Revert "[Huawei] io_uring:drop identity before creating a private one"

Offering: HULK hulk inclusion category: feature bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6BTWC ------------------------------- This reverts commit ab459213. We need to apply patch 788d0824269bef (io_uring: import 5.15-stable io_uring) to move io_uring to separate directory and solve the problem of CVE-2023-0240. This patch fix a uaf problem of io_identity, and it can be reverted since io_identity is removed in patch 788d0824269bef. Signed-off-by: N Li Lingfeng <lilingfeng3@huawei.com> Reviewed-by: N Zhang Yi <yi.zhang@huawei.com> Reviewed-by: N Wang Weiyang <wangweiyang2@huawei.com> Signed-off-by: N Jialin Zhang <zhangjialin11@huawei.com>

Revert "[Huawei] io_uring:drop identity before creating a private one"
Offering: HULK hulk inclusion category: feature bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6BTWC ------------------------------- This reverts commit ab459213. We need to apply patch 788d0824269bef (io_uring: import 5.15-stable io_uring) to move io_uring to separate directory and solve the problem of CVE-2023-0240. This patch fix a uaf problem of io_identity, and it can be reverted since io_identity is removed in patch 788d0824269bef. Signed-off-by: N Li Lingfeng <lilingfeng3@huawei.com> Reviewed-by: N Zhang Yi <yi.zhang@huawei.com> Reviewed-by: N Wang Weiyang <wangweiyang2@huawei.com> Signed-off-by: N Jialin Zhang <zhangjialin11@huawei.com>
b04cfe93 · Li Lingfeng · Jialin Zhang · 0d3cf6e0 · b04cfe93
隐藏空白更改
内联并排

Showing with 0 addition and 42 deletion

fs/io_uring.c fs/io_uring.c +0 -42

未找到文件。
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -1364,47 +1364,6 @@ static bool io_identity_cow(struct io_kiocb *req)
 	return true;
 }
-static void io_drop_identity(struct io_kiocb *req)
-{
-	struct io_identity *id = req->work.identity;
-	if (req->work.flags & IO_WQ_WORK_MM) {
-		mmdrop(id->mm);
-		req->work.flags &= ~IO_WQ_WORK_MM;
-	}
-#ifdef CONFIG_BLK_CGROUP
-	if (req->work.flags & IO_WQ_WORK_BLKCG) {
-		css_put(id->blkcg_css);
-		req->work.flags &= ~IO_WQ_WORK_BLKCG;
-	}
-#endif
-	if (req->work.flags & IO_WQ_WORK_CREDS) {
-		put_cred(id->creds);
-		req->work.flags &= ~IO_WQ_WORK_CREDS;
-	}
-	if (req->work.flags & IO_WQ_WORK_FILES) {
-		put_files_struct(req->work.identity->files);
-		put_nsproxy(req->work.identity->nsproxy);
-		req->work.flags &= ~IO_WQ_WORK_FILES;
-	}
-	if (req->work.flags & IO_WQ_WORK_CANCEL)
-		req->work.flags &= ~IO_WQ_WORK_CANCEL;
-	if (req->work.flags & IO_WQ_WORK_FS) {
-		struct fs_struct *fs = id->fs;
-		spin_lock(&id->fs->lock);
-		if (--fs->users)
-			fs = NULL;
-		spin_unlock(&id->fs->lock);
-		if (fs)
-			free_fs_struct(fs);
-		req->work.flags &= ~IO_WQ_WORK_FS;
-	}
-	if (req->work.flags & IO_WQ_WORK_FSIZE)
-		req->work.flags &= ~IO_WQ_WORK_FSIZE;
-}
 static bool io_grab_identity(struct io_kiocb *req)
 {
 	const struct io_op_def *def = &io_op_defs[req->opcode];
@@ -1510,7 +1469,6 @@ static void io_prep_async_work(struct io_kiocb *req)
 	if (io_grab_identity(req))
 		return;
-	io_drop_identity(req);
 	if (!io_identity_cow(req))
 		return;