io_uring: io_close: Set owner as current->files if req->work.files uninitialized

hulk inclusion
category: bugfix
bugzilla: 186543, https://gitee.com/openeuler/kernel/issues/I5BGFA
CVE: NA

--------------------------------

Following process will trigger an use-after-free problem:

1. open /proc/sysvipc/msg and lock it by file lock
   fcntl_setlk
     do_lock_file_wait
       vfs_lock_file
         posix_lock_file
           locks_insert_lock_ctx
             locks_insert_global_locks  // Added to lock list
2. Close /proc/sysvipc/msg by io_uring
   filp_close(close->put_file, req->work.files)  // req->work.files equals
		NULL，io_grab_files() initialize it, non-async operations
		won't invokes the function.
     locks_remove_posix(filp, NULL)
       lock.fl_owner = NULL
       vfs_lock_file
         posix_lock_file
           posix_same_owner  // Return false according to fl_owner.
		locks_delete_lock_ctx(fl, &dispose) and locks_dispose_list
		won't be executed, flock is not removed from lock list
      fput(filp)  // release filp
3. Read /proc/locks
  seq_read
    locks_start  // Get flock from lock list
    locks_show
      lock_get_status
        file_inode(f->file)  // Access released file, UAF occurs!

Fix it by passing current->files when req->work.files is uninitialized,
because io-sq thread shares same files with uring_fd task, so it still
works in SQPOLL mode.
Signed-off-by: NZhihao Cheng <chengzhihao1@huawei.com>
Reviewed-by: NZhang Yi <yi.zhang@huawei.com>
Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com>

fs/io_uring.c

@@ -3903,7 +3903,7 @@ static int io_close(struct io_kiocb *req, bool force_nonblock,
 	}
 
 	/* No ->flush() or already async, safely close from here */
-	ret = filp_close(close->put_file, req->work.files);
+	ret = filp_close(close->put_file, req->work.files ? : current->files);
 	if (ret < 0)
 		req_set_fail_links(req);
 	fput(close->put_file);