From: Hao Xu <howeyxu@xxxxxxxxxxx> Fixed file for io_uring getdents can trigger a race problem. Users can register a file to be a fixed file in io_uring and then remove the other references so that there is only the fixed file reference to that file. And then they can issue concurrent async getdents requests or both async and sync getdents requests without holding the f_pos_lock since there is an f_count == 1 optimization. Signed-off-by: Hao Xu <howeyxu@xxxxxxxxxxx> --- io_uring/fs.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/io_uring/fs.c b/io_uring/fs.c index 480f25677fed..dc74676b1499 100644 --- a/io_uring/fs.c +++ b/io_uring/fs.c @@ -303,6 +303,8 @@ int io_getdents_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe) { struct io_getdents *gd = io_kiocb_to_cmd(req, struct io_getdents); + if (unlikely(req->flags & REQ_F_FIXED_FILE)) + return -EBADF; if (READ_ONCE(sqe->off) != 0) return -EINVAL; -- 2.25.1
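Review bot: rejecting every fixed-file getdents request with -EBADF in io_getdents_prep() is a broader restriction than the race in the message requires, and the message does not say why it was chosen over the narrower fix. The described problem is that the f_count == 1 fast path skips f_pos_lock when the fixed-file slot holds the only reference; taking f_pos_lock unconditionally in the issue path for requests with REQ_F_FIXED_FILE set would close the race while keeping fixed files usable with getdents. If the outright rejection is intentional, say so in the commit message, and add a Fixes: tag for the commit that introduced io_getdents_prep() so the change can be backported with it. Two smaller points: -EBADF here reports a file that is valid but unsupported by this opcode, whereas the neighbouring check `if (READ_ONCE(sqe->off) != 0) return -EINVAL;` uses -EINVAL for an unsupported request parameter, so the errno choice should be consistent or justified; and the new "fixed files are not accepted" rule is a userspace-visible restriction that belongs in the IORING_OP_GETDENTS documentation alongside the existing offset restriction.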