Re: [linux-next] fuse: avoid double pqueue allocation in fuse_dev_alloc_install

Next message: Alice Ryhl: "Re: [PATCH v3 4/4] rust_binder: report netlink transactions"
Previous message: Boris Brezillon: "Re: [PATCH v7 5/6] drm/panthor: Support sparse mappings"
In reply to: Morduan Zang: "[linux-next] fuse: avoid double pqueue allocation in fuse_dev_alloc_install"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Miklos Szeredi

Date: Thu Apr 16 2026 - 02:58:11 EST

On Thu, 16 Apr 2026 at 08:21, Morduan Zang <zhangdandan@xxxxxxxxxxxxx> wrote:
>
> From: Morduan <zhangdandan@xxxxxxxxxxxxx>
>
> fuse_dev_chan_new() preallocates fch->pq_prealloc. After dca5bba8d17f,
> fuse_dev_install() transfers that queue to fuse_dev_install_with_pq(),
> which expects fud->pq.processing to still be NULL.
>
> The CUSE open path still goes through fuse_dev_alloc_install(), which
> unconditionally uses fuse_dev_alloc() and allocates fud->pq.processing a
> second time. Opening /dev/cuse then triggers
> WARN_ON(fud->pq.processing) in fuse_dev_install_with_pq() and panics when
> panic_on_warn=1.
>
> If the channel already carries pq_prealloc, allocate the fuse_dev
> without a processing queue and let fuse_dev_install() transfer ownership
> of the preallocated queue.
>
> Fixes: dca5bba8d17f ("fuse: alloc pqueue before installing fch in fuse_dev")
> Reported-by: syzbot+a761f017e231803b82cd@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=a761f017e231803b82cd
> Signed-off-by: Zhan Jun <zhanjun@xxxxxxxxxxxxx>

Thanks, this should be fixed since yesterday in for-next.

Checking fch->pq_prealloc is not necessary, since
fuse_dev_alloc_install() has a single callsite: cuse_channel_open().
Since cuse also uses fuse_dev_chan_new(), pq_prealloc is always going
to be set.

Thanks,
Miklos