Re: [PATCH] fuse: fix kernel NULL pointer dereference in fuse_uring_add_to_pq()

Next message: Muchun Song: "[PATCH v5 v5 3/6] mm/sparse-vmemmap: Pass @pgmap argument to memory deactivation paths"
Previous message: Michal Hocko: "Re: [RFC 3/3] mm: process_mrelease: introduce PROCESS_MRELEASE_REAP_KILL flag"
In reply to: Li Wang: "Re: [PATCH] fuse: fix kernel NULL pointer dereference in fuse_uring_add_to_pq()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Miklos Szeredi

Date: Thu Apr 23 2026 - 03:19:57 EST

On Thu, 23 Apr 2026 at 08:45, Li Wang <liwang@xxxxxxxxxx> wrote:

> > diff --git a/fs/fuse/dev_uring.c b/fs/fuse/dev_uring.c
> > index 5abf447e9710..e467b23e6895 100644
> > --- a/fs/fuse/dev_uring.c
> > +++ b/fs/fuse/dev_uring.c
> > @@ -277,7 +277,7 @@ static struct fuse_ring_queue
> > *fuse_uring_create_queue(struct fuse_ring *ring,
> > queue = kzalloc_obj(*queue, GFP_KERNEL_ACCOUNT);
> > if (!queue)
> > return NULL;
> > - pq = kzalloc_objs(struct list_head, FUSE_PQ_HASH_SIZE);
> > + pq = fuse_pqueue_alloc();
> > if (!pq) {
> > kfree(queue);
> > return NULL;
> > @@ -295,8 +295,8 @@ static struct fuse_ring_queue
> > *fuse_uring_create_queue(struct fuse_ring *ring,
> > INIT_LIST_HEAD(&queue->fuse_req_bg_queue);
> > INIT_LIST_HEAD(&queue->ent_released);
> >
> > - queue->fpq.processing = pq;
> > fuse_pqueue_init(&queue->fpq);
> > + queue->fpq.processing = pq;
> >
> > after exporting fuse_pqueue_alloc() into fuse_dev_i.h

Folded.

Thanks,
Miklos