fuse: fix io-uring list corruption for terminated non-committed requests

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

When a request is terminated before it has been committed, the request
is not removed from the queue's list. This leaves a dangling list entry
that leads to list corruption and use-after-free issues.

Remove the request from the queue's list for terminated non-committed
requests.

Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
Fixes: c090c8abae4b ("fuse: Add io-uring sqe commit and fetch support")
Cc: stable@vger.kernel.org
Reviewed-by: Bernd Schubert <bschubert@ddn.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

authored by

Joanne Koong and committed by

Miklos Szeredi 4 months ago 95c39eef 28fec8b9

1 changed file

expand all

fuse

dev_uring.c

fs/fuse/dev_uring.c

··· 86 86 lockdep_assert_not_held(&queue->lock); 87 87 spin_lock(&queue->lock); 88 88 ent->fuse_req = NULL; 89 + list_del_init(&req->list); 89 90 if (test_bit(FR_BACKGROUND, &req->flags)) { 90 91 queue->active_background--; 91 92 spin_lock(&fc->bg_lock);