io_uring: fix double io_uring free

Once we created a file for current context during setup, we should not call io_ring_ctx_wait_and_kill() directly as it'll be done by fput(file) Cc: stable@vger.kernel.org # 5.10 Reported-by: syzbot+c9937dfb2303a5f18640@syzkaller.appspotmail.com Signed-off-by: Pavel Begunkov <asml.silence@gmail.com> [axboe: fix unused 'ret' for !CONFIG_UNIX] Signed-off-by: Jens Axboe <axboe@kernel.dk>
2025-06-26 16:41:25 +00:00 · 2020-12-21 18:34:05 +00:00 · 2020-12-21 18:34:05 +00:00 · 9faadcc8ab
commit 9faadcc8ab
parent a528b04ea4
1 changed files with 40 additions and 33 deletions
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@ -9379,55 +9379,52 @@ static int io_allocate_scq_urings(struct io_ring_ctx *ctx,
 	return 0;
 }
 static int io_uring_install_fd(struct io_ring_ctx *ctx, struct file *file)
 {
 	int ret, fd;
 	fd = get_unused_fd_flags(O_RDWR | O_CLOEXEC);
 	if (fd < 0)
 		return fd;
 	ret = io_uring_add_task_file(ctx, file);
 	if (ret) {
 		put_unused_fd(fd);
 		return ret;
 	}
 	fd_install(fd, file);
 	return fd;
 }
 /*
 * Allocate an anonymous fd, this is what constitutes the application
 * visible backing of an io_uring instance. The application mmaps this
 * fd to gain access to the SQ/CQ ring details. If UNIX sockets are enabled,
 * we have to tie this fd to a socket for file garbage collection purposes.
 */
-static int io_uring_get_fd(struct io_ring_ctx *ctx)
+static struct file *io_uring_get_file(struct io_ring_ctx *ctx)
 {
 	struct file *file;
 	int ret;
 	int fd;
 #if defined(CONFIG_UNIX)
 	int ret;
 	ret = sock_create_kern(&init_net, PF_UNIX, SOCK_RAW, IPPROTO_IP,
 				&ctx->ring_sock);
 	if (ret)
-		return ret;
+		return ERR_PTR(ret);
 #endif
 	ret = get_unused_fd_flags(O_RDWR | O_CLOEXEC);
 	if (ret < 0)
 		goto err;
 	fd = ret;
 	file = anon_inode_getfile("[io_uring]", &io_uring_fops, ctx,
 					O_RDWR | O_CLOEXEC);
 #if defined(CONFIG_UNIX)
 	if (IS_ERR(file)) {
 		put_unused_fd(fd);
 		ret = PTR_ERR(file);
 		goto err;
 	}
 #if defined(CONFIG_UNIX)
 	ctx->ring_sock->file = file;
 #endif
 	ret = io_uring_add_task_file(ctx, file);
 	if (ret) {
 		fput(file);
 		put_unused_fd(fd);
 		goto err;
 	}
 	fd_install(fd, file);
 	return fd;
 err:
 #if defined(CONFIG_UNIX)
 		sock_release(ctx->ring_sock);
 		ctx->ring_sock = NULL;
 	} else {
 		ctx->ring_sock->file = file;
 	}
 #endif
-	return ret;
+	return file;
 }
 static int io_uring_create(unsigned entries, struct io_uring_params *p,
@ -9435,6 +9432,7 @@ static int io_uring_create(unsigned entries, struct io_uring_params *p,
 {
 	struct user_struct *user = NULL;
 	struct io_ring_ctx *ctx;
 	struct file *file;
 	bool limit_mem;
 	int ret;
@ -9582,13 +9580,22 @@ static int io_uring_create(unsigned entries, struct io_uring_params *p,
 		goto err;
 	}
 	file = io_uring_get_file(ctx);
 	if (IS_ERR(file)) {
 		ret = PTR_ERR(file);
 		goto err;
 	}
 	/*
 	 * Install ring fd as the very last thing, so we don't risk someone
 	 * having closed it before we finish setup
 	 */
-	ret = io_uring_get_fd(ctx);
+	ret = io_uring_install_fd(ctx, file);
-	if (ret < 0)
+	if (ret < 0) {
-		goto err;
+		/* fput will clean it up */
 		fput(file);
 		return ret;
 	}
 	trace_io_uring_create(ret, ctx, p->sq_entries, p->cq_entries, p->flags);
 	return ret;