* Re: [PATCH 0/2] fuse: io-uring: fix two UAFs in dev_uring.c teardown
From: Berkant Koc @ 2026-05-17 13:14 UTC
To: Greg KH, Miklos Szeredi, Bernd Schubert
Cc: linux-fsdevel, linux-kernel, security, Joanne Koong

Quick correction on the Cc list of this series:

linux-fuse@vger.kernel.org does not exist as a vger list and the
three patch mails bounced from it (550 5.1.1 User unknown).

Per MAINTAINERS, the FUSE list is linux-fsdevel@vger.kernel.org;
adding it now so the series shows up in the lore.kernel.org archive
for the FUSE-fsdevel readership. The original patches and KASAN
context are in this thread via In-Reply-To.

No content change to the patches; this is purely a list-routing fix.

Apologies for the noise.

Berkant
* Re: [PATCH 0/2] fuse: io-uring: fix two UAFs in dev_uring.c teardown
From: Bernd Schubert @ 2026-05-17 13:43 UTC
To: Berkant Koc, Greg KH, Miklos Szeredi, Bernd Schubert
Cc: linux-fsdevel, linux-kernel, security, Joanne Koong

On 5/17/26 15:14, Berkant Koc wrote:
> Quick correction on the Cc list of this series:
>
> linux-fuse@vger.kernel.org does not exist as a vger list and the
> three patch mails bounced from it (550 5.1.1 User unknown).

The right list is fuse-devel@lists.linux.dev. The MAINTAINERS file is
in the process of being updated.

> Per MAINTAINERS, the FUSE list is linux-fsdevel@vger.kernel.org;
> adding it now so the series shows up in the lore.kernel.org archive
> for the FUSE-fsdevel readership. The original patches and KASAN
> context are in this thread via In-Reply-To.
>
> No content change to the patches; this is purely a list-routing fix.
>
> Apologies for the noise.
>
> Berkant

Thanks,
Bernd
* Re: [PATCH 0/2] fuse: io-uring: fix two UAFs in dev_uring.c teardown
From: Berkant Koc @ 2026-05-17 14:02 UTC
To: Bernd Schubert
Cc: Miklos Szeredi, Greg KH, security, Joanne Koong, linux-fsdevel, linux-kernel, fuse-devel

Thanks Bernd, adding fuse-devel@lists.linux.dev to Cc now so this
subthread lands in the right archive. Will use that as the FUSE
mailing list going forward.

Berkant
* Re: [PATCH 1/2] fuse: io-uring: clear ent->fuse_req in commit_fetch error path
From: Berkant Koc @ 2026-05-17 14:24 UTC
To: Bernd Schubert
Cc: Miklos Szeredi, Greg KH, security, Joanne Koong, fuse-devel, linux-fsdevel, linux-kernel

On 2026-05-17 16:11, Bernd Schubert wrote:
> We already had a security report for that on Friday [...] I had
> already replied to Zhenghang on Friday, I don't think it is enough.
> [...] valid all over the copy operation (fuse_uring_prepare_send())

Thanks for the context. P1 is a duplicate of Zhenghang's Friday report,
please consider it withdrawn.

You are right that clearing ent->fuse_req only in the commit_fetch error
path is not sufficient. The same window is reachable across the whole
copy path in fuse_uring_prepare_send(), so a single-point clear leaves
the race open on the other exits. I will not push a v2 for this one and
leave the scope call to you.

P2 ([PATCH 2/2] serialize ring teardown and per-ent setup against
ent->state writers) is a separate path: ent->state being written without
the queue lock while teardown frees the ring. If that overlaps with what
you are looking at today, I will hold off on P2 as well. If it is out of
scope for your work, a short note is enough and I will keep tracking it
independently.

KASAN config and the repro harness (qemu + libfuse uring example with
abort-on-mount) are set up here, happy to test your fix once it is on
the list.

Thanks,
Berkant