fuse-uring: Avoid use-after-free in fuse_uring_async_stop_queues

fuse_uring_async_stop_queues() might run when the last reference
on ring->queue_refs was already dropped.

In order to avoid an early destruction a reference on struct fuse_conn
is now taken before starting fuse_uring_async_stop_queues() and that
reference is only released when that delayed work queue terminates.

Fixes: 4a9bfb9b6850 ("fuse: {io-uring} Handle teardown of ring entries")
Cc: stable@kernel.org # 6.14
Reported-by: Berkant Koc <me@berkoc.com>
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
Reviewed-by: Joanne Koong <joannelkoong@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

diff --git a/fs/fuse/dev_uring.c b/fs/fuse/dev_uring.c
index 7b20a0f7643d4f7f11a61397a8b2c877e0ffc57f..38b5a05a423ffd2fb927b2e8ab89ce664d530dee 100644 (file)
--- a/fs/fuse/dev_uring.c
+++ b/fs/fuse/dev_uring.c
@@ -470,6 +470,7 @@ static void fuse_uring_async_stop_queues(struct work_struct *work)
                                      FUSE_URING_TEARDOWN_INTERVAL);
        } else {
                wake_up_all(&ring->stop_waitq);
+               fuse_conn_put(ring->chan->conn);
        }
 }
 
@@ -481,6 +482,7 @@ void fuse_uring_stop_queues(struct fuse_ring *ring)
        fuse_uring_teardown_all_queues(ring);
 
        if (atomic_read(&ring->queue_refs) > 0) {
+               fuse_conn_get(ring->chan->conn);
                ring->teardown_time = jiffies;
                INIT_DELAYED_WORK(&ring->async_teardown_work,
                                  fuse_uring_async_stop_queues);