fuse-io-uring: Fix UAF and NULL deref in startup error path

abhinavagarwal07 · bsbernd · commit 49fcd891a58f · 2026-03-18T21:30:30.000+01:00
In fuse_uring_start(), the error path called fuse_session_destruct_uring()
which frees fuse_ring, then stored the freed pointer in se-&gt;uring.pool.
On session shutdown, the session loop cleanup checks if (se-&gt;uring.pool)
and calls fuse_uring_stop() — dereferencing the freed memory (use-after-free).

Fix by setting se-&gt;uring.pool = NULL in the error path so the cleanup
check is skipped. Also add a NULL guard before the destruct call to handle
the case where fuse_create_ring() itself returns NULL, which would cause
a NULL pointer dereference at fuse_ring-&gt;nr_queues.

Fixes CVE-2026-33150

Signed-off-by: Abhinav Agarwal &lt;abhinav.agarwal@rubrik.com&gt;
diff --git a/lib/fuse_uring.c b/lib/fuse_uring.c
@@ -925,8 +925,9 @@ int fuse_uring_start(struct fuse_session *se)
 err:
 	if (err) {
 		/* Note all threads need to have been started */
-		fuse_session_destruct_uring(fuse_ring);
-		se->uring.pool = fuse_ring;
+		if (fuse_ring)
+			fuse_session_destruct_uring(fuse_ring);
+		se->uring.pool = NULL;
 	}
 	return err;
 }

Original file line number	Diff line number	Diff line change
`@@ -925,8 +925,9 @@ int fuse_uring_start(struct fuse_session *se)`
`925`	`925`	`err:`
`926`	`926`	`if (err) {`
`927`	`927`	`/* Note all threads need to have been started */`
`928`		`- fuse_session_destruct_uring(fuse_ring);`
`929`		`- se->uring.pool = fuse_ring;`
	`928`	`+ if (fuse_ring)`
	`929`	`+ fuse_session_destruct_uring(fuse_ring);`
	`930`	`+ se->uring.pool = NULL;`
`930`	`931`	`}`
`931`	`932`	`return err;`
`932`	`933`	`}`