Skip to content

Commit

Permalink
io_uring: fix double io_uring free
Browse files Browse the repository at this point in the history
Once we created a file for current context during setup, we should not
call io_ring_ctx_wait_and_kill() directly as it'll be done by fput(file)

Cc: [email protected] # 5.10
Reported-by: [email protected]
Signed-off-by: Pavel Begunkov <[email protected]>
[axboe: fix unused 'ret' for !CONFIG_UNIX]
Signed-off-by: Jens Axboe <[email protected]>
  • Loading branch information
isilence authored and axboe committed Dec 23, 2020
1 parent a528b04 commit 9faadcc
Showing 1 changed file with 39 additions and 32 deletions.
71 changes: 39 additions & 32 deletions fs/io_uring.c
Original file line number Diff line number Diff line change
Expand Up @@ -9379,62 +9379,60 @@ static int io_allocate_scq_urings(struct io_ring_ctx *ctx,
return 0;
}

static int io_uring_install_fd(struct io_ring_ctx *ctx, struct file *file)
{
int ret, fd;

fd = get_unused_fd_flags(O_RDWR | O_CLOEXEC);
if (fd < 0)
return fd;

ret = io_uring_add_task_file(ctx, file);
if (ret) {
put_unused_fd(fd);
return ret;
}
fd_install(fd, file);
return fd;
}

/*
* Allocate an anonymous fd, this is what constitutes the application
* visible backing of an io_uring instance. The application mmaps this
* fd to gain access to the SQ/CQ ring details. If UNIX sockets are enabled,
* we have to tie this fd to a socket for file garbage collection purposes.
*/
static int io_uring_get_fd(struct io_ring_ctx *ctx)
static struct file *io_uring_get_file(struct io_ring_ctx *ctx)
{
struct file *file;
#if defined(CONFIG_UNIX)
int ret;
int fd;

#if defined(CONFIG_UNIX)
ret = sock_create_kern(&init_net, PF_UNIX, SOCK_RAW, IPPROTO_IP,
&ctx->ring_sock);
if (ret)
return ret;
return ERR_PTR(ret);
#endif

ret = get_unused_fd_flags(O_RDWR | O_CLOEXEC);
if (ret < 0)
goto err;
fd = ret;

file = anon_inode_getfile("[io_uring]", &io_uring_fops, ctx,
O_RDWR | O_CLOEXEC);
if (IS_ERR(file)) {
put_unused_fd(fd);
ret = PTR_ERR(file);
goto err;
}

#if defined(CONFIG_UNIX)
ctx->ring_sock->file = file;
#endif
ret = io_uring_add_task_file(ctx, file);
if (ret) {
fput(file);
put_unused_fd(fd);
goto err;
if (IS_ERR(file)) {
sock_release(ctx->ring_sock);
ctx->ring_sock = NULL;
} else {
ctx->ring_sock->file = file;
}
fd_install(fd, file);
return fd;
err:
#if defined(CONFIG_UNIX)
sock_release(ctx->ring_sock);
ctx->ring_sock = NULL;
#endif
return ret;
return file;
}

static int io_uring_create(unsigned entries, struct io_uring_params *p,
struct io_uring_params __user *params)
{
struct user_struct *user = NULL;
struct io_ring_ctx *ctx;
struct file *file;
bool limit_mem;
int ret;

Expand Down Expand Up @@ -9582,13 +9580,22 @@ static int io_uring_create(unsigned entries, struct io_uring_params *p,
goto err;
}

file = io_uring_get_file(ctx);
if (IS_ERR(file)) {
ret = PTR_ERR(file);
goto err;
}

/*
* Install ring fd as the very last thing, so we don't risk someone
* having closed it before we finish setup
*/
ret = io_uring_get_fd(ctx);
if (ret < 0)
goto err;
ret = io_uring_install_fd(ctx, file);
if (ret < 0) {
/* fput will clean it up */
fput(file);
return ret;
}

trace_io_uring_create(ret, ctx, p->sq_entries, p->cq_entries, p->flags);
return ret;
Expand Down

0 comments on commit 9faadcc

Please sign in to comment.