From nobody Mon May 25 06:41:06 2026
Date: Sun, 17 May 2026 14:59:37 +0200
From: Berkant Koc
To: Greg KH, Miklos Szeredi, Bernd Schubert
Cc: security@kernel.org, Joanne Koong, linux-fuse@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 1/2] fuse: io-uring: clear ent->fuse_req in commit_fetch error path
Message-ID: <20260517-fuse-uaf-patch1@berkoc.com>
In-Reply-To: <20260517-fuse-uaf-cover@berkoc.com>
References: <20260517095846.fuse-iouring-uaf.dc5f5dbb71dc@berkoc.com> <2026051703-equinox-multitude-91e2@gregkh> <20260517-fuse-uaf-cover@berkoc.com>

From: Berkant Koc

fuse_uring_commit_fetch() locates a request, removes it from the processing queue, clears req->ring_entry, then calls fuse_ring_ent_set_commit() under queue->lock. On the error branch (set_commit returning non-zero because the entry is not in FRRS_USERSPACE) the function unlocks the queue and ends the request directly with fuse_request_end(), but it never clears ent->fuse_req.

ent->fuse_req then keeps pointing at the freed fuse_req while the entry remains on a queue list. Subsequent teardown via fuse_uring_entry_teardown() reads ent->fuse_req under queue->lock and hands the dangling pointer to fuse_uring_stop_fuse_req_end(), which dereferences it and calls fuse_request_end() a second time on freed memory.

Route the error branch through fuse_uring_req_end() instead. That helper acquires queue->lock, clears ent->fuse_req under the lock, removes the request from any list it is still on, drops the lock, sets req->out.h.error, clears FR_SENT and ends the request. The ent->fuse_req = NULL store under the lock is what closes the window for the later teardown reader.

Fixes: c090c8abae4b ("fuse: Add io-uring sqe commit and fetch support")
Cc: stable@vger.kernel.org # 6.14+
Signed-off-by: Berkant Koc
---
 fs/fuse/dev_uring.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/fs/fuse/dev_uring.c b/fs/fuse/dev_uring.c
index 7b9822e8837b..7523569ffdce 100644
--- a/fs/fuse/dev_uring.c
+++ b/fs/fuse/dev_uring.c
@@ -924,9 +924,7 @@ static int fuse_uring_commit_fetch(struct io_uring_cmd = *cmd, int issue_flags, pr_info_ratelimited("qid=3D%d commit_id %llu state %d", queue->qid, commit_id, ent->state); spin_unlock(&queue->lock); - req->out.h.error =3D err; - clear_bit(FR_SENT, &req->flags); - fuse_request_end(req); + fuse_uring_req_end(ent, req, err); return err; } -- 2.47.3

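Review bot: the new `fuse_uring_req_end(ent, req, err);` call sits directly after `spin_unlock(&queue->lock);`, and the commit message says the helper takes queue->lock again itself, so between this unlock and the helper's own lock acquisition the entry is still on its queue list with ent->fuse_req set. A teardown running in that interval (fuse_uring_entry_teardown() reads ent->fuse_req under queue->lock, as the message describes) would see a live pointer and could end the request in parallel with this path. Either clear ent->fuse_req under the lock already held here, before the unlock, or state in the commit message why that interval is benign (for example, if the state check that produced `err` rules out a concurrent teardown of the same entry). With that clarified, folding the three-line manual end sequence into one helper call is the right shape for the fix.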
From nobody Mon May 25 06:41:06 2026
Date: Sun, 17 May 2026 14:59:47 +0200
From: Berkant Koc
To: Greg KH, Miklos Szeredi, Bernd Schubert
Cc: security@kernel.org, Joanne Koong, linux-fuse@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 2/2] fuse: wait for aborted connection before releasing last fuse_dev
Message-ID: <20260517-fuse-uaf-patch2@berkoc.com>
In-Reply-To: <20260517-fuse-uaf-cover@berkoc.com>
References: <20260517095846.fuse-iouring-uaf.dc5f5dbb71dc@berkoc.com> <2026051703-equinox-multitude-91e2@gregkh> <20260517-fuse-uaf-cover@berkoc.com>

From: Berkant Koc

fuse_dev_release() on the last fuse_dev of a connection calls fuse_abort_conn(fc) and then immediately fuse_conn_put(fc). For io-uring backed connections fuse_abort_conn() reaches fuse_uring_abort(), which runs fuse_uring_teardown_all_queues() synchronously once and then schedules ring->async_teardown_work to run after FUSE_URING_TEARDOWN_INTERVAL (HZ/20). If the synchronous pass left queue_refs > 0 the work owns further accesses to ring->queues[*]->ent_avail_queue and ent_in_userspace entries.

Meanwhile fuse_conn_put() can drop the last reference and arm delayed_release() via call_rcu(). After the RCU grace period delayed_release() calls fuse_uring_destruct(), which kfree()s the ring entries on each queue->ent_released list. The previously scheduled async_teardown_work then runs and walks per-queue lists that contain freed entries, producing a slab-use-after-free reported by KASAN at fuse_uring_teardown_all_queues+0xee reading ent->list.next from a freed kmalloc-192 region.

fuse_wait_aborted() already exists for this purpose: it waits on fc->blocked_waitq for num_waiting to drain and then calls fuse_uring_wait_stopped_queues(), which waits for ring->queue_refs to reach zero. Call it between fuse_abort_conn() and fuse_conn_put() on the last-device path so the io-uring teardown work has fully drained before the connection can be torn down.

Fixes: c090c8abae4b ("fuse: Add io-uring sqe commit and fetch support")
Cc: stable@vger.kernel.org # 6.14+
Tested-by: Berkant Koc
Signed-off-by: Berkant Koc
Reviewed-by: Joanne Koong
---
 fs/fuse/dev.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index 5dda7080f4a9..7d9c06654a98 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -2566,6 +2566,7 @@ int fuse_dev_release(struct inode *inode, struct file= *file) if (last) { WARN_ON(fc->iq.fasync !=3D NULL); fuse_abort_conn(fc); + fuse_wait_aborted(fc); } fuse_conn_put(fc); } -- 2.47.3
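Review bot: the added `fuse_wait_aborted(fc);` turns the last fuse_dev_release() into a blocking wait for every connection, not only io-uring backed ones, because per the commit message the helper first waits on fc->blocked_waitq for num_waiting to drain before it touches the ring, while the message argues the ordering requirement only for the io-uring teardown work. The commit message should say that release now blocks, and why every request still counted in num_waiting is guaranteed to be woken by the preceding fuse_abort_conn() so that close() cannot hang on a connection with no userspace server left. Also add a one-line comment above the call, along the lines of `/* drain async io-uring teardown before fuse_conn_put() can free the ring */`, so the ordering constraint between the teardown work and delayed_release() is visible in the code and not only in the log.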