From: Tristan Madani <tristmd@gmail.com>
To: miklos@szeredi.hu
Cc: amir73il@gmail.com, linux-fsdevel@vger.kernel.org,
stable@vger.kernel.org, tristan@talencesecurity.com
Subject: [PATCH] fuse: check fi is not NULL before calling fuse_passthrough_release()
Date: Fri, 19 Jun 2026 12:00:26 +0000
Message-ID: <20260619120026.2630196-1-tristmd@gmail.com>

From: Tristan Madani <tristan@talencesecurity.com>

fuse_create_open() calls fuse_sync_release() with a NULL fuse_inode
when fuse_iget() fails. This propagates to fuse_prepare_release(),
which passes the NULL fi to fuse_inode_backing() via the
fuse_passthrough_release() call, resulting in a NULL pointer
dereference.

The existing comment in fuse_prepare_release() documents that the
inode can be NULL on the error path of fuse_create_open(), and the
fi->lock access below is already guarded with if (likely(fi)), but
the passthrough release path added by commit 4a90451bbc7f ("fuse:
implement open in passthrough mode") was not given the same
protection.

Add the missing NULL check for fi before calling
fuse_passthrough_release().

Found by syzkaller.

Fixes: 4a90451bbc7f ("fuse: implement open in passthrough mode")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
fs/fuse/file.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index c59452d60b8d..9b368eab159c 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -313,7 +313,7 @@ static void fuse_prepare_release(struct fuse_inode *fi, struct fuse_file *ff,
struct fuse_conn *fc = ff->fm->fc;
struct fuse_release_args *ra = &ff->args->release_args;
- if (fuse_file_passthrough(ff))
+ if (fi && fuse_file_passthrough(ff))
fuse_passthrough_release(ff, fuse_inode_backing(fi));
/* Inode is NULL on error path of fuse_create_open() */
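Review bot: with `fi &&` folded into the condition in fuse_prepare_release(), a NULL fi now skips fuse_passthrough_release() altogether, including whatever that call does for ff itself, not only the fuse_inode_backing(fi) lookup that needs fi. If ff can be in passthrough mode on the fuse_create_open() error path, consider keeping the release and guarding only the argument, e.g. `fuse_passthrough_release(ff, fi ? fuse_inode_backing(fi) : NULL)`, assuming the callee accepts a NULL backing pointer; if ff can never be in passthrough mode there, the commit message should say so. Separately, the existing comment "Inode is NULL on error path of fuse_create_open()" now sits below the first NULL-sensitive use of fi and would read better moved above this check.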
--
2.47.3