [fuse]

Is this linux-next?

>   fuse_lookup_name+0x131/0x2b0 [fuse]
>   fuse_lookup+0x78/0x1a0 [fuse]
>   fuse_atomic_open+0xfc/0x140 [fuse]
>   atomic_open+0x4b/0xf0
>   path_openat+0x746/0x1080
>   do_file_open+0xc9/0x180
> 
> fuse_uring_create_queue() must initialize struct fuse_pqueue before assigning
> the per-hash processing table:
> 
> - Call fuse_pqueue_init() before setting fpq.processing. fuse_pqueue_init()
>   clears fpq.processing; assigning the kcalloc'd bucket array must happen
>   afterwards.
> 
> - After allocating the processing bucket array with kzalloc_objs(), initialize
>   each list head with INIT_LIST_HEAD(), matching fuse_pqueue_alloc() in dev.c.
>   Zeroed list_head values are not valid empty lists; list_move_tail() would
>   dereference NULL prev/next.
> 
> Signed-off-by: Li Wang <liwang@xxxxxxxxxx>
> ---
>  fs/fuse/dev_uring.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/fuse/dev_uring.c b/fs/fuse/dev_uring.c
> index d6d75e024b35..b765c1ff5e2d 100644
> --- a/fs/fuse/dev_uring.c
> +++ b/fs/fuse/dev_uring.c
> @@ -282,6 +282,8 @@ static struct fuse_ring_queue *fuse_uring_create_queue(struct fuse_ring *ring,
>  		kfree(queue);
>  		return NULL;
>  	}
> +	for (int i = 0; i < FUSE_PQ_HASH_SIZE; i++)
> +		INIT_LIST_HEAD(&pq[i]);
>  
>  	queue->qid = qid;
>  	queue->ring = ring;
> @@ -295,8 +297,8 @@ static struct fuse_ring_queue *fuse_uring_create_queue(struct fuse_ring *ring,
>  	INIT_LIST_HEAD(&queue->fuse_req_bg_queue);
>  	INIT_LIST_HEAD(&queue->ent_released);
>  
> -	queue->fpq.processing = pq;
>  	fuse_pqueue_init(&queue->fpq);
> +	queue->fpq.processing = pq;
>  
>  	spin_lock(&fch->lock);
>  	if (ring->queues[qid]) {

I don't think this patch is right. The existing order is

	queue = kzalloc_obj(*queue, GFP_KERNEL_ACCOUNT);
	pq = kzalloc_objs(struct list_head, FUSE_PQ_HASH_SIZE);
	queue->fpq.processing = pq;
	fuse_pqueue_init(&queue->fpq); =====> INIT_LIST_HEAD() of pg


I need to look at Miklos' patches, I guess it sends to fuse-io-uring,
although that is not ready yet.


Thanks,
Bernd