[PATCH] fuse: {io-uring} use request cleanup helper on commit setup failure

Next message: Anton Leontev: "[PATCH net v3] hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf"
Previous message: Andrei Vagin: "[PATCH 3/4] x86/fpu: Add consistency check between xstate_size and xfeatures"
Next in thread: Joanne Koong: "Re: [PATCH] fuse: {io-uring} use request cleanup helper on commit setup failure"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Shuvam Pandey

Date: Thu Jun 04 2026 - 13:05:19 EST

fuse_uring_commit_fetch() removes the request from the processing
list and clears req->ring_entry before moving the ring entry to the
commit state. If fuse_ring_ent_set_commit() fails, the request is
currently ended directly with fuse_request_end().

That bypasses fuse_uring_req_end(), leaving ent->fuse_req pointing at
the ended request. A later ring entry teardown can observe the stale
pointer and try to end the same request again.

Use fuse_uring_req_end() for this error path as well. The helper clears
ent->fuse_req under the queue lock before ending the request, matching
the other io_uring request cleanup paths.

Fixes: c090c8abae4b ("fuse: Add io-uring sqe commit and fetch support")
Cc: stable@xxxxxxxxxxxxxxx # v6.14
Signed-off-by: Shuvam Pandey <shuvampandey1@xxxxxxxxx>
---
fs/fuse/dev_uring.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/fs/fuse/dev_uring.c b/fs/fuse/dev_uring.c
index 7b9822e88..7523569ff 100644
--- a/fs/fuse/dev_uring.c
+++ b/fs/fuse/dev_uring.c
@@ -924,9 +924,7 @@ static int fuse_uring_commit_fetch(struct io_uring_cmd *cmd, int issue_flags,
pr_info_ratelimited("qid=%d commit_id %llu state %d",
queue->qid, commit_id, ent->state);
spin_unlock(&queue->lock);
- req->out.h.error = err;
- clear_bit(FR_SENT, &req->flags);
- fuse_request_end(req);
+ fuse_uring_req_end(ent, req, err);
return err;
}