fuse: don't dereference req->args on finished request

Move the check for async request after check for the request being already finished and done with. Reported-by: syzbot+ae0bb7aae3de6b4594e2@syzkaller.appspotmail.com Fixes: d49937749fef ("fuse: stop copying args to fuse_req") Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
author: Miklos Szeredi <mszeredi@redhat.com> 2019-10-21 09:11:40 +0200
committer: Miklos Szeredi <mszeredi@redhat.com> 2019-10-21 09:11:40 +0200
commit: 2b319d1f6f92a4ced9897678113d176ee16ae85d (patch)
tree: 4d166771b531db8e720acc6a7f1189eb5def5615 /fs
parent: 3f22c7467136adfa6d2a7baf7cd5c573f0641bd1 (diff)
download: linux-2b319d1f6f92a4ced9897678113d176ee16ae85d.tar.gz
linux-2b319d1f6f92a4ced9897678113d176ee16ae85d.tar.bz2
linux-2b319d1f6f92a4ced9897678113d176ee16ae85d.zip
1 files changed, 3 insertions, 1 deletions
diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index dadd617d826c..ed1abc9e33cf 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -276,10 +276,12 @@ static void flush_bg_queue(struct fuse_conn *fc)
 void fuse_request_end(struct fuse_conn *fc, struct fuse_req *req)
 {
 	struct fuse_iqueue *fiq = &fc->iq;
-	bool async = req->args->end;
+	bool async;
 
 	if (test_and_set_bit(FR_FINISHED, &req->flags))
 		goto put_request;
+
+	async = req->args->end;
 	/*
 	 * test_and_set_bit() implies smp_mb() between bit
 	 * changing and below intr_entry check. Pairs with
author	Miklos Szeredi <mszeredi@redhat.com>	2019-10-21 09:11:40 +0200
committer	Miklos Szeredi <mszeredi@redhat.com>	2019-10-21 09:11:40 +0200
commit	2b319d1f6f92a4ced9897678113d176ee16ae85d (patch)
tree	4d166771b531db8e720acc6a7f1189eb5def5615 /fs
parent	3f22c7467136adfa6d2a7baf7cd5c573f0641bd1 (diff)
download	linux-2b319d1f6f92a4ced9897678113d176ee16ae85d.tar.gz linux-2b319d1f6f92a4ced9897678113d176ee16ae85d.tar.bz2 linux-2b319d1f6f92a4ced9897678113d176ee16ae85d.zip