diff options
| author | Al Viro <viro@zeniv.linux.org.uk> | 2022-06-05 14:01:42 -0400 |
|---|---|---|
| committer | Al Viro <viro@zeniv.linux.org.uk> | 2022-06-05 15:03:03 -0400 |
| commit | 40a1926022d128057376d35167128a7c74e3dca4 (patch) | |
| tree | b58c10d4ef49365fece9ccd5e49974ce8e03d747 | |
| parent | 6319194ec57b0452dcda4589d24c4e7db299c5bf (diff) | |
| download | linux-40a1926022d128057376d35167128a7c74e3dca4.tar.gz | |
fix the breakage in close_fd_get_file() calling conventions change
It used to grab an extra reference to struct file rather than
just transferring to caller the one it had removed from descriptor
table. New variant doesn't, and callers need to be adjusted.
Reported-and-tested-by: syzbot+47dd250f527cb7bebf24@syzkaller.appspotmail.com
Fixes: 6319194ec57b ("Unify the primitives for file descriptor closing")
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
| -rw-r--r-- | drivers/android/binder.c | 2 | ||||
| -rw-r--r-- | fs/file.c | 3 | ||||
| -rw-r--r-- | fs/io_uring.c | 5 |
3 files changed, 4 insertions, 6 deletions
diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 27c9b004823aa9..73beea5dc18c94 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -1857,6 +1857,8 @@ static void binder_deferred_fd_close(int fd) init_task_work(&twcb->twork, binder_do_fd_close); twcb->file = close_fd_get_file(fd); if (twcb->file) { + // pin it until binder_do_fd_close(); see comments there + get_file(twcb->file); filp_close(twcb->file, current->files); task_work_add(current, &twcb->twork, TWA_RESUME); } else { diff --git a/fs/file.c b/fs/file.c index dd6692048f4f11..3bcc1ecc314a78 100644 --- a/fs/file.c +++ b/fs/file.c @@ -800,8 +800,7 @@ struct file *__close_fd_get_file(unsigned int fd) /* * variant of close_fd that gets a ref on the file for later fput. - * The caller must ensure that filp_close() called on the file, and then - * an fput(). + * The caller must ensure that filp_close() called on the file. */ struct file *close_fd_get_file(unsigned int fd) { diff --git a/fs/io_uring.c b/fs/io_uring.c index 7257b087035371..33da5116cc38ca 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -5110,7 +5110,7 @@ static int io_close(struct io_kiocb *req, unsigned int issue_flags) struct files_struct *files = current->files; struct io_close *close = &req->close; struct fdtable *fdt; - struct file *file = NULL; + struct file *file; int ret = -EBADF; if (req->close.file_slot) { @@ -5127,7 +5127,6 @@ static int io_close(struct io_kiocb *req, unsigned int issue_flags) file = fdt->fd[close->fd]; if (!file || file->f_op == &io_uring_fops) { spin_unlock(&files->file_lock); - file = NULL; goto err; } @@ -5147,8 +5146,6 @@ static int io_close(struct io_kiocb *req, unsigned int issue_flags) err: if (ret < 0) req_set_fail(req); - if (file) - fput(file); __io_req_complete(req, issue_flags, ret, 0); return 0; } |