Commit eb278e9b authored by Li Lingfeng's avatar Li Lingfeng Committed by Jialin Zhang
Browse files

Revert "[Huawei] io_uring:drop identity before creating a private one" 

Offering: HULK
hulk inclusion
category: feature
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6BTWC



-------------------------------

This reverts commit 6d9aaec1.

We need to apply patch 788d0824269bef (io_uring: import 5.15-stable
io_uring) to move io_uring to separate directory and solve
the problem of CVE-2023-0240.
This patch fix a uaf problem of io_identity, and it can be reverted
since io_identity is removed in patch 788d0824269bef.

Signed-off-by: default avatarLi Lingfeng <lilingfeng3@huawei.com>
Reviewed-by: default avatarZhang Yi <yi.zhang@huawei.com>
Reviewed-by: default avatarWang Weiyang <wangweiyang2@huawei.com>
Signed-off-by: default avatarJialin Zhang <zhangjialin11@huawei.com>
parent 443c6146

fs/io_uring.c

+0 −42
Original line number Diff line number Diff line
@@ -1364,47 +1364,6 @@ static bool io_identity_cow(struct io_kiocb *req) 
	return true;

}



static void io_drop_identity(struct io_kiocb *req)

{

	struct io_identity *id = req->work.identity;



	if (req->work.flags & IO_WQ_WORK_MM) {

		mmdrop(id->mm);

		req->work.flags &= ~IO_WQ_WORK_MM;

	}

#ifdef CONFIG_BLK_CGROUP

	if (req->work.flags & IO_WQ_WORK_BLKCG) {

		css_put(id->blkcg_css);

		req->work.flags &= ~IO_WQ_WORK_BLKCG;

	}

#endif

	if (req->work.flags & IO_WQ_WORK_CREDS) {

		put_cred(id->creds);

		req->work.flags &= ~IO_WQ_WORK_CREDS;

	}

	if (req->work.flags & IO_WQ_WORK_FILES) {

		put_files_struct(req->work.identity->files);

		put_nsproxy(req->work.identity->nsproxy);

		req->work.flags &= ~IO_WQ_WORK_FILES;

	}

	if (req->work.flags & IO_WQ_WORK_CANCEL)

		req->work.flags &= ~IO_WQ_WORK_CANCEL;

	if (req->work.flags & IO_WQ_WORK_FS) {

		struct fs_struct *fs = id->fs;



		spin_lock(&id->fs->lock);

		if (--fs->users)

			fs = NULL;

		spin_unlock(&id->fs->lock);



		if (fs)

			free_fs_struct(fs);

		req->work.flags &= ~IO_WQ_WORK_FS;

	}

	if (req->work.flags & IO_WQ_WORK_FSIZE)

		req->work.flags &= ~IO_WQ_WORK_FSIZE;

}



static bool io_grab_identity(struct io_kiocb *req)

{

	const struct io_op_def *def = &io_op_defs[req->opcode];
@@ -1510,7 +1469,6 @@ static void io_prep_async_work(struct io_kiocb *req) 
	if (io_grab_identity(req))

		return;



	io_drop_identity(req);

	if (!io_identity_cow(req))

		return;