io_uring/waitid: always prune wait queue entry in io_waitid_wait()

jira KERNEL-318
cve CVE-2025-40047
Rebuild_History Non-Buildable kernel-6.12.0-124.20.1.el10_1
commit-author Jens Axboe <axboe@kernel.dk>
commit 2f8229d

For a successful return, always remove our entry from the wait queue
entry list. Previously this was skipped if a cancelation was in
progress, but this can race with another invocation of the wait queue
entry callback.

	Cc: stable@vger.kernel.org
Fixes: f31ecf6 ("io_uring: add IORING_OP_WAITID support")
	Reported-by: syzbot+b9e83021d9c642a33d8c@syzkaller.appspotmail.com
	Tested-by: syzbot+b9e83021d9c642a33d8c@syzkaller.appspotmail.com
Link: https://lore.kernel.org/io-uring/68e5195e.050a0220.256323.001f.GAE@google.com/
	Signed-off-by: Jens Axboe <axboe@kernel.dk>
(cherry picked from commit 2f8229d)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

Author: PlaidCat

io_uring/waitid.c

@@ -272,13 +272,14 @@ static int io_waitid_wait(struct wait_queue_entry *wait, unsigned mode,
 	if (!pid_child_should_wake(wo, p))
 		return 0;
 
+	list_del_init(&wait->entry);
+
 	/* cancel is in progress */
 	if (atomic_fetch_inc(&iw->refs) & IO_WAITID_REF_MASK)
 		return 1;
 
 	req->io_task_work.func = io_waitid_cb;
 	io_req_task_work_add(req);
-	list_del_init(&wait->entry);
 	return 1;
 }