[PATCH 2/2] fuse: wait for aborted connection before releasing last fuse_dev

The Linux Kernel Mailing List
 help / color / mirror / Atom feed

From: Berkant Koc <me@berkoc.com>
To: Greg KH <gregkh@linuxfoundation.org>,
	Miklos Szeredi <miklos@szeredi.hu>,
	Bernd Schubert <bschubert@ddn.com>
Cc: security@kernel.org, Joanne Koong <joannelkoong@gmail.com>,
	linux-fuse@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 2/2] fuse: wait for aborted connection before releasing last fuse_dev
Date: Sun, 17 May 2026 14:59:47 +0200	[thread overview]
Message-ID: <20260517-fuse-uaf-patch2@berkoc.com> (raw)
In-Reply-To: <20260517-fuse-uaf-cover@berkoc.com>

From: Berkant Koc <me@berkoc.com>

fuse_dev_release() on the last fuse_dev of a connection calls
fuse_abort_conn(fc) and then immediately fuse_conn_put(fc). For io-uring
backed connections fuse_abort_conn() reaches fuse_uring_abort(), which
runs fuse_uring_teardown_all_queues() synchronously once and then
schedules ring->async_teardown_work to run after
FUSE_URING_TEARDOWN_INTERVAL (HZ/20). If the synchronous pass left
queue_refs > 0 the work owns further accesses to ring->queues[*]->
ent_avail_queue and ent_in_userspace entries.

Meanwhile fuse_conn_put() can drop the last reference and arm
delayed_release() via call_rcu(). After the RCU grace period
delayed_release() calls fuse_uring_destruct(), which kfree()s the ring
entries on each queue->ent_released list. The previously scheduled
async_teardown_work then runs and walks per-queue lists that contain
freed entries, producing a slab-use-after-free reported by KASAN at
fuse_uring_teardown_all_queues+0xee reading ent->list.next from a
freed kmalloc-192 region.

fuse_wait_aborted() already exists for this purpose: it waits on
fc->blocked_waitq for num_waiting to drain and then calls
fuse_uring_wait_stopped_queues(), which waits for ring->queue_refs to
reach zero. Call it between fuse_abort_conn() and fuse_conn_put() on
the last-device path so the io-uring teardown work has fully drained
before the connection can be torn down.

Fixes: c090c8abae4b ("fuse: Add io-uring sqe commit and fetch support")
Cc: stable@vger.kernel.org # 6.14+
Tested-by: Berkant Koc <me@berkoc.com>
Signed-off-by: Berkant Koc <me@berkoc.com>
---
 fs/fuse/dev.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index 5dda7080f4a9..7d9c06654a98 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -2566,6 +2566,7 @@ int fuse_dev_release(struct inode *inode, struct file *file)
 		if (last) {
 			WARN_ON(fc->iq.fasync != NULL);
 			fuse_abort_conn(fc);
+			fuse_wait_aborted(fc);
 		}
 		fuse_conn_put(fc);
 	}
--
2.47.3

next prev parent reply	other threads:[~2026-05-17 13:00 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20260517095846.fuse-iouring-uaf.dc5f5dbb71dc@berkoc.com>
     [not found] ` <2026051703-equinox-multitude-91e2@gregkh>
2026-05-17 12:59   ` [PATCH 0/2] fuse: io-uring: fix two UAFs in dev_uring.c teardown Berkant Koc
2026-05-17 12:59     ` [PATCH 1/2] fuse: io-uring: clear ent->fuse_req in commit_fetch error path Berkant Koc
2026-05-17 14:11       ` Bernd Schubert
2026-05-17 14:24         ` Berkant Koc
2026-05-17 12:59     ` Berkant Koc [this message]
2026-05-17 15:00       ` [PATCH 2/2] fuse: wait for aborted connection before releasing last fuse_dev Bernd Schubert
2026-05-18  1:13         ` Berkant Koc
2026-05-18  9:55           ` Bernd Schubert
2026-05-18 11:47             ` Bernd Schubert
2026-05-18 14:32               ` Berkant Koc
2026-05-18 14:46                 ` Bernd Schubert
2026-05-18 15:35                   ` Joanne Koong
2026-05-18 17:49                     ` Berkant Koc
2026-05-18 15:47                   ` Berkant Koc
2026-05-18  9:06         ` Pavel Begunkov
2026-05-18  9:50           ` Bernd Schubert
2026-05-18 10:32             ` Pavel Begunkov
2026-05-17 13:14     ` [PATCH 0/2] fuse: io-uring: fix two UAFs in dev_uring.c teardown Berkant Koc
2026-05-17 13:43       ` Bernd Schubert
2026-05-17 14:02         ` Berkant Koc

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:5dda7080f4a dfblob:7d9c06654a9 )
 OR (
bs:"[PATCH 2/2] fuse: wait for aborted connection before releasing last fuse_dev" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260517-fuse-uaf-patch2@berkoc.com \
    --to=me@berkoc.com \
    --cc=bschubert@ddn.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=joannelkoong@gmail.com \
    --cc=linux-fuse@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=miklos@szeredi.hu \
    --cc=security@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox