[PATCH] fuse: {io-uring} use request cleanup helper on commit setup failure

Shuvam Pandey posted 1 patch 3 days, 14 hours ago
fs/fuse/dev_uring.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
Posted by Shuvam Pandey 3 days, 14 hours ago
fuse_uring_commit_fetch() removes the request from the processing
list and clears req->ring_entry before moving the ring entry to the
commit state. If fuse_ring_ent_set_commit() fails, the request is
currently ended directly with fuse_request_end().

That bypasses fuse_uring_req_end(), leaving ent->fuse_req pointing at
the ended request. A later ring entry teardown can observe the stale
pointer and try to end the same request again.

Use fuse_uring_req_end() for this error path as well. The helper clears
ent->fuse_req under the queue lock before ending the request, matching
the other io_uring request cleanup paths.

Fixes: c090c8abae4b ("fuse: Add io-uring sqe commit and fetch support")
Cc: stable@vger.kernel.org # v6.14
Signed-off-by: Shuvam Pandey <shuvampandey1@gmail.com>
---
 fs/fuse/dev_uring.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/fs/fuse/dev_uring.c b/fs/fuse/dev_uring.c
index 7b9822e88..7523569ff 100644
--- a/fs/fuse/dev_uring.c
+++ b/fs/fuse/dev_uring.c
@@ -924,9 +924,7 @@ static int fuse_uring_commit_fetch(struct io_uring_cmd *cmd, int issue_flags,
 		pr_info_ratelimited("qid=%d commit_id %llu state %d",
 				    queue->qid, commit_id, ent->state);
 		spin_unlock(&queue->lock);
-		req->out.h.error = err;
-		clear_bit(FR_SENT, &req->flags);
-		fuse_request_end(req);
+		fuse_uring_req_end(ent, req, err);
 		return err;
 	}
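Review bot: fuse_uring_req_end(ent, req, err) is called right after spin_unlock(&queue->lock), so the ent->fuse_req clear that the commit message attributes to the helper happens under a re-taken lock, leaving a window between the unlock and the helper's own lock in which ent->fuse_req still points at req; confirm that the earlier removal from the processing list and clearing of req->ring_entry (as described in the commit message) keeps a concurrent teardown from acting on the entry in that window, or clear the pointer before the existing spin_unlock() so the lock is taken only once on this path. Also confirm that the helper reproduces both removed effects, `req->out.h.error = err;` and `clear_bit(FR_SENT, &req->flags);`, so the error still reaches the caller and FR_SENT is cleared before fuse_request_end() runs.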
 
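Added illustration, not code from the patch or the kernel: a userspace model of the ownership problem the commit message describes. Ending the request without detaching it from the ring entry leaves the entry's back-pointer alive, so a later teardown ends the same request again; detaching under the queue lock before ending, as the commit message says fuse_uring_req_end() does, avoids that. The struct layouts, end_directly() and ring_ent_teardown() are assumptions built for the model.

```c
#include <errno.h>
#include <pthread.h>
#include <stddef.h>
/* Constructed userspace stand-ins; names mirror the patch, bodies are not the kernel's. */
struct fuse_req { int error, end_count, sent; };
struct fuse_queue { pthread_mutex_t lock; };
struct fuse_ring_ent { struct fuse_queue *queue; struct fuse_req *fuse_req; };

/* Stand-in for fuse_request_end(): counts completions so a double end is visible. */
static void fuse_request_end(struct fuse_req *req) { req->end_count++; }

/* Pre-patch error path: ends the request but never detaches it from the ring entry. */
static void end_directly(struct fuse_req *req, int err)
{
	req->error = err; req->sent = 0;	/* the removed out.h.error / FR_SENT steps */
	fuse_request_end(req);
}

/* Post-patch path per the commit message: detach under the queue lock, then end. */
static void fuse_uring_req_end(struct fuse_ring_ent *ent, struct fuse_req *req, int err)
{
	pthread_mutex_lock(&ent->queue->lock);
	ent->fuse_req = NULL;			/* teardown can no longer find req */
	pthread_mutex_unlock(&ent->queue->lock);
	req->error = err; req->sent = 0;
	fuse_request_end(req);
}

/* Later ring entry teardown (assumed shape): ends whatever request is still attached. */
static void ring_ent_teardown(struct fuse_ring_ent *ent)
{
	pthread_mutex_lock(&ent->queue->lock);
	struct fuse_req *req = ent->fuse_req;
	ent->fuse_req = NULL;
	pthread_mutex_unlock(&ent->queue->lock);
	if (req) fuse_request_end(req);
}

/* Commit setup failure then teardown; returns how often the request was ended. */
static int simulate_commit_failure(int use_helper)
{
	struct fuse_queue queue = { PTHREAD_MUTEX_INITIALIZER };
	struct fuse_req req = { 0, 0, 1 };
	struct fuse_ring_ent ent = { &queue, &req };
	if (use_helper) fuse_uring_req_end(&ent, &req, -EINVAL);
	else end_directly(&req, -EINVAL);	/* 1 = correct, 2 = double end */
	ring_ent_teardown(&ent);
	return req.end_count;
}
```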
Re: [PATCH] fuse: {io-uring} use request cleanup helper on commit setup failure
Posted by Joanne Koong 3 days, 14 hours ago
On Thu, Jun 4, 2026 at 10:09 AM Shuvam Pandey <shuvampandey1@gmail.com> wrote:
>
> fuse_uring_commit_fetch() removes the request from the processing
> list and clears req->ring_entry before moving the ring entry to the
> commit state. If fuse_ring_ent_set_commit() fails, the request is
> currently ended directly with fuse_request_end().
>
> That bypasses fuse_uring_req_end(), leaving ent->fuse_req pointing at
> the ended request. A later ring entry teardown can observe the stale
> pointer and try to end the same request again.
>
> Use fuse_uring_req_end() for this error path as well. The helper clears
> ent->fuse_req under the queue lock before ending the request, matching
> the other io_uring request cleanup paths.
>
> Fixes: c090c8abae4b ("fuse: Add io-uring sqe commit and fetch support")
> Cc: stable@vger.kernel.org # v6.14
> Signed-off-by: Shuvam Pandey <shuvampandey1@gmail.com>
> ---
>  fs/fuse/dev_uring.c | 4 +---
>  1 file changed, 1 insertion(+), 3 deletions(-)
> diff --git a/fs/fuse/dev_uring.c b/fs/fuse/dev_uring.c
> index 7b9822e88..7523569ff 100644
> --- a/fs/fuse/dev_uring.c
> +++ b/fs/fuse/dev_uring.c
> @@ -924,9 +924,7 @@ static int fuse_uring_commit_fetch(struct io_uring_cmd *cmd, int issue_flags,
>                 pr_info_ratelimited("qid=%d commit_id %llu state %d",
>                                     queue->qid, commit_id, ent->state);
>                 spin_unlock(&queue->lock);
> -               req->out.h.error = err;
> -               clear_bit(FR_SENT, &req->flags);
> -               fuse_request_end(req);
> +               fuse_uring_req_end(ent, req, err);
>                 return err;
>         }
>

Hi Shuvam,

There was a similar fix for this submitted a few weeks ago by
Zhenghang that was sent offlist to security@kernel.org (which I think
was before the announcement came out to cc the public mailing lists
when sending fixes to security@). Berkant submitted this fix offlist a
few days after that as well. Sorry for the duplicate work.

Thanks,
Joanne

Re: [PATCH] fuse: {io-uring} use request cleanup helper on commit setup failure
Posted by Bernd Schubert 3 days, 14 hours ago

On 6/4/26 19:33, Joanne Koong wrote:
> On Thu, Jun 4, 2026 at 10:09 AM Shuvam Pandey <shuvampandey1@gmail.com> wrote:
>>
>> fuse_uring_commit_fetch() removes the request from the processing
>> list and clears req->ring_entry before moving the ring entry to the
>> commit state. If fuse_ring_ent_set_commit() fails, the request is
>> currently ended directly with fuse_request_end().
>>
>> That bypasses fuse_uring_req_end(), leaving ent->fuse_req pointing at
>> the ended request. A later ring entry teardown can observe the stale
>> pointer and try to end the same request again.
>>
>> Use fuse_uring_req_end() for this error path as well. The helper clears
>> ent->fuse_req under the queue lock before ending the request, matching
>> the other io_uring request cleanup paths.
>>
>> Fixes: c090c8abae4b ("fuse: Add io-uring sqe commit and fetch support")
>> Cc: stable@vger.kernel.org # v6.14
>> Signed-off-by: Shuvam Pandey <shuvampandey1@gmail.com>
>> ---
>>  fs/fuse/dev_uring.c | 4 +---
>>  1 file changed, 1 insertion(+), 3 deletions(-)
>> diff --git a/fs/fuse/dev_uring.c b/fs/fuse/dev_uring.c
>> index 7b9822e88..7523569ff 100644
>> --- a/fs/fuse/dev_uring.c
>> +++ b/fs/fuse/dev_uring.c
>> @@ -924,9 +924,7 @@ static int fuse_uring_commit_fetch(struct io_uring_cmd *cmd, int issue_flags,
>>                 pr_info_ratelimited("qid=%d commit_id %llu state %d",
>>                                     queue->qid, commit_id, ent->state);
>>                 spin_unlock(&queue->lock);
>> -               req->out.h.error = err;
>> -               clear_bit(FR_SENT, &req->flags);
>> -               fuse_request_end(req);
>> +               fuse_uring_req_end(ent, req, err);
>>                 return err;
>>         }
>>
> 
> Hi Shuvam,
> 
> There was a similar fix for this submitted a few weeks ago by
> Zhenghang that was sent offlist to security@kernel.org (which I think
> was before the announcement came out to cc the public mailing lists
> when sending fixes to security@). Berkant submitted this fix offlist a
> few days after that as well. Sorry for the duplicate work.

Out of interest, did you see the entire series I had submitted?

Thanks,
Bernd
Re: [PATCH] fuse: {io-uring} use request cleanup helper on commit setup failure
Posted by Berkant Koc 21 hours ago
On Thu, 4 Jun 2026 19:36:15 +0200, Bernd Schubert wrote:
> Out of interest, did you see the entire series I had submitted?

Yes, I went through the full v3 series, thanks for picking these up.
My standalone "use request cleanup helper" change is covered by 3/4
and 4/4, so I will drop it rather than carry a duplicate.

I still have the reproducer that surfaced the commit_fetch and
async_stop_queues races. Once v3 settles I will run it against the
series and follow up with a Tested-by if it holds.

Thanks,
Berkant
Re: [PATCH] fuse: {io-uring} use request cleanup helper on commit setup failure
Posted by Joanne Koong 3 days, 13 hours ago
On Thu, Jun 4, 2026 at 10:36 AM Bernd Schubert <bschubert@ddn.com> wrote:
>
>
>
> On 6/4/26 19:33, Joanne Koong wrote:
> > On Thu, Jun 4, 2026 at 10:09 AM Shuvam Pandey <shuvampandey1@gmail.com> wrote:
> >>
> >> fuse_uring_commit_fetch() removes the request from the processing
> >> list and clears req->ring_entry before moving the ring entry to the
> >> commit state. If fuse_ring_ent_set_commit() fails, the request is
> >> currently ended directly with fuse_request_end().
> >>
> >> That bypasses fuse_uring_req_end(), leaving ent->fuse_req pointing at
> >> the ended request. A later ring entry teardown can observe the stale
> >> pointer and try to end the same request again.
> >>
> >> Use fuse_uring_req_end() for this error path as well. The helper clears
> >> ent->fuse_req under the queue lock before ending the request, matching
> >> the other io_uring request cleanup paths.
> >>
> >> Fixes: c090c8abae4b ("fuse: Add io-uring sqe commit and fetch support")
> >> Cc: stable@vger.kernel.org # v6.14
> >> Signed-off-by: Shuvam Pandey <shuvampandey1@gmail.com>
> >> ---
> >>  fs/fuse/dev_uring.c | 4 +---
> >>  1 file changed, 1 insertion(+), 3 deletions(-)
> >> diff --git a/fs/fuse/dev_uring.c b/fs/fuse/dev_uring.c
> >> index 7b9822e88..7523569ff 100644
> >> --- a/fs/fuse/dev_uring.c
> >> +++ b/fs/fuse/dev_uring.c
> >> @@ -924,9 +924,7 @@ static int fuse_uring_commit_fetch(struct io_uring_cmd *cmd, int issue_flags,
> >>                 pr_info_ratelimited("qid=%d commit_id %llu state %d",
> >>                                     queue->qid, commit_id, ent->state);
> >>                 spin_unlock(&queue->lock);
> >> -               req->out.h.error = err;
> >> -               clear_bit(FR_SENT, &req->flags);
> >> -               fuse_request_end(req);
> >> +               fuse_uring_req_end(ent, req, err);
> >>                 return err;
> >>         }
> >>
> >
> > Hi Shuvam,
> >
> > There was a similar fix for this submitted a few weeks ago by
> > Zhenghang that was sent offlist to security@kernel.org (which I think
> > was before the announcement came out to cc the public mailing lists
> > when sending fixes to security@). Berkant submitted this fix offlist a
> > few days after that as well. Sorry for the duplicate work.
>
> Out of interest, did you see the entire series I had submitted?

Not sure if you're asking Shuvam or me, but could you post a link to the series?

Thanks,
Joanne