From patchwork Fri Mar 14 20:50:33 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Joanne Koong X-Patchwork-Id: 14017403 Received: from mail-yb1-f174.google.com (mail-yb1-f174.google.com [209.85.219.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6E1841547E2 for ; Fri, 14 Mar 2025 20:50:45 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.219.174 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1741985446; cv=none; b=CNh8pkBuBy1+5giAZdmqk87cdc8tYMa4q345r6goSovn9x4Gt9bopdqoEIw9io2A9NSAPUxBuUcj2/MCXvuU+BUwqYcdKlhwoM+L1/u+i8PVeqnD3b7q4NkiOnczKbiCazHzj32vrg6d4kz0vjXouqbiKOUDBnnUVg2nUGXR67E= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1741985446; c=relaxed/simple; bh=tm/B4py7EYuSsSLNqxDR+tDZn5+3TufOvVwpSw3aeEs=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=nn6a4gTsgKvWOE2dO7tOrytrwg9Oct/+wprZzeWrSp0UzEt31kq80RDR9rOYPzqXVjL3zJGVPv1/n9ZEZh3E1n/Pct78pDxcuHLt2nAYWRV84mfgfbr43BmI55ImVENvX0+Wd4LqqGMlHHwzluF26HWaLeyAwsKJaIInkunli8I= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=nIsIqUex; arc=none smtp.client-ip=209.85.219.174 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="nIsIqUex" Received: by mail-yb1-f174.google.com with SMTP id 3f1490d57ef6-e46ebe19368so2116343276.0 for ; Fri, 14 Mar 2025 13:50:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1741985444; x=1742590244; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=wmIjd2kV+SNyaXVQwp9mzDhUQaztt3De1d/l++eeKg0=; b=nIsIqUex45tnsurWgPKfIchroXAuqV2JHtgS7uWS/MykdWWjsmXCM3UUEfQnN5kiSm UGkRbYthZe2ZnuWW7HpHjvUVGOtH4Em5JvJMIOtyvU9Ta+kDKjzU65c0/kA4A66jXZpM I1WGP0QsTZzKJRSlfm6YYhXEp2Igxdvjlvowej9ADZ7PmFyCPKGykveplMNlZ6cKNgzq 9i7NSZ6+5mSVvebbkitvPPVZqkaTeAHRwmGYYo3ptvjOihrsOTPOXxj7FTNC2qz3AUiq 5ZX5hUNcR/ArWlX7sJ05g7Lyy6La5HtvhiAa0VJNNgli9u65KSOC2lOs9hc5HU7twA6p CiLg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1741985444; x=1742590244; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=wmIjd2kV+SNyaXVQwp9mzDhUQaztt3De1d/l++eeKg0=; b=g+NhlO/XtwK7oXqlIBXKSmSHZwl7wy3b6wfZHKaPN71qHBuI5ZNus6JIbpPfwg7hcV ZJlv7vw+IiZvvFdQkLornpg7k+pCsD3qS4JP9Jqysh3RVRu9eXc9kUwBmZnpvldk3lRV ZbvhQXZ/be5kDBHznVeKyWFydhqmyN2VsYVkPGahzR7rsSO4xxgcsv9KcLYM3vDMbKZ9 aIUNzIeBXvpMLE34rm182g5oeolA5aBPNRC3RshwU1MroZRzhzRjyc4zt7j5+JNmF7WU I/DYAkiqDCEL7YihPrmv3VXrsnlI+ZUwnCP0vhyVXmq8AW0bhF2azRYZ1yEiV6Xq7u1c /xVw== X-Forwarded-Encrypted: i=1; AJvYcCXsLB+fckI1Hnju4nq2tROiS9le8bCDPiLP/LLxcMwHm188yP1HZDqVubkw2HLzNXBRPyre+tTP1t/eTOF6@vger.kernel.org X-Gm-Message-State: AOJu0YyaBPji2xZEOjJhyLnE9Ezu0NIO7FqEoQAIfNgDQtiA/4djmi0z GkIlCtzxawhBpiAJT9hEMbbEQzxzErInuSCpojeXyyfqPR6fYjhqOW/9GA== X-Gm-Gg: ASbGncuZaYSPakiyUvKFOpwJi4hN1/K2nBXYy7QeGw1Rj0IPRWNhYZK++qsbEcjFXF8 XUbPcaJhzbukOlbceMbKfeJd0Mos8D2USiJnEbe72EKyGiurBle5fF5CBk9wZ8UC4lPHBcywrbU TNCKcdXbVbQ01JHqzlhCxeMdZ+9bYzylqVnve38x/mnw5RbK6m7StLoTwK4WQRUDojEagmAP6FH Jl6H/duT5+Q94jVmuGfYaZT7N5vmd0vFHB7RP2hI5ls9CtCkcMevIRYIbJF03GsR/PuXih1vxEp jLO2sJpaY3axBSHu4Hj0xqFWsAeh9yDhPBGa9bYZVOE= X-Google-Smtp-Source: AGHT+IHlRUu+XtV+vNIypkI6QeLYgZKhzymZJVfY4JZ6Gpd2MlwR77kVzcqH0E4F7ByRrNUa8+ieEQ== X-Received: by 2002:a05:6902:2581:b0:e63:7119:bcb with SMTP id 3f1490d57ef6-e63f65274f7mr5355022276.18.1741985444113; Fri, 14 Mar 2025 13:50:44 -0700 (PDT) Received: from localhost ([2a03:2880:25ff:73::]) by smtp.gmail.com with ESMTPSA id 3f1490d57ef6-e63e54451d1sm1024911276.28.2025.03.14.13.50.43 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 14 Mar 2025 13:50:43 -0700 (PDT) From: Joanne Koong To: miklos@szeredi.hu, linux-fsdevel@vger.kernel.org Cc: bernd.schubert@fastmail.fm, kernel-team@meta.com Subject: [PATCH v2] fuse: fix uring race condition for null dereference of fc Date: Fri, 14 Mar 2025 13:50:33 -0700 Message-ID: <20250314205033.762641-1-joannelkoong@gmail.com> X-Mailer: git-send-email 2.47.1 Precedence: bulk X-Mailing-List: linux-fsdevel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 There is a race condition leading to a kernel crash from a null dereference when attemping to access fc->lock in fuse_uring_create_queue(). fc may be NULL in the case where another thread is creating the uring in fuse_uring_create() and has set fc->ring but has not yet set ring->fc when fuse_uring_create_queue() reads ring->fc. This fix passes fc to fuse_uring_create_queue() instead of accessing it through ring->fc. Signed-off-by: Joanne Koong Fixes: 24fe962c86f5 ("fuse: {io-uring} Handle SQEs - register commands") --- fs/fuse/dev_uring.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fs/fuse/dev_uring.c b/fs/fuse/dev_uring.c index ab8c26042aa8..64f1ae308dc4 100644 --- a/fs/fuse/dev_uring.c +++ b/fs/fuse/dev_uring.c @@ -250,10 +250,10 @@ static struct fuse_ring *fuse_uring_create(struct fuse_conn *fc) return res; } -static struct fuse_ring_queue *fuse_uring_create_queue(struct fuse_ring *ring, +static struct fuse_ring_queue *fuse_uring_create_queue(struct fuse_conn *fc, + struct fuse_ring *ring, int qid) { - struct fuse_conn *fc = ring->fc; struct fuse_ring_queue *queue; struct list_head *pq; @@ -1088,7 +1088,7 @@ static int fuse_uring_register(struct io_uring_cmd *cmd, queue = ring->queues[qid]; if (!queue) { - queue = fuse_uring_create_queue(ring, qid); + queue = fuse_uring_create_queue(fc, ring, qid); if (!queue) return err; }