On Tue, Nov 25, 2025 at 10:15 AM Joanne Koong <joannelkoong@gmail.com> wrote:
When a request is terminated before it has been committed, the request is not removed from the queue's list. This leaves a dangling list entry that leads to list corruption and use-after-free issues.
Remove the request from the queue's list for terminated non-committed requests.
Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
Fixes: c090c8abae4b ("fuse: Add io-uring sqe commit and fetch support")
Sorry, forgot to add the stable tag. There should be this line:
Cc: stable@vger.kernel.org
fs/fuse/dev_uring.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/fuse/dev_uring.c b/fs/fuse/dev_uring.c index 0066c9c0a5d5..7760fe4e1f9e 100644 --- a/fs/fuse/dev_uring.c +++ b/fs/fuse/dev_uring.c @@ -86,6 +86,7 @@ static void fuse_uring_req_end(struct fuse_ring_ent *ent, struct fuse_req *req, lockdep_assert_not_held(&queue->lock); spin_lock(&queue->lock); ent->fuse_req = NULL;
list_del_init(&req->list); if (test_bit(FR_BACKGROUND, &req->flags)) { queue->active_background--; spin_lock(&fc->bg_lock);-- 2.47.3
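Review bot: the commit message scopes the fix to terminated non-committed requests, but the added list_del_init(&req->list) in fuse_uring_req_end() is unconditional, so it also runs for requests that were committed and may already have been unlinked; that is only safe because list_del_init() is a harmless no-op on an entry that was previously unlinked with list_del_init() (a plain list_del() on the other path would leave a poisoned entry and corrupt on the second removal). Either state that reasoning in the commit message or guard the call with the condition that identifies the non-committed case. The placement itself is right: the removal happens after spin_lock(&queue->lock), i.e. under the same lock the lockdep_assert_not_held() at the top of the function is about, so the list is not touched unlocked.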
On 11/25/25 19:23, Joanne Koong wrote:
Thank you, clearly missing in the fuse_uring_prepare_send() -> fuse_uring_req_end() error code path.
Reviewed-by: Bernd Schubert <bschubert@ddn.com>