From: Yung-Tse Cheng
To: gmaglione@redhat.com, vgoyal@redhat.com, stefanha@redhat.com, miklos@szeredi.hu
Cc: eperezma@redhat.com, virtualization@lists.linux.dev, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Yung-Tse Cheng
Subject: [PATCH] virtio-fs: avoid double-free on failed queue setup
Date: Mon, 6 Apr 2026 03:30:39 +0800
Message-ID: <20260405193039.178506-1-mes900903@gmail.com>
X-Mailer: git-send-email 2.43.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

virtio_fs_setup_vqs() allocates fs->vqs and fs->mq_map before calling
virtio_find_vqs(). If virtio_find_vqs() fails, the error path frees both
pointers and returns an error to virtio_fs_probe(). virtio_fs_probe() then
drops the last kobject reference, and virtio_fs_ktype_release() frees
fs->vqs and fs->mq_map again. This leaves dangling pointers in struct
virtio_fs and can trigger a double-free during probe failure cleanup.

Set fs->vqs and fs->mq_map to NULL immediately after kfree() in the
virtio_fs_setup_vqs() error path so that the later kobject release sees an
uninitialized state and kfree(NULL) becomes harmless.

Signed-off-by: Yung-Tse Cheng
---
This can be reproduced when a broken virtio-fs device advertises more
request queues than the transport actually provides. In that case
virtio_find_vqs() fails while setting up the extra queue, and the probe
path reaches the double-free cleanup sequence.

 fs/fuse/virtio_fs.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/fuse/virtio_fs.c b/fs/fuse/virtio_fs.c
index 057e65b51b99d..e33241e1b8ad9 100644
--- a/fs/fuse/virtio_fs.c +++ b/fs/fuse/virtio_fs.c @@ -988,7 +988,9 @@ static int virtio_fs_setup_vqs(struct virtio_device *vd= ev, kfree(vqs); if (ret) { kfree(fs->vqs); + fs->vqs =3D NULL; kfree(fs->mq_map); + fs->mq_map =3D NULL; } return ret; } base-commit: 3aae9383f42f687221c011d7ee87529398e826b3 --=20 2.43.0
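Review bot: the hunk keeps both kfree() calls in the virtio_fs_setup_vqs() error path and only adds `fs->vqs =3D NULL;` and `fs->mq_map =3D NULL;` after them (the `=3D` is quoted-printable for `=`, per the Content-Transfer-Encoding header); since the commit message states that virtio_fs_ktype_release() already frees fs->vqs and fs->mq_map when virtio_fs_probe() drops the last kobject reference, consider instead dropping the two kfree() calls from this error path and leaving both frees to the release callback, which removes the double-free with one owner for each allocation rather than a free-then-clear in the callee. The change also lacks a `Fixes:` tag naming the commit that introduced the second free and a `Cc: stable@vger.kernel.org` line; a double-free reachable in probe from a device-advertised queue count, as the cover text describes, is worth marking for stable backport.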