From: Jens Axboe axboe@kernel.dk
stable inclusion from stable-v5.10.214 commit 875f5fed30a182675f729f35bbd6ad62b52bd1ac category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9P06W CVE: CVE-2023-52656
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
Commit a4104821ad651d8a0b374f0b2474c345bbb42f82 upstream.
Since we no longer allow sending io_uring fds over SCM_RIGHTS, move to using io_is_uring_fops() to detect whether this is a io_uring fd or not. With that done, kill off io_uring_get_socket() as nobody calls it anymore.
This is in preparation to yanking out the rest of the core related to unix gc with io_uring.
Signed-off-by: Jens Axboe axboe@kernel.dk Signed-off-by: Sasha Levin sashal@kernel.org
Conflicts: include/linux/io_uring.h [context conflict, does not affect the patch] Signed-off-by: Zizhi Wo wozizhi@huawei.com --- include/linux/io_uring.h | 10 +++++----- io_uring/io_uring.c | 18 +++++------------- net/core/scm.c | 2 +- net/unix/scm.c | 4 +--- 4 files changed, 12 insertions(+), 22 deletions(-)
diff --git a/include/linux/io_uring.h b/include/linux/io_uring.h index 026e1b33bbcf..b3e0fca62705 100644 --- a/include/linux/io_uring.h +++ b/include/linux/io_uring.h @@ -37,9 +37,9 @@ struct io_uring_task { #endif
#if defined(CONFIG_IO_URING) -struct sock *io_uring_get_socket(struct file *file); void __io_uring_cancel(bool cancel_all); void __io_uring_free(struct task_struct *tsk); +bool io_is_uring_fops(struct file *file);
static inline void io_uring_files_cancel(void) { @@ -57,10 +57,6 @@ static inline void io_uring_free(struct task_struct *tsk) __io_uring_free(tsk); } #else -static inline struct sock *io_uring_get_socket(struct file *file) -{ - return NULL; -} static inline void io_uring_task_cancel(void) { } @@ -70,6 +66,10 @@ static inline void io_uring_files_cancel(void) static inline void io_uring_free(struct task_struct *tsk) { } +static inline bool io_is_uring_fops(struct file *file) +{ + return false; +} #endif
#endif diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index ab59e2de1987..c0014b2d9a7b 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -1115,19 +1115,6 @@ static struct kmem_cache *req_cachep;
static const struct file_operations io_uring_fops;
-struct sock *io_uring_get_socket(struct file *file) -{ -#if defined(CONFIG_UNIX) - if (file->f_op == &io_uring_fops) { - struct io_ring_ctx *ctx = file->private_data; - - return ctx->ring_sock->sk; - } -#endif - return NULL; -} -EXPORT_SYMBOL(io_uring_get_socket); - static inline void io_tw_lock(struct io_ring_ctx *ctx, bool *locked) { if (!*locked) { @@ -10280,6 +10267,11 @@ static const struct file_operations io_uring_fops = { #endif };
+bool io_is_uring_fops(struct file *file) +{ + return file->f_op == &io_uring_fops; +} + static int io_allocate_scq_urings(struct io_ring_ctx *ctx, struct io_uring_params *p) { diff --git a/net/core/scm.c b/net/core/scm.c index 3c7f160720d3..d09849cb60f0 100644 --- a/net/core/scm.c +++ b/net/core/scm.c @@ -105,7 +105,7 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp) if (fd < 0 || !(file = fget_raw(fd))) return -EBADF; /* don't allow io_uring files */ - if (io_uring_get_socket(file)) { + if (io_is_uring_fops(file)) { fput(file); return -EINVAL; } diff --git a/net/unix/scm.c b/net/unix/scm.c index e8e2a00bb0f5..d1048b4c2baa 100644 --- a/net/unix/scm.c +++ b/net/unix/scm.c @@ -34,10 +34,8 @@ struct sock *unix_get_socket(struct file *filp) /* PF_UNIX ? */ if (s && sock->ops && sock->ops->family == PF_UNIX) u_sock = s; - } else { - /* Could be an io_uring instance */ - u_sock = io_uring_get_socket(filp); } + return u_sock; } EXPORT_SYMBOL(unix_get_socket);