CVE-2024-38626

In the Linux kernel, the following vulnerability has been resolved: fuse:
clear FR_SENT when re-adding requests into pending list The following
warning was reported by lee bruce: ------------[ cut here ]------------
WARNING: CPU: 0 PID: 8264 at fs/fuse/dev.c:300 fuse_request_end+0x685/0x7e0
fs/fuse/dev.c:300 Modules linked in: CPU: 0 PID: 8264 Comm: ab2 Not tainted
6.9.0-rc7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) RIP:
0010:fuse_request_end+0x685/0x7e0 fs/fuse/dev.c:300 … Call Trace:
<TASK> fuse_dev_do_read.constprop.0+0xd36/0x1dd0 fs/fuse/dev.c:1334
fuse_dev_read+0x166/0x200 fs/fuse/dev.c:1367 call_read_iter
include/linux/fs.h:2104 [inline] new_sync_read fs/read_write.c:395 [inline]
vfs_read+0x85b/0xba0 fs/read_write.c:476 ksys_read+0x12f/0x260
fs/read_write.c:619 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xce/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f … </TASK> The warning is due
to the FUSE_NOTIFY_RESEND notify sent by the write() syscall in the
reproducer program and it happens as follows: (1) calls fuse_dev_read() to
read the INIT request The read succeeds. During the read, bit FR_SENT will
be set on the request. (2) calls fuse_dev_write() to send an
USE_NOTIFY_RESEND notify The resend notify will resend all processing
requests, so the INIT request is moved from processing list to pending list
again. (3) calls fuse_dev_read() with an invalid output address
fuse_dev_read() will try to copy the same INIT request to the output
address, but it will fail due to the invalid address, so the INIT request
is ended and triggers the warning in fuse_request_end(). Fix it by clearing
FR_SENT when re-adding requests into pending list.