[PATCH 0/2] fuse: io-uring: fix two UAFs in dev_uring.c teardown

From: Berkant Koc

Date: Sun May 17 2026 - 08:59:59 EST


Applied on top of 6916d5703ddf. Thanks Greg for asking to take this
on-list; the original off-list report to security@xxxxxxxxxx included
a defensive third patch that added cancel_delayed_work_sync() in
fuse_conn_put(), but it triggered a WARN_ON in queue_work() because
the work item is not always initialized at that point. That patch is
dropped from this series.

Patch 1/2 is the static-analysis fix: fuse_uring_commit_fetch() leaks
a dangling ent->fuse_req on the set_commit error branch. The patch
routes that branch through the existing fuse_uring_req_end() helper
so ent->fuse_req is cleared under queue->lock.

Patch 2/2 is the KASAN-reproducible fix: fuse_dev_release() on the
last fuse_dev drops the connection ref before the io-uring
async_teardown_work has stopped, so delayed_release() can kfree() ring
entries the work is still walking. Adding fuse_wait_aborted() between
fuse_abort_conn() and fuse_conn_put() drains queue_refs first.

KASAN-tested at HEAD 6916d5703ddf + this series, 50 iterations x 16
worker threads against an io-uring fuse daemon: 0 KASAN trips, 0
warnings. KASAN log on request.

Joanne Koong's [PATCH v2 0/3] (Message-ID
<20260516021138.2759874-1-joannelkoong@xxxxxxxxx>) is in flight on a
separate fuse-next base; this series targets mainline 6916d5703ddf and
does not overlap with hers in code or fix scope.

CCing linux-fuse and linux-kernel now per the on-list workflow.

Berkant Koc (2):
fuse: io-uring: clear ent->fuse_req in commit_fetch error path
fuse: wait for aborted connection before releasing last fuse_dev

fs/fuse/dev.c | 1 +
fs/fuse/dev_uring.c | 4 +---
2 files changed, 2 insertions(+), 3 deletions(-)

--
2.47.3
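The ordering problem patch 2/2 describes (last fuse_dev release drops the connection ref while the async teardown work is still walking ring entries) can be modelled in userspace. The program below is an added example, not code from this series or from fs/fuse; struct conn, queue_refs, teardown_worker(), abort_conn(), wait_aborted(), conn_put() and delayed_release() are stand-ins for the kernel objects the cover letter names. Freeing is modelled by clearing an "alive" flag rather than calling free(), so the late walk is detectable instead of being undefined behaviour. release_without_wait() is the pre-patch sequence (abort, then put); release_with_wait() inserts the fuse_wait_aborted()-style drain between them.

```c
/* Added example: userspace model of the fuse io-uring teardown race fixed
 * by patch 2/2. Names are stand-ins, not the real fs/fuse symbols. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>
#include <unistd.h>

#define NENT 4

/* One ring entry; "alive" models whether kfree() has already run on it. */
struct ring_entry {
    int id;
    atomic_int alive;
};

struct conn {
    atomic_int refs;           /* fuse_conn refcount stand-in */
    atomic_int queue_refs;     /* refs pinned by the async teardown work */
    atomic_int use_after_free; /* set if the work walked a released entry */
    struct ring_entry ent[NENT];
    pthread_t worker;
};

static void conn_init(struct conn *c)
{
    atomic_init(&c->refs, 1);
    atomic_init(&c->queue_refs, 0);
    atomic_init(&c->use_after_free, 0);
    for (int i = 0; i < NENT; i++) {
        c->ent[i].id = i;
        atomic_init(&c->ent[i].alive, 1);
    }
}

/* delayed_release() stand-in: runs when the last connection ref drops and
 * "frees" the ring entries (modelled by clearing alive, not free()). */
static void delayed_release(struct conn *c)
{
    for (int i = 0; i < NENT; i++)
        atomic_store(&c->ent[i].alive, 0);
}

static void conn_put(struct conn *c)
{
    if (atomic_fetch_sub(&c->refs, 1) == 1)
        delayed_release(c);
}

/* async_teardown_work stand-in: queued at abort, still walking the entries
 * a little later, then drops the queue ref it holds. */
static void *teardown_worker(void *arg)
{
    struct conn *c = arg;
    usleep(20000);                       /* work queued but not yet done */
    for (int i = 0; i < NENT; i++)
        if (!atomic_load(&c->ent[i].alive))
            atomic_store(&c->use_after_free, 1);
    atomic_fetch_sub(&c->queue_refs, 1); /* work releases its queue ref */
    return NULL;
}

static void abort_conn(struct conn *c)
{
    atomic_store(&c->queue_refs, 1);     /* the queued work pins one ref */
    pthread_create(&c->worker, NULL, teardown_worker, c);
}

/* fuse_wait_aborted() stand-in: block until queue_refs has drained. */
static void wait_aborted(struct conn *c)
{
    while (atomic_load(&c->queue_refs) > 0)
        usleep(1000);
}

/* Pre-patch sequence on the last fuse_dev: abort, then put. Returns 1 when
 * the teardown work observed entries that were already released. */
int release_without_wait(void)
{
    struct conn c;
    conn_init(&c);
    abort_conn(&c);
    conn_put(&c);                        /* entries go away while work is pending */
    pthread_join(c.worker, NULL);
    return atomic_load(&c.use_after_free);
}

/* Patched sequence: abort, drain queue_refs, then put. Returns 0. */
int release_with_wait(void)
{
    struct conn c;
    conn_init(&c);
    abort_conn(&c);
    wait_aborted(&c);                    /* work has finished its walk */
    conn_put(&c);
    pthread_join(c.worker, NULL);
    return atomic_load(&c.use_after_free);
}

int main(void)
{
    return (release_without_wait() == 1 && release_with_wait() == 0) ? 0 : 1;
}
```

The model is single-shot: each helper builds a fresh connection, runs one release sequence and reports whether the work touched released entries, which is the condition KASAN flags in the real driver. Build with `-pthread` on toolchains whose libc does not already bundle pthreads.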