[PATCH] fuse: fix kernel NULL pointer dereference in fuse_uring_add_to_pq()
From: Li Wang
Date: Wed Apr 22 2026 - 06:39:04 EST
A kernel NULL pointer dereference was triggered when testing the
'fuse over io_uring' feature with passthrough_ll. The call trace
is as follows:
BUG: kernel NULL pointer dereference, address: 0000000000000878
RIP: 0010:fuse_uring_add_req_to_ring_ent+0x89/0xd0 [fuse]
Call Trace:
<TASK>
fuse_uring_queue_fuse_req+0x82/0x100 [fuse]
fuse_chan_send+0xe6/0x180 [fuse]
fuse_lookup_name+0x131/0x2b0 [fuse]
fuse_lookup+0x78/0x1a0 [fuse]
fuse_atomic_open+0xfc/0x140 [fuse]
atomic_open+0x4b/0xf0
path_openat+0x746/0x1080
do_file_open+0xc9/0x180
fuse_uring_create_queue() must initialize struct fuse_pqueue before assigning
the per-hash processing table:
- Call fuse_pqueue_init() before setting fpq.processing. fuse_pqueue_init()
clears fpq.processing; assigning the kcalloc'd bucket array must happen
afterwards.
- After allocating the processing bucket array with kzalloc_objs(), initialize
each list head with INIT_LIST_HEAD(), matching fuse_pqueue_alloc() in dev.c.
Zeroed list_head values are not valid empty lists; list_move_tail() would
dereference NULL prev/next.
Signed-off-by: Li Wang <liwang@xxxxxxxxxx>
---
fs/fuse/dev_uring.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/fuse/dev_uring.c b/fs/fuse/dev_uring.c
index d6d75e024b35..b765c1ff5e2d 100644
--- a/fs/fuse/dev_uring.c
+++ b/fs/fuse/dev_uring.c
@@ -282,6 +282,8 @@ static struct fuse_ring_queue *fuse_uring_create_queue(struct fuse_ring *ring,
kfree(queue);
return NULL;
}
+ for (int i = 0; i < FUSE_PQ_HASH_SIZE; i++)
+ INIT_LIST_HEAD(&pq[i]);
queue->qid = qid;
queue->ring = ring;
@@ -295,8 +297,8 @@ static struct fuse_ring_queue *fuse_uring_create_queue(struct fuse_ring *ring,
INIT_LIST_HEAD(&queue->fuse_req_bg_queue);
INIT_LIST_HEAD(&queue->ent_released);
- queue->fpq.processing = pq;
fuse_pqueue_init(&queue->fpq);
+ queue->fpq.processing = pq;
spin_lock(&fch->lock);
if (ring->queues[qid]) {
--
2.34.1