Re: [PATCH] fuse: fix kernel NULL pointer dereference in fuse_uring_add_to_pq()

Next message: Dmitry Torokhov: "Re: [PATCH 2/2] Input: synaptics-rmi4 - use u32 for reg_size to avoid sign extension into item-&gt;reg_size"
Previous message: GONG Ruiqi: "Re: [PATCH] apparmor: Fix two bugs of aa_setup_dfa_engine's fail handling"
In reply to: Jingbo Xu: "Re: [PATCH] fuse: fix kernel NULL pointer dereference in fuse_uring_add_to_pq()"
Next in thread: Bernd Schubert: "Re: [PATCH] fuse: fix kernel NULL pointer dereference in fuse_uring_add_to_pq()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Li Wang

Date: Wed Apr 22 2026 - 21:53:30 EST

Hi Jingbo,

On 22/04/2026 19:18, Jingbo Xu wrote:
>
>
> On 4/22/26 6:36 PM, Li Wang wrote:
>> A kernel NULL pointer dereference was triggered when testing the
>> 'fuse over io_uring' feature with passthrough_ll. The call trace
>> is as follows:
>> BUG: kernel NULL pointer dereference, address: 0000000000000878
>> RIP: 0010:fuse_uring_add_req_to_ring_ent+0x89/0xd0 [fuse]
>> Call Trace:
>> <TASK>
>> fuse_uring_queue_fuse_req+0x82/0x100 [fuse]
>> fuse_chan_send+0xe6/0x180 [fuse]
>
> I don't see fuse_chan_send() in upstream kernel. I think you are
> testing kernel with this patchset[1] applied?
>
> [1] https://lore.kernel.org/all/20260416091658.462783-1-mszeredi@xxxxxxxxxx/
>

The test is based on
git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse.git#for-next

Thanks,
Li