fuse: fix io-uring list corruption for terminated non-committed requests

commit 95c39eef7c2b666026c69ab5b30471da94ea2874 upstream. When a request is terminated before it has been committed, the request is not removed from the queue's list. This leaves a dangling list entry that leads to list corruption and use-after-free issues. Remove the request from the queue's list for terminated non-committed requests. Signed-off-by: Joanne Koong <joannelkoong@gmail.com> Fixes: c090c8abae4b ("fuse: Add io-uring sqe commit and fetch support") Cc: stable@vger.kernel.org Reviewed-by: Bernd Schubert <bschubert@ddn.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Joanne Koong <joannelkoong@gmail.com> 2025-11-25 10:13:47 -0800
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-01-02 12:57:31 +0100
commit: a6d1f1ace16d0e777a85f84267160052d3499b6e (patch)
tree: 4ff75b5f1ff67a93fd8e103d523efe6736eb6422 /fs/fuse
parent: f6c08d3aa441bbc1956e9d65f1cbb89113a5aa8a (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/fs/fuse/dev_uring.c b/fs/fuse/dev_uring.c
index f6b12aebb8bb..d2bc05a8b3d1 100644
--- a/fs/fuse/dev_uring.c
+++ b/fs/fuse/dev_uring.c
@@ -86,6 +86,7 @@ static void fuse_uring_req_end(struct fuse_ring_ent *ent, struct fuse_req *req,
 	lockdep_assert_not_held(&queue->lock);
 	spin_lock(&queue->lock);
 	ent->fuse_req = NULL;
+	list_del_init(&req->list);
 	if (test_bit(FR_BACKGROUND, &req->flags)) {
 		queue->active_background--;
 		spin_lock(&fc->bg_lock);
author	Joanne Koong <joannelkoong@gmail.com>	2025-11-25 10:13:47 -0800
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2026-01-02 12:57:31 +0100
commit	a6d1f1ace16d0e777a85f84267160052d3499b6e (patch)
tree	4ff75b5f1ff67a93fd8e103d523efe6736eb6422 /fs/fuse
parent	f6c08d3aa441bbc1956e9d65f1cbb89113a5aa8a (diff)