!1361 fix CVE-2023-1295

	if (!twcb)

		return;

	init_task_work(&twcb->twork, binder_do_fd_close);

	__close_fd_get_file(fd, &twcb->file);

	close_fd_get_file(fd, &twcb->file);

	if (twcb->file) {

		filp_close(twcb->file, current->files);

		task_work_add(current, &twcb->twork, true);

#include <linux/rcupdate.h>

#include <linux/filescontrol.h>

#include "internal.h"

unsigned int sysctl_nr_open __read_mostly = 1024*1024;

unsigned int sysctl_nr_open_min = BITS_PER_LONG;

/* our min() is unusable in constant expressions ;-/ */

EXPORT_SYMBOL(__close_fd); /* for ksys_close() */

/*

 * variant of __close_fd that gets a ref on the file for later fput.

 * The caller must ensure that filp_close() called on the file, and then

 * an fput().

 * See close_fd_get_file() below, this variant assumes current->files->file_lock

 * is held.

 */

int __close_fd_get_file(unsigned int fd, struct file **res)

{

	struct file *file;

	struct fdtable *fdt;

	spin_lock(&files->file_lock);

	fdt = files_fdtable(files);

	if (fd >= fdt->max_fds)

		goto out_unlock;

		goto out_err;

	file = fdt->fd[fd];

	if (!file)

		goto out_unlock;

		goto out_err;

	rcu_assign_pointer(fdt->fd[fd], NULL);

	__put_unused_fd(files, fd);

	spin_unlock(&files->file_lock);

	get_file(file);

	*res = file;

	return 0;

out_unlock:

	spin_unlock(&files->file_lock);

out_err:

	*res = NULL;

	return -ENOENT;

}

/*

 * variant of close_fd that gets a ref on the file for later fput.

 * The caller must ensure that filp_close() called on the file, and then

 * an fput().

 */

int close_fd_get_file(unsigned int fd, struct file **res)

{

	struct files_struct *files = current->files;

	int ret;

	spin_lock(&files->file_lock);

	ret = __close_fd_get_file(fd, res);

	spin_unlock(&files->file_lock);

	return ret;

}

void do_close_on_exec(struct files_struct *files)

{

	unsigned i;

extern struct file *do_file_open_root(struct dentry *, struct vfsmount *,

		const char *, const struct open_flags *);

extern int build_open_flags(int flags, umode_t mode, struct open_flags *op);

extern int __close_fd_get_file(unsigned int fd, struct file **res);

long do_sys_ftruncate(unsigned int fd, loff_t length, int small);

long do_faccessat(int dfd, const char __user *filename, int mode);

struct io_close {

	struct file			*file;

	struct file			*put_file;

	int				fd;

};

		.needs_fs		= 1,

	},

	[IORING_OP_CLOSE] = {

		.needs_file		= 1,

		.needs_file_no_error	= 1,

		.file_table		= 1,

	},

	[IORING_OP_FILES_UPDATE] = {

static int io_close_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)

{

	/*

	 * If we queue this for async, it must not be cancellable. That would

	 * leave the 'file' in an undeterminate state, and here need to modify

	 * io_wq_work.flags, so initialize io_wq_work firstly.

	 */

	io_req_init_async(req);

	if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))

		return -EINVAL;

	if (sqe->ioprio || sqe->off || sqe->addr || sqe->len ||

		return -EBADF;

	req->close.fd = READ_ONCE(sqe->fd);

	if ((req->file && req->file->f_op == &io_uring_fops) ||

	    req->close.fd == req->ctx->ring_fd)

		return -EBADF;

	req->close.put_file = NULL;

	return 0;

}

static int io_close(struct io_kiocb *req, bool force_nonblock,

		    struct io_comp_state *cs)

{

	struct files_struct *files = current->files;

	struct io_close *close = &req->close;

	struct fdtable *fdt;

	struct file *file;

	int ret;

	/* might be already done during nonblock submission */

	if (!close->put_file) {

		ret = __close_fd_get_file(close->fd, &close->put_file);

		if (ret < 0)

			return (ret == -ENOENT) ? -EBADF : ret;

	file = NULL;

	ret = -EBADF;

	spin_lock(&files->file_lock);

	fdt = files_fdtable(files);

	if (close->fd >= fdt->max_fds) {

		spin_unlock(&files->file_lock);

		goto err;

	}

	file = fdt->fd[close->fd];

	if (!file) {

		spin_unlock(&files->file_lock);

		goto err;

	}

	if (file->f_op == &io_uring_fops) {

		spin_unlock(&files->file_lock);

		file = NULL;

		goto err;

	}

	/* if the file has a flush method, be safe and punt to async */

	if (close->put_file->f_op->flush && force_nonblock) {

		/* not safe to cancel at this point */

		req->work.flags |= IO_WQ_WORK_NO_CANCEL;

		/* was never set, but play safe */

		req->flags &= ~REQ_F_NOWAIT;

		/* avoid grabbing files - we don't need the files */

		req->flags |= REQ_F_NO_FILE_TABLE;

	if ((file->f_op->flush && force_nonblock) ||

	    req->close.fd == req->ctx->ring_fd) {

		spin_unlock(&files->file_lock);

		return -EAGAIN;

	}

	ret = __close_fd_get_file(close->fd, &file);

	spin_unlock(&files->file_lock);

	if (ret < 0) {

		if (ret == -ENOENT)

			ret = -EBADF;

		goto err;

	}

	/* No ->flush() or already async, safely close from here */

	ret = filp_close(close->put_file, req->work.files ? : current->files);

	ret = filp_close(file, current->files);

err:

	if (ret < 0)

		req_set_fail_links(req);

	fput(close->put_file);

	close->put_file = NULL;

	if (file)

		fput(file);

	__io_req_complete(req, ret, 0, cs);

	return 0;

}

		      unsigned int fd, struct file *file);

extern int __close_fd(struct files_struct *files,

		      unsigned int fd);

extern int __close_fd_get_file(unsigned int fd, struct file **res);

extern int close_fd_get_file(unsigned int fd, struct file **res);

extern struct kmem_cache *files_cachep;