Re: [syzbot] [fuse?] general protection fault in fuse_dev_release

From: Miklos Szeredi

Date: Thu Jun 04 2026 - 07:42:45 EST


On Mon, 1 Jun 2026 at 12:27, syzbot
<syzbot+5bfc774fd6dffbbc4b70@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

> RIP: 0010:list_empty include/linux/list.h:404 [inline]
> RIP: 0010:list_splice_init include/linux/list.h:602 [inline]
> RIP: 0010:fuse_dev_release+0x19c/0x670 fs/fuse/dev.c:2221

Found a race between fuse_dev_install_with_pq() and
fuse_dev_release(). One uses fch->lock, the other fpq->lock, so there
can be a short window where fud->pq.processing is NULL after fud->chan
was set. This would explain the Oops.

Fixed in #for-next, let's see if this still reproduces.

Thanks,
Miklos
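The following is an added illustration of the kind of race described in the mail above; it is not the fuse code, not Miklos's fix, and not taken from the syzbot report. The struct, the field and lock names, the split of install into two steps, and the assumption that release() checks the channel pointer before touching the processing list are all simplified assumptions made here. The point it shows is that when two fields are published under two different locks, a reader that observes the first field under lock A has no guarantee about the second field under lock B, and enumerating the interleavings makes the bad window visible without having to win a real race.

```c
/* Added example: a deterministic model of a "two locks, two fields"
 * publication race.  NOT the fuse code; all names below are hypothetical.
 * install() is split into two steps so every interleaving with release()
 * can be enumerated instead of hoping a real race fires under load. */
#include <stddef.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };
struct chan { int id; };

struct dev_model {
    struct chan *chan;              /* assumed: protected by lock A */
    struct list_head *processing;   /* assumed: protected by lock B */
};

/* Two publication steps, each done under its own (separate) lock. */
static void install_step_chan(struct dev_model *fud, struct chan *ch)
{
    fud->chan = ch;
}

static void install_step_pq(struct dev_model *fud, struct list_head *pq)
{
    fud->processing = pq;
}

/* Hypothetical release(): "a channel is attached, so splice the
 * processing list".  Returns 1 if it would dereference NULL (the crash),
 * 0 if it either had nothing to do or could proceed safely. */
static int release(const struct dev_model *fud)
{
    if (fud->chan == NULL)
        return 0;               /* nothing installed yet */
    if (fud->processing == NULL)
        return 1;               /* chan published, list not: NULL deref */
    /* list_splice_init(fud->processing, ...) would happen here */
    return 0;
}

/* Run install's two steps, injecting release() after `release_at` of
 * them (0, 1 or 2).  fixed_order=0 publishes chan first (the racy
 * order); fixed_order=1 publishes the list first and chan last.
 * Returns 1 if release() would have crashed in that schedule. */
static int run_schedule(int fixed_order, int release_at)
{
    struct dev_model fud = { NULL, NULL };
    struct chan ch = { 1 };
    struct list_head pq = { &pq, &pq };   /* constructed empty list */
    int crashed = 0;

    for (int step = 0; step <= 2; step++) {
        if (step == release_at)
            crashed |= release(&fud);
        if (step == 2)
            break;
        int publish_chan = fixed_order ? (step == 1) : (step == 0);
        if (publish_chan)
            install_step_chan(&fud, &ch);
        else
            install_step_pq(&fud, &pq);
    }
    return crashed;
}

/* Number of the three possible schedules in which release() crashes. */
static int count_crashing_schedules(int fixed_order)
{
    int n = 0;
    for (int at = 0; at <= 2; at++)
        n += run_schedule(fixed_order, at);
    return n;
}

int main(void)
{
    printf("racy order   : %d of 3 schedules crash\n",
           count_crashing_schedules(0));
    printf("list-first   : %d of 3 schedules crash\n",
           count_crashing_schedules(1));
    return 0;
}
```

The model is single-threaded, so it only reasons about ordering, not memory visibility: in real kernel code the "publish the list before the channel" variant additionally needs the pair to be an smp_store_release()/smp_load_acquire() (or both fields to be written and read under the same lock), otherwise a reader on another CPU can still see the stores reordered. Which of those the actual for-next fix chose is not stated in the mail.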