As soon as the descriptor is installed, we could potentially have
someone close it. Separate the getting of the anon file and fd from
the descriptor installation, so we can use the fd before we finally
install it at the end.
Signed-off-by: Jens Axboe <axboe@xxxxxxxxx>
---
fs/io_uring.c | 38 +++++++++++++++++++++++++-------------
1 file changed, 25 insertions(+), 13 deletions(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index fc824b94c7ca..79bc148c0f51 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -8616,7 +8616,7 @@ static int io_allocate_scq_urings(struct io_ring_ctx *ctx,
* fd to gain access to the SQ/CQ ring details. If UNIX sockets are enabled,
* we have to tie this fd to a socket for file garbage collection purposes.
*/
-static int io_uring_get_fd(struct io_ring_ctx *ctx)
+static int io_uring_get_fd(struct io_ring_ctx *ctx, struct file **fptr)
{
struct file *file;
int ret;
@@ -8643,7 +8643,7 @@ static int io_uring_get_fd(struct io_ring_ctx *ctx)
#if defined(CONFIG_UNIX)
ctx->ring_sock->file = file;
#endif
- fd_install(ret, file);
+ *fptr = file;
return ret;
err:
#if defined(CONFIG_UNIX)
@@ -8658,8 +8658,9 @@ static int io_uring_create(unsigned entries, struct io_uring_params *p,
{
struct user_struct *user = NULL;
struct io_ring_ctx *ctx;
+ struct file *file;
bool limit_mem;
- int ret;
+ int ret, fd = -1;
if (!entries)
return -EINVAL;
@@ -8737,6 +8738,13 @@ static int io_uring_create(unsigned entries, struct io_uring_params *p,
if (ret)
goto err;
+ /* Only gets the ring fd, doesn't install it in the file table */
+ fd = io_uring_get_fd(ctx, &file);
+ if (fd < 0) {
+ ret = fd;
+ goto err;
+ }
+
ret = io_sq_offload_create(ctx, p);
if (ret)
goto err;
@@ -8772,16 +8780,9 @@ static int io_uring_create(unsigned entries, struct io_uring_params *p,
goto err;
}
- /*
- * Install ring fd as the very last thing, so we don't risk someone
- * having closed it before we finish setup
- */
- ret = io_uring_get_fd(ctx);
- if (ret < 0)
- goto err;
-
trace_io_uring_create(ret, ctx, p->sq_entries, p->cq_entries, p->flags);
- return ret;
+ fd_install(fd, file);
+ return fd;
err:
/*
* Our wait-and-kill does do this, but we need it done before we
@@ -8789,7 +8790,18 @@ static int io_uring_create(unsigned entries, struct io_uring_params *p,
* files could be done as soon as we exit here.
*/
io_finish_async(ctx);
- io_ring_ctx_wait_and_kill(ctx);
+
+ /*
+ * Final fput() will call release and free everything, so if we're
+ * failing beyond having gotten a file and fd, just let normal
+ * release off fput() free things.
+ */
+ if (fd >= 0) {
+ fput(file);
+ put_unused_fd(fd);
+ } else {
+ io_ring_ctx_wait_and_kill(ctx);
+ }
return ret;
}
--
2.28.0
