io_uring/waitid: always prune wait queue entry in io_waitid_wait()

JIRA: https://issues.redhat.com/browse/RHEL-124973
CVE: CVE-2025-40047

commit 2f8229d
Author: Jens Axboe <axboe@kernel.dk>
Date:   Tue Oct 7 07:46:00 2025 -0600

    io_uring/waitid: always prune wait queue entry in io_waitid_wait()

    For a successful return, always remove our entry from the wait queue
    entry list. Previously this was skipped if a cancelation was in
    progress, but this can race with another invocation of the wait queue
    entry callback.

    Cc: stable@vger.kernel.org
    Fixes: f31ecf6 ("io_uring: add IORING_OP_WAITID support")
    Reported-by: syzbot+b9e83021d9c642a33d8c@syzkaller.appspotmail.com
    Tested-by: syzbot+b9e83021d9c642a33d8c@syzkaller.appspotmail.com
    Link: https://lore.kernel.org/io-uring/68e5195e.050a0220.256323.001f.GAE@google.com/
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>

Author: CKI Backport Bot

io_uring/waitid.c

@@ -272,13 +272,14 @@ static int io_waitid_wait(struct wait_queue_entry *wait, unsigned mode,
 	if (!pid_child_should_wake(wo, p))
 		return 0;
 
+	list_del_init(&wait->entry);
+
 	/* cancel is in progress */
 	if (atomic_fetch_inc(&iw->refs) & IO_WAITID_REF_MASK)
 		return 1;
 
 	req->io_task_work.func = io_waitid_cb;
 	io_req_task_work_add(req);
-	list_del_init(&wait->entry);
 	return 1;
 }