io_uring/af_unix: defer registered files gc to io_uring release

mainline inclusion from mainline-v6.1-rc1 commit 0091bfc8 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5WFKI CVE: CVE-2022-2602 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?h=v6.1-rc1&id=0091bfc81741b8d3aeb3b7ab8636f911b2de6e80 -------------------------------- Instead of putting io_uring's registered files in unix_gc() we want it to be done by io_uring itself. The trick here is to consider io_uring registered files for cycle detection but not actually putting them down. Because io_uring can't register other ring instances, this will remove all refs to the ring file triggering the ->release path and clean up with io_ring_ctx_free(). Cc: stable@vger.kernel.org Fixes: 6b06314c ("io_uring: add file set registration") Reported-and-tested-by: N David Bouman <dbouman03@gmail.com> Signed-off-by: N Pavel Begunkov <asml.silence@gmail.com> Signed-off-by: N Thadeu Lima de Souza Cascardo <cascardo@canonical.com> [axboe: add kerneldoc comment to skb, fold in skb leak fix] Signed-off-by: N Jens Axboe <axboe@kernel.dk> Conflicts: fs/io_uring.c include/linux/skbuff.h Signed-off-by: N Zhihao Cheng <chengzhihao1@huawei.com> Reviewed-by: N zhongbaisong <zhongbaisong@huawei.com> Reviewed-by: N Yue Haibing <yuehaibing@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

io_uring/af_unix: defer registered files gc to io_uring release
mainline inclusion from mainline-v6.1-rc1 commit 0091bfc8 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5WFKI CVE: CVE-2022-2602 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?h=v6.1-rc1&id=0091bfc81741b8d3aeb3b7ab8636f911b2de6e80 -------------------------------- Instead of putting io_uring's registered files in unix_gc() we want it to be done by io_uring itself. The trick here is to consider io_uring registered files for cycle detection but not actually putting them down. Because io_uring can't register other ring instances, this will remove all refs to the ring file triggering the ->release path and clean up with io_ring_ctx_free(). Cc: stable@vger.kernel.org Fixes: 6b06314c ("io_uring: add file set registration") Reported-and-tested-by: N David Bouman <dbouman03@gmail.com> Signed-off-by: N Pavel Begunkov <asml.silence@gmail.com> Signed-off-by: N Thadeu Lima de Souza Cascardo <cascardo@canonical.com> [axboe: add kerneldoc comment to skb, fold in skb leak fix] Signed-off-by: N Jens Axboe <axboe@kernel.dk> Conflicts: fs/io_uring.c include/linux/skbuff.h Signed-off-by: N Zhihao Cheng <chengzhihao1@huawei.com> Reviewed-by: N zhongbaisong <zhongbaisong@huawei.com> Reviewed-by: N Yue Haibing <yuehaibing@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
07141800 · Pavel Begunkov · Zheng Zengkai · 38bd9cf5 · 07141800 · 07141800
隐藏空白更改
内联并排

Showing with 23 addition and 0 deletion

fs/io_uring.c fs/io_uring.c +1 -0

include/linux/skbuff.h include/linux/skbuff.h +2 -0

net/unix/garbage.c net/unix/garbage.c +20 -0

未找到文件。
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -7338,6 +7338,7 @@ static int __io_sqe_files_scm(struct io_ring_ctx *ctx, int nr, int offset)
 	}

 	skb->sk = sk;
+	skb->scm_io_uring = 1;

 	nr_files = 0;
 	fpl->user = get_uid(ctx->user);

--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -706,6 +706,7 @@ typedef unsigned char *sk_buff_data_t;
 *	@transport_header: Transport layer header
 *	@network_header: Network layer header
 *	@mac_header: Link layer header
+ *	@scm_io_uring: SKB holds io_uring registered files
 *	@tail: Tail pointer
 *	@end: End pointer
 *	@head: Head of buffer
@@ -866,6 +867,7 @@ struct sk_buff {
 #ifdef CONFIG_TLS_DEVICE
 	__u8			decrypted:1;
 #endif
+	__u8			scm_io_uring:1;

 #ifdef CONFIG_NET_SCHED
 	__u16			tc_index;	/* traffic control index */

--- a/net/unix/garbage.c
+++ b/net/unix/garbage.c
@@ -204,6 +204,7 @@ void wait_for_unix_gc(void)
 /* The external entry point: unix_gc() */
 void unix_gc(void)
 {
+	struct sk_buff *next_skb, *skb;
 	struct unix_sock *u;
 	struct unix_sock *next;
 	struct sk_buff_head hitlist;
@@ -297,11 +298,30 @@ void unix_gc(void)

 	spin_unlock(&unix_gc_lock);

+	/* We need io_uring to clean its registered files, ignore all io_uring
+	 * originated skbs. It's fine as io_uring doesn't keep references to
+	 * other io_uring instances and so killing all other files in the cycle
+	 * will put all io_uring references forcing it to go through normal
+	 * release.path eventually putting registered files.
+	 */
+	skb_queue_walk_safe(&hitlist, skb, next_skb) {
+		if (skb->scm_io_uring) {
+			__skb_unlink(skb, &hitlist);
+			skb_queue_tail(&skb->sk->sk_receive_queue, skb);
+		}
+	}
+
 	/* Here we are. Hitlist is filled. Die. */
 	__skb_queue_purge(&hitlist);

 	spin_lock(&unix_gc_lock);

+	/* There could be io_uring registered files, just push them back to
+	 * the inflight list
+	 */
+	list_for_each_entry_safe(u, next, &gc_candidates, link)
+		list_move_tail(&u->link, &gc_inflight_list);
+
 	/* All candidates should have been detached by now. */
 	BUG_ON(!list_empty(&gc_candidates));