[PATCH 0/2] fuse: io-uring: fix two UAFs in dev_uring.c teardown

Berkant Koc posted 2 patches 1 week ago
fs/fuse/dev.c       | 1 +
fs/fuse/dev_uring.c | 4 +---
2 files changed, 2 insertions(+), 3 deletions(-)
Posted by Berkant Koc 1 week ago
Applied on top of 6916d5703ddf. Thanks Greg for asking to take this
on-list; the original off-list report to security@kernel.org included
a defensive third patch that added cancel_delayed_work_sync() in
fuse_conn_put(), but it triggered a WARN_ON in queue_work() because
the work item is not always initialized at that point. That patch is
dropped from this series.

Patch 1/2 is the static-analysis fix: fuse_uring_commit_fetch() leaks
a dangling ent->fuse_req on the set_commit error branch. The patch
routes that branch through the existing fuse_uring_req_end() helper
so ent->fuse_req is cleared under queue->lock.

Patch 2/2 is the KASAN-reproducible fix: fuse_dev_release() on the
last fuse_dev drops the connection ref before the io-uring
async_teardown_work has stopped, so delayed_release() can kfree() ring
entries the work is still walking. Adding fuse_wait_aborted() between
fuse_abort_conn() and fuse_conn_put() drains queue_refs first.

KASAN-tested at HEAD 6916d5703ddf + this series, 50 iterations x 16
worker threads against an io-uring fuse daemon: 0 KASAN trips, 0
warnings. KASAN log on request.

Joanne Koong's [PATCH v2 0/3] (Message-ID
<20260516021138.2759874-1-joannelkoong@gmail.com>) is in flight on a
separate fuse-next base; this series targets mainline 6916d5703ddf and
does not overlap with hers in code or fix scope.

CCing linux-fuse and linux-kernel now per the on-list workflow.

Berkant Koc (2):
  fuse: io-uring: clear ent->fuse_req in commit_fetch error path
  fuse: wait for aborted connection before releasing last fuse_dev

 fs/fuse/dev.c       | 1 +
 fs/fuse/dev_uring.c | 4 +---
 2 files changed, 2 insertions(+), 3 deletions(-)

--
2.47.3
Re: [PATCH 0/2] fuse: io-uring: fix two UAFs in dev_uring.c teardown
Posted by Berkant Koc 1 week ago
Quick correction on the Cc list of this series:

linux-fuse@vger.kernel.org does not exist as a vger list and the
three patch mails bounced from it (550 5.1.1 User unknown).
Per MAINTAINERS, the FUSE list is linux-fsdevel@vger.kernel.org;
adding it now so the series shows up in the lore.kernel.org archive
for the FUSE-fsdevel readership. The original patches and KASAN
context are in this thread via In-Reply-To.

No content change to the patches; this is purely a list-routing fix.

Apologies for the noise.

Berkant
Re: [PATCH 0/2] fuse: io-uring: fix two UAFs in dev_uring.c teardown
Posted by Bernd Schubert 1 week ago

On 5/17/26 15:14, Berkant Koc wrote:
> Quick correction on the Cc list of this series:
> 
> linux-fuse@vger.kernel.org does not exist as a vger list and the
> three patch mails bounced from it (550 5.1.1 User unknown).

The right list is fuse-devel@lists.linux.dev. The MAINTAINERS file is in
the process of being updated.

> Per MAINTAINERS, the FUSE list is linux-fsdevel@vger.kernel.org;
> adding it now so the series shows up in the lore.kernel.org archive
> for the FUSE-fsdevel readership. The original patches and KASAN
> context are in this thread via In-Reply-To.
> 
> No content change to the patches; this is purely a list-routing fix.
> 
> Apologies for the noise.
> 
> Berkant
Thanks,
Bernd
Re: [PATCH 0/2] fuse: io-uring: fix two UAFs in dev_uring.c teardown
Posted by Berkant Koc 1 week ago
Thanks Bernd, adding fuse-devel@lists.linux.dev to Cc now so this
subthread lands in the right archive. Will use that as the FUSE
mailing list going forward.

Berkant