[linux-next] fuse: avoid double pqueue allocation in fuse_dev_alloc_install

Next message: Sebastian Andrzej Siewior: "Re: [net,PATCH v3 1/2] net: ks8851: Reinstate disabling of BHs around IRQ handler"
Previous message: Hannes Reinecke: "Re: [PATCH v2] nvme-auth: Include SC_C in RVAL controller hash"
Next in thread: Miklos Szeredi: "Re: [linux-next] fuse: avoid double pqueue allocation in fuse_dev_alloc_install"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Morduan Zang

Date: Thu Apr 16 2026 - 02:23:47 EST

From: Morduan <zhangdandan@xxxxxxxxxxxxx>

fuse_dev_chan_new() preallocates fch->pq_prealloc. After dca5bba8d17f,
fuse_dev_install() transfers that queue to fuse_dev_install_with_pq(),
which expects fud->pq.processing to still be NULL.

The CUSE open path still goes through fuse_dev_alloc_install(), which
unconditionally uses fuse_dev_alloc() and allocates fud->pq.processing a
second time. Opening /dev/cuse then triggers
WARN_ON(fud->pq.processing) in fuse_dev_install_with_pq() and panics when
panic_on_warn=1.

If the channel already carries pq_prealloc, allocate the fuse_dev
without a processing queue and let fuse_dev_install() transfer ownership
of the preallocated queue.

Fixes: dca5bba8d17f ("fuse: alloc pqueue before installing fch in fuse_dev")
Reported-by: syzbot+a761f017e231803b82cd@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=a761f017e231803b82cd
Signed-off-by: Zhan Jun <zhanjun@xxxxxxxxxxxxx>
---
fs/fuse/dev.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index 87c0a6e60440..6001163db34e 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -501,7 +501,10 @@ struct fuse_dev *fuse_dev_alloc_install(struct fuse_chan *fch)
{
struct fuse_dev *fud;

- fud = fuse_dev_alloc();
+ if (fch->pq_prealloc)
+ fud = fuse_dev_alloc_no_pq();
+ else
+ fud = fuse_dev_alloc();
if (!fud)
return NULL;

--
2.50.1