!1361 fix CVE-2023-1295

Merge Pull Request from: @LiuYongQiang0816 3 patches from Li Nan Link:https://gitee.com/openeuler/kernel/pulls/1361 Reviewed-by: Zhang Changzhong <zhangchangzhong@huawei.com> Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>

!1361 fix CVE-2023-1295
Merge Pull Request from: @LiuYongQiang0816 3 patches from Li Nan Link:https://gitee.com/openeuler/kernel/pulls/1361 Reviewed-by: Zhang Changzhong <zhangchangzhong@huawei.com> Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
cb31b5b2 · openeuler-ci-bot · Gitee · 1e06b3d0 · b2b243d6 · cb31b5b2
5 changed file
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2290,7 +2290,7 @@ static void binder_deferred_fd_close(int fd)
 	if (!twcb)
 		return;
 	init_task_work(&twcb->twork, binder_do_fd_close);
-	__close_fd_get_file(fd, &twcb->file);
+	close_fd_get_file(fd, &twcb->file);
 	if (twcb->file) {
 		filp_close(twcb->file, current->files);
 		task_work_add(current, &twcb->twork, true);

--- a/fs/file.c
+++ b/fs/file.c
@@ -20,6 +20,8 @@
 #include <linux/rcupdate.h>
 #include <linux/filescontrol.h>
+#include "internal.h"
 unsigned int sysctl_nr_open __read_mostly = 1024*1024;
 unsigned int sysctl_nr_open_min = BITS_PER_LONG;
 /* our min() is unusable in constant expressions ;-/ */
@@ -696,9 +698,8 @@ int __close_fd(struct files_struct *files, unsigned fd)
 EXPORT_SYMBOL(__close_fd); /* for ksys_close() */
 /*
- * variant of __close_fd that gets a ref on the file for later fput.
+ * See close_fd_get_file() below, this variant assumes current->files->file_lock
- * The caller must ensure that filp_close() called on the file, and then
+ * is held.
- * an fput().
 */
 int __close_fd_get_file(unsigned int fd, struct file **res)
 {
@@ -706,26 +707,39 @@ int __close_fd_get_file(unsigned int fd, struct file **res)
 	struct file *file;
 	struct fdtable *fdt;
-	spin_lock(&files->file_lock);
 	fdt = files_fdtable(files);
 	if (fd >= fdt->max_fds)
-		goto out_unlock;
+		goto out_err;
 	file = fdt->fd[fd];
 	if (!file)
-		goto out_unlock;
+		goto out_err;
 	rcu_assign_pointer(fdt->fd[fd], NULL);
 	__put_unused_fd(files, fd);
-	spin_unlock(&files->file_lock);
 	get_file(file);
 	*res = file;
 	return 0;
+out_err:
-out_unlock:
-	spin_unlock(&files->file_lock);
 	*res = NULL;
 	return -ENOENT;
 }
+/*
+ * variant of close_fd that gets a ref on the file for later fput.
+ * The caller must ensure that filp_close() called on the file, and then
+ * an fput().
+ */
+int close_fd_get_file(unsigned int fd, struct file **res)
+{
+	struct files_struct *files = current->files;
+	int ret;
+	spin_lock(&files->file_lock);
+	ret = __close_fd_get_file(fd, res);
+	spin_unlock(&files->file_lock);
+	return ret;
+}
 void do_close_on_exec(struct files_struct *files)
 {
 	unsigned i;

--- a/fs/internal.h
+++ b/fs/internal.h
@@ -120,6 +120,7 @@ extern struct file *do_filp_open(int dfd, struct filename *pathname,
 extern struct file *do_file_open_root(struct dentry *, struct vfsmount *,
 		const char *, const struct open_flags *);
 extern int build_open_flags(int flags, umode_t mode, struct open_flags *op);
+extern int __close_fd_get_file(unsigned int fd, struct file **res);
 long do_sys_ftruncate(unsigned int fd, loff_t length, int small);
 long do_faccessat(int dfd, const char __user *filename, int mode);

--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -369,7 +369,6 @@ struct io_poll_iocb {
 struct io_close {
 	struct file			*file;
-	struct file			*put_file;
 	int				fd;
 };
@@ -829,8 +828,6 @@ static const struct io_op_def io_op_defs[] = {
 		.needs_fs		= 1,
 	},
 	[IORING_OP_CLOSE] = {
-		.needs_file		= 1,
-		.needs_file_no_error	= 1,
 		.file_table		= 1,
 	},
 	[IORING_OP_FILES_UPDATE] = {
@@ -3853,13 +3850,6 @@ static int io_statx(struct io_kiocb *req, bool force_nonblock)
 static int io_close_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
 {
-	/*
-	 * If we queue this for async, it must not be cancellable. That would
-	 * leave the 'file' in an undeterminate state, and here need to modify
-	 * io_wq_work.flags, so initialize io_wq_work firstly.
-	 */
-	io_req_init_async(req);
 	if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
 		return -EINVAL;
 	if (sqe->ioprio || sqe->off || sqe->addr || sqe->len ||
@@ -3869,44 +3859,60 @@ static int io_close_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
 		return -EBADF;
 	req->close.fd = READ_ONCE(sqe->fd);
-	if ((req->file && req->file->f_op == &io_uring_fops) ||
-	    req->close.fd == req->ctx->ring_fd)
-		return -EBADF;
-	req->close.put_file = NULL;
 	return 0;
 }
 static int io_close(struct io_kiocb *req, bool force_nonblock,
 		    struct io_comp_state *cs)
 {
+	struct files_struct *files = current->files;
 	struct io_close *close = &req->close;
+	struct fdtable *fdt;
+	struct file *file;
 	int ret;
-	/* might be already done during nonblock submission */
+	file = NULL;
-	if (!close->put_file) {
+	ret = -EBADF;
-		ret = __close_fd_get_file(close->fd, &close->put_file);
+	spin_lock(&files->file_lock);
-		if (ret < 0)
+	fdt = files_fdtable(files);
-			return (ret == -ENOENT) ? -EBADF : ret;
+	if (close->fd >= fdt->max_fds) {
+		spin_unlock(&files->file_lock);
+		goto err;
+	}
+	file = fdt->fd[close->fd];
+	if (!file) {
+		spin_unlock(&files->file_lock);
+		goto err;
+	}
+	if (file->f_op == &io_uring_fops) {
+		spin_unlock(&files->file_lock);
+		file = NULL;
+		goto err;
 	}
 	/* if the file has a flush method, be safe and punt to async */
-	if (close->put_file->f_op->flush && force_nonblock) {
+	if ((file->f_op->flush && force_nonblock) ||
-		/* not safe to cancel at this point */
+	    req->close.fd == req->ctx->ring_fd) {
-		req->work.flags |= IO_WQ_WORK_NO_CANCEL;
+		spin_unlock(&files->file_lock);
-		/* was never set, but play safe */
-		req->flags &= ~REQ_F_NOWAIT;
-		/* avoid grabbing files - we don't need the files */
-		req->flags |= REQ_F_NO_FILE_TABLE;
 		return -EAGAIN;
 	}
+	ret = __close_fd_get_file(close->fd, &file);
+	spin_unlock(&files->file_lock);
+	if (ret < 0) {
+		if (ret == -ENOENT)
+			ret = -EBADF;
+		goto err;
+	}
 	/* No ->flush() or already async, safely close from here */
-	ret = filp_close(close->put_file, req->work.files ? : current->files);
+	ret = filp_close(file, current->files);
+err:
 	if (ret < 0)
 		req_set_fail_links(req);
-	fput(close->put_file);
+	if (file)
-	close->put_file = NULL;
+		fput(file);
 	__io_req_complete(req, ret, 0, cs);
 	return 0;
 }

--- a/include/linux/fdtable.h
+++ b/include/linux/fdtable.h
@@ -122,7 +122,7 @@ extern void __fd_install(struct files_struct *files,
 		      unsigned int fd, struct file *file);
 extern int __close_fd(struct files_struct *files,
 		      unsigned int fd);
-extern int __close_fd_get_file(unsigned int fd, struct file **res);
+extern int close_fd_get_file(unsigned int fd, struct file **res);
 extern struct kmem_cache *files_cachep;