On Tue, Sep 25, 2018 at 11:28 AM, Kirill Tkhai <ktkhai@xxxxxxxxxxxxx> wrote:
> We may pick freed req in this way:
>
>         [cpu0]                                  [cpu1]
>   fuse_dev_do_read()                      fuse_dev_do_write()
>     list_move_tail(&req->list, &fpq->processing);   ...
>     spin_unlock(&fpq->lock);                ...
>     ...                                     request_end(fc, req);
>     ...                                       fuse_put_request(fc, req);
>     if (test_bit(FR_INTERRUPTED, &req->flags))
>           queue_interrupt(fiq, req);
>
> Fix that by keeping req alive till we finish all manipulations.
>
> Reported-by: syzbot+4e975615ca01f2277bdd@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Kirill Tkhai <ktkhai@xxxxxxxxxxxxx>

Applied.

Thanks,
Miklos
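Added here as an illustration, not part of the thread or of the kernel patch: a small C model of the interleaving described in the quoted message and of the reference-holding fix. The struct, req_get/req_put and the run_* drivers are constructed stand-ins for the kernel's fuse_req refcount helpers, and the second CPU is modelled by a direct call in the unlocked window.

```c
#include <stdbool.h>

/* Constructed model of a FUSE request's lifetime; names are hypothetical,
 * not the kernel's. Dropping the last reference sets a flag instead of
 * freeing memory, so a use-after-free can be observed without crashing. */
#define FR_INTERRUPTED 1u

struct req {
    unsigned int refcount;   /* stands in for struct fuse_req's refcount */
    unsigned int flags;
    bool freed;              /* set when the last reference is dropped */
    bool interrupt_queued;   /* stands in for queue_interrupt() */
};

static void req_get(struct req *r) { r->refcount++; }
/* Real code frees the request when the count hits zero; we only mark it. */
static void req_put(struct req *r) { if (--r->refcount == 0) r->freed = true; }

/* cpu1: request_end() followed by fuse_put_request() drops the last ref. */
static void cpu1_complete(struct req *r) { req_put(r); }

/* cpu0, before the fix: unlock fpq->lock, then read req->flags. cpu1 runs
 * in the window (modelled by a direct call), so the read hits a freed
 * request. Returns true when that happened. */
static bool cpu0_unfixed(struct req *r)
{
    /* list_move_tail(...); spin_unlock(&fpq->lock); */
    cpu1_complete(r);
    bool uaf = r->freed;
    if (r->flags & FR_INTERRUPTED)
        r->interrupt_queued = true;
    return uaf;
}

/* cpu0, fixed: hold a reference across the window, so cpu1's put cannot
 * free the request until the flag test and queue_interrupt() are done. */
static bool cpu0_fixed(struct req *r)
{
    req_get(r);
    cpu1_complete(r);
    bool uaf = r->freed;
    if (r->flags & FR_INTERRUPTED)
        r->interrupt_queued = true;
    req_put(r);              /* the request really goes away only now */
    return uaf;
}

/* Each driver returns whether the flag test touched a freed request. */
bool run_unfixed(void) { struct req r = { 1, FR_INTERRUPTED, false, false }; return cpu0_unfixed(&r); }
bool run_fixed(void)   { struct req r = { 1, FR_INTERRUPTED, false, false }; return cpu0_fixed(&r); }
```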