[PATCH 1/2] fuse: io-uring: clear ent->fuse_req in commit_fetch error path

[Berkant Koc <me@berkoc.com>]

From: Berkant Koc <me@berkoc.com>

fuse_uring_commit_fetch() locates a request, removes it from the
processing queue, clears req->ring_entry, then calls
fuse_ring_ent_set_commit() under queue->lock. On the error branch
(set_commit returning non-zero because the entry is not in
FRRS_USERSPACE) the function unlocks the queue and ends the request
directly with fuse_request_end(), but it never clears ent->fuse_req.

ent->fuse_req then keeps pointing at the freed fuse_req while the entry
remains on a queue list. Subsequent teardown via
fuse_uring_entry_teardown() reads ent->fuse_req under queue->lock and
hands the dangling pointer to fuse_uring_stop_fuse_req_end(), which
dereferences it and calls fuse_request_end() a second time on freed
memory.

Route the error branch through fuse_uring_req_end() instead. That
helper acquires queue->lock, clears ent->fuse_req under the lock,
removes the request from any list it is still on, drops the lock, sets
req->out.h.error, clears FR_SENT and ends the request. The
ent->fuse_req = NULL store under the lock is what closes the window
for the later teardown reader.

Fixes: c090c8abae4b ("fuse: Add io-uring sqe commit and fetch support")
Cc: stable@vger.kernel.org # 6.14+
Signed-off-by: Berkant Koc <me@berkoc.com>
---
 fs/fuse/dev_uring.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/fs/fuse/dev_uring.c b/fs/fuse/dev_uring.c
index 7b9822e8837b..7523569ffdce 100644
--- a/fs/fuse/dev_uring.c
+++ b/fs/fuse/dev_uring.c
@@ -924,9 +924,7 @@ static int fuse_uring_commit_fetch(struct io_uring_cmd *cmd, int issue_flags,
 		pr_info_ratelimited("qid=%d commit_id %llu state %d",
 				    queue->qid, commit_id, ent->state);
 		spin_unlock(&queue->lock);
-		req->out.h.error = err;
-		clear_bit(FR_SENT, &req->flags);
-		fuse_request_end(req);
+		fuse_uring_req_end(ent, req, err);
 		return err;
 	}

--
2.47.3