fuse: fix io-uring list corruption for terminated non-committed requests

When a request is terminated before it has been committed, the request is not removed from the queue's list. This leaves a dangling list entry that leads to list corruption and use-after-free issues. Remove the request from the queue's list for terminated non-committed requests. Signed-off-by: Joanne Koong <joannelkoong@gmail.com> Fixes: c090c8abae4b ("fuse: Add io-uring sqe commit and fetch support") Cc: stable@vger.kernel.org Reviewed-by: Bernd Schubert <bschubert@ddn.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
author: Joanne Koong <joannelkoong@gmail.com> 2025-11-25 10:13:47 -0800
committer: Miklos Szeredi <mszeredi@redhat.com> 2025-11-26 12:38:40 +0100
commit: 95c39eef7c2b666026c69ab5b30471da94ea2874 (patch)
tree: 99ac8c40f0aba24c6542539b81fa7bfd450d6c98
parent: 28fec8b95e67704df7b841dc4cbbba0957078213 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/fs/fuse/dev_uring.c b/fs/fuse/dev_uring.c
index 0066c9c0a5d5..7760fe4e1f9e 100644
--- a/fs/fuse/dev_uring.c
+++ b/fs/fuse/dev_uring.c
@@ -86,6 +86,7 @@ static void fuse_uring_req_end(struct fuse_ring_ent *ent, struct fuse_req *req,
 	lockdep_assert_not_held(&queue->lock);
 	spin_lock(&queue->lock);
 	ent->fuse_req = NULL;
+	list_del_init(&req->list);
 	if (test_bit(FR_BACKGROUND, &req->flags)) {
 		queue->active_background--;
 		spin_lock(&fc->bg_lock);
author	Joanne Koong <joannelkoong@gmail.com>	2025-11-25 10:13:47 -0800
committer	Miklos Szeredi <mszeredi@redhat.com>	2025-11-26 12:38:40 +0100
commit	95c39eef7c2b666026c69ab5b30471da94ea2874 (patch)
tree	99ac8c40f0aba24c6542539b81fa7bfd450d6c98
parent	28fec8b95e67704df7b841dc4cbbba0957078213 (diff)