Re: [PATCH 1/2] fuse: io-uring: clear ent->fuse_req in commit_fetch error path

Next message: Jonathan Cameron: "Re: [PATCH v6 09/12] iio: dac: ad5686: add helpers to handle powerdown masks"
Previous message: Baokun Li: "[PATCH v2 1/3] writeback: fix race between cgroup_writeback_umount() and inode_switch_wbs()"
In reply to: Bernd Schubert: "Re: [PATCH 1/2] fuse: io-uring: clear ent-&gt;fuse_req in commit_fetch error path"
Next in thread: Berkant Koc: "[PATCH 2/2] fuse: wait for aborted connection before releasing last fuse_dev"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Berkant Koc

Date: Sun May 17 2026 - 10:25:23 EST

On 2026-05-17 16:11, Bernd Schubert wrote:
> We already had a security report for that on Friday [...] I had
> already replied to Zhenghang on Friday, I don't think it is enough.
> [...] valid all over the copy operation (fuse_uring_prepare_send())

Thanks for the context. P1 is a duplicate of Zhenghang's Friday report,
please consider it withdrawn.

You are right that clearing ent->fuse_req only in the commit_fetch error
path is not sufficient. The same window is reachable across the whole
copy path in fuse_uring_prepare_send(), so a single-point clear leaves
the race open on the other exits. I will not push a v2 for this one and
leave the scope call to you.

P2 ([PATCH 2/2] serialize ring teardown and per-ent setup against
ent->state writers) is a separate path: ent->state being written without
the queue lock while teardown frees the ring. If that overlaps with what
you are looking at today, I will hold off on P2 as well. If it is out of
scope for your work, a short note is enough and I will keep tracking it
independently.

KASAN config and the repro harness (qemu + libfuse uring example with
abort-on-mount) are set up here, happy to test your fix once it is on
the list.

Thanks,
Berkant