CVE-2024-38626

In the Linux kernel, the following vulnerability has been resolved:

fuse: clear FR_SENT when re-adding requests into pending list

The following warning was reported by lee bruce:

------------[ cut here ]------------ WARNING: CPU: 0 PID: 8264 at fs/fuse/dev.c:300 fuserequestend+0x685/0x7e0 fs/fuse/dev.c:300 Modules linked in: CPU: 0 PID: 8264 Comm: ab2 Not tainted 6.9.0-rc7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) RIP: 0010:fuserequestend+0x685/0x7e0 fs/fuse/dev.c:300 ...... Call Trace: <TASK> fusedevdoread.constprop.0+0xd36/0x1dd0 fs/fuse/dev.c:1334 fusedevread+0x166/0x200 fs/fuse/dev.c:1367 callreaditer include/linux/fs.h:2104 [inline] newsyncread fs/readwrite.c:395 [inline] vfsread+0x85b/0xba0 fs/readwrite.c:476 ksysread+0x12f/0x260 fs/readwrite.c:619 dosyscallx64 arch/x86/entry/common.c:52 [inline] dosyscall64+0xce/0x260 arch/x86/entry/common.c:83 entrySYSCALL64afterhwframe+0x77/0x7f ...... </TASK>

The warning is due to the FUSENOTIFYRESEND notify sent by the write() syscall in the reproducer program and it happens as follows:

(1) calls fusedevread() to read the INIT request The read succeeds. During the read, bit FRSENT will be set on the request. (2) calls fusedevwrite() to send an USENOTIFYRESEND notify The resend notify will resend all processing requests, so the INIT request is moved from processing list to pending list again. (3) calls fusedevread() with an invalid output address fusedevread() will try to copy the same INIT request to the output address, but it will fail due to the invalid address, so the INIT request is ended and triggers the warning in fuserequest_end().

Fix it by clearing FR_SENT when re-adding requests into pending list.