Re: [PATCH] fuse: {io-uring} use request cleanup helper on commit setup failure

From: Bernd Schubert

Date: Thu Jun 04 2026 - 13:43:45 EST




On 6/4/26 19:33, Joanne Koong wrote:
> On Thu, Jun 4, 2026 at 10:09 AM Shuvam Pandey <shuvampandey1@xxxxxxxxx> wrote:
>>
>> fuse_uring_commit_fetch() removes the request from the processing
>> list and clears req->ring_entry before moving the ring entry to the
>> commit state. If fuse_ring_ent_set_commit() fails, the request is
>> currently ended directly with fuse_request_end().
>>
>> That bypasses fuse_uring_req_end(), leaving ent->fuse_req pointing at
>> the ended request. A later ring entry teardown can observe the stale
>> pointer and try to end the same request again.
>>
>> Use fuse_uring_req_end() for this error path as well. The helper clears
>> ent->fuse_req under the queue lock before ending the request, matching
>> the other io_uring request cleanup paths.
>>
>> Fixes: c090c8abae4b ("fuse: Add io-uring sqe commit and fetch support")
>> Cc: stable@xxxxxxxxxxxxxxx # v6.14
>> Signed-off-by: Shuvam Pandey <shuvampandey1@xxxxxxxxx>
>> ---
>> fs/fuse/dev_uring.c | 4 +---
>> 1 file changed, 1 insertion(+), 3 deletions(-)
>> diff --git a/fs/fuse/dev_uring.c b/fs/fuse/dev_uring.c
>> index 7b9822e88..7523569ff 100644
>> --- a/fs/fuse/dev_uring.c
>> +++ b/fs/fuse/dev_uring.c
>> @@ -924,9 +924,7 @@ static int fuse_uring_commit_fetch(struct io_uring_cmd *cmd, int issue_flags,
>> pr_info_ratelimited("qid=%d commit_id %llu state %d",
>> queue->qid, commit_id, ent->state);
>> spin_unlock(&queue->lock);
>> - req->out.h.error = err;
>> - clear_bit(FR_SENT, &req->flags);
>> - fuse_request_end(req);
>> + fuse_uring_req_end(ent, req, err);
>> return err;
>> }
>>
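Review bot: in this error branch, fuse_uring_req_end(ent, req, err) is called only after spin_unlock(&queue->lock), and the commit message says the helper clears ent->fuse_req under the queue lock. The lock is therefore dropped and taken again while ent->fuse_req still points at a request that has already been removed from the processing list. Consider clearing ent->fuse_req before the spin_unlock() in this branch, or explain in the commit message why that window is harmless. The commit message should also state that the helper covers the two removed lines (req->out.h.error = err and clear_bit(FR_SENT, &req->flags)), since that cannot be checked from this hunk alone.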
>
> Hi Shuvam,
>
> There was a similar fix for this submitted a few weeks ago by
> Zhenghang that was sent offlist to security@xxxxxxxxxx (which I think
> was before the announcement came out to cc the public mailing lists
> when sending fixes to security@). Berkant submitted this fix offlist a
> few days after that as well. Sorry for the duplicate work.

Out of interest, did you see the entire series I had submitted?

Thanks,
Bernd