From: Pavel Begunkov Date: Mon, 13 Jun 2022 05:32:44 +0000 (+0100) Subject: io_uring: fix races with file table unregister X-Git-Tag: v6.1-rc5~847^2~26^2~5 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=b0380bf6dad4601d92025841e2b7a135d566c6e3;p=platform%2Fkernel%2Flinux-starfive.git io_uring: fix races with file table unregister Fixed file table quiesce might unlock ->uring_lock, potentially letting new requests to be submitted, don't allow those requests to use the table as they will race with unregistration. Reported-and-tested-by: van fantasy Fixes: 05f3fb3c53975 ("io_uring: avoid ring quiesce for fixed file set unregister and update") Signed-off-by: Pavel Begunkov --- diff --git a/fs/io_uring.c b/fs/io_uring.c index ed3416a..00d2667 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -9768,11 +9768,19 @@ static void __io_sqe_files_unregister(struct io_ring_ctx *ctx) static int io_sqe_files_unregister(struct io_ring_ctx *ctx) { + unsigned nr = ctx->nr_user_files; int ret; if (!ctx->file_data) return -ENXIO; + + /* + * Quiesce may unlock ->uring_lock, and while it's not held + * prevent new requests using the table. + */ + ctx->nr_user_files = 0; ret = io_rsrc_ref_quiesce(ctx->file_data, ctx); + ctx->nr_user_files = nr; if (!ret) __io_sqe_files_unregister(ctx); return ret;
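Review bot: the restore `ctx->nr_user_files = nr;` right after io_rsrc_ref_quiesce() in io_sqe_files_unregister() writes back a value that was saved before ->uring_lock could be dropped, so it assumes nothing else changed nr_user_files during that window. The new comment only explains the zeroing. It should also say why the saved count is still valid when the lock is held again, and that the count is restored on both the success and error paths: __io_sqe_files_unregister() runs after the restore, and on failure the table stays registered. The fix also depends on every fixed-file lookup bounds-checking against nr_user_files while holding ->uring_lock. If any path reads it without the lock, these plain stores would not be enough, so it is worth confirming that and noting it in the comment or the commit message.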