io_uring: get rid of intermediate IORING_OP_CLOSE stage

mainline inclusion from mainline-v5.12-rc1 commit 9eac1904 category: bugfix bugzilla: 188963, https://gitee.com/src-openeuler/kernel/issues/I7GUAN CVE: CVE-2023-1295 -------------------------------- We currently split the close into two, in case we have a ->flush op that we can't safely handle from non-blocking context. This requires us to flag the op as uncancelable if we do need to punt it async, and that means special handling for just this op type. Use __close_fd_get_file() and grab the files lock so we can get the file and check if we need to go async in one atomic operation. That gets rid of the need for splitting this into two steps, and hence the need for IO_WQ_WORK_NO_CANCEL. Signed-off-by: N Jens Axboe <axboe@kernel.dk> Conflict: fs/io_uring.c Signed-off-by: N Li Nan <linan122@huawei.com> Reviewed-by: N Yang Erkun <yangerkun@huawei.com> Reviewed-by: N Wang Weiyang <wangweiyang2@huawei.com> Signed-off-by: N Yongqiang Liu <liuyongqiang13@huawei.com>

io_uring: get rid of intermediate IORING_OP_CLOSE stage
mainline inclusion from mainline-v5.12-rc1 commit 9eac1904 category: bugfix bugzilla: 188963, https://gitee.com/src-openeuler/kernel/issues/I7GUAN CVE: CVE-2023-1295 -------------------------------- We currently split the close into two, in case we have a ->flush op that we can't safely handle from non-blocking context. This requires us to flag the op as uncancelable if we do need to punt it async, and that means special handling for just this op type. Use __close_fd_get_file() and grab the files lock so we can get the file and check if we need to go async in one atomic operation. That gets rid of the need for splitting this into two steps, and hence the need for IO_WQ_WORK_NO_CANCEL. Signed-off-by: N Jens Axboe <axboe@kernel.dk> Conflict: fs/io_uring.c Signed-off-by: N Li Nan <linan122@huawei.com> Reviewed-by: N Yang Erkun <yangerkun@huawei.com> Reviewed-by: N Wang Weiyang <wangweiyang2@huawei.com> Signed-off-by: N Yongqiang Liu <liuyongqiang13@huawei.com>
b2b243d6 · Jens Axboe · Yongqiang Liu · 0a50e5be · b2b243d6
隐藏空白更改
内联并排

Showing with 36 addition and 30 deletion

fs/io_uring.c fs/io_uring.c +36 -30

未找到文件。
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -369,7 +369,6 @@ struct io_poll_iocb {
 struct io_close {
 	struct file			*file;
-	struct file			*put_file;
 	int				fd;
 };
@@ -829,8 +828,6 @@ static const struct io_op_def io_op_defs[] = {
 		.needs_fs		= 1,
 	},
 	[IORING_OP_CLOSE] = {
-		.needs_file		= 1,
-		.needs_file_no_error	= 1,
 		.file_table		= 1,
 	},
 	[IORING_OP_FILES_UPDATE] = {
@@ -3853,13 +3850,6 @@ static int io_statx(struct io_kiocb *req, bool force_nonblock)
 static int io_close_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
 {
-	/*
-	 * If we queue this for async, it must not be cancellable. That would
-	 * leave the 'file' in an undeterminate state, and here need to modify
-	 * io_wq_work.flags, so initialize io_wq_work firstly.
-	 */
-	io_req_init_async(req);
 	if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
 		return -EINVAL;
 	if (sqe->ioprio || sqe->off || sqe->addr || sqe->len ||
@@ -3869,44 +3859,60 @@ static int io_close_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
 		return -EBADF;
 	req->close.fd = READ_ONCE(sqe->fd);
-	if ((req->file && req->file->f_op == &io_uring_fops) ||
-	    req->close.fd == req->ctx->ring_fd)
-		return -EBADF;
-	req->close.put_file = NULL;
 	return 0;
 }
 static int io_close(struct io_kiocb *req, bool force_nonblock,
 		    struct io_comp_state *cs)
 {
+	struct files_struct *files = current->files;
 	struct io_close *close = &req->close;
+	struct fdtable *fdt;
+	struct file *file;
 	int ret;
-	/* might be already done during nonblock submission */
+	file = NULL;
-	if (!close->put_file) {
+	ret = -EBADF;
-		ret = close_fd_get_file(close->fd, &close->put_file);
+	spin_lock(&files->file_lock);
-		if (ret < 0)
+	fdt = files_fdtable(files);
-			return (ret == -ENOENT) ? -EBADF : ret;
+	if (close->fd >= fdt->max_fds) {
+		spin_unlock(&files->file_lock);
+		goto err;
+	}
+	file = fdt->fd[close->fd];
+	if (!file) {
+		spin_unlock(&files->file_lock);
+		goto err;
+	}
+	if (file->f_op == &io_uring_fops) {
+		spin_unlock(&files->file_lock);
+		file = NULL;
+		goto err;
 	}
 	/* if the file has a flush method, be safe and punt to async */
-	if (close->put_file->f_op->flush && force_nonblock) {
+	if ((file->f_op->flush && force_nonblock) ||
-		/* not safe to cancel at this point */
+	    req->close.fd == req->ctx->ring_fd) {
-		req->work.flags |= IO_WQ_WORK_NO_CANCEL;
+		spin_unlock(&files->file_lock);
-		/* was never set, but play safe */
-		req->flags &= ~REQ_F_NOWAIT;
-		/* avoid grabbing files - we don't need the files */
-		req->flags |= REQ_F_NO_FILE_TABLE;
 		return -EAGAIN;
 	}
+	ret = __close_fd_get_file(close->fd, &file);
+	spin_unlock(&files->file_lock);
+	if (ret < 0) {
+		if (ret == -ENOENT)
+			ret = -EBADF;
+		goto err;
+	}
 	/* No ->flush() or already async, safely close from here */
-	ret = filp_close(close->put_file, req->work.files ? : current->files);
+	ret = filp_close(file, current->files);
+err:
 	if (ret < 0)
 		req_set_fail_links(req);
-	fput(close->put_file);
+	if (file)
-	close->put_file = NULL;
+		fput(file);
 	__io_req_complete(req, ret, 0, cs);
 	return 0;
 }