From: Pavel Begunkov asml.silence@gmail.com
mainline inclusion from mainline-5.6-rc2 commit 8fef80bf56a49c60b457dedb99fd6c5279a5dbe1 category: feature bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=27 CVE: NA ---------------------------
openat() and statx() may have allocated ->open.filename, which should be be put. Add cleanup handlers for them.
Signed-off-by: Pavel Begunkov asml.silence@gmail.com Signed-off-by: Jens Axboe axboe@kernel.dk
Conflicts: fs/io_uring.c [remove IORING_OP_OPENAT2 for commit cebdb98617ae ("io_uring: add support for IORING_OP_OPENAT2") is not applied] Signed-off-by: yangerkun yangerkun@huawei.com Reviewed-by: zhangyi (F) yi.zhang@huawei.com Signed-off-by: Cheng Jian cj.chengjian@huawei.com --- fs/io_uring.c | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/fs/io_uring.c b/fs/io_uring.c index 6d2e1d1411ae..98243d7f5f3d 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -2532,6 +2532,7 @@ static int io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe) return ret; }
+ req->flags |= REQ_F_NEED_CLEANUP; return 0; }
@@ -2563,6 +2564,7 @@ static int io_openat(struct io_kiocb *req, struct io_kiocb **nxt, } err: putname(req->open.filename); + req->flags &= ~REQ_F_NEED_CLEANUP; if (ret < 0) req_set_fail_links(req); io_cqring_add_event(req, ret); @@ -2715,6 +2717,7 @@ static int io_statx_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe) return ret; }
+ req->flags |= REQ_F_NEED_CLEANUP; return 0; }
@@ -2752,6 +2755,7 @@ static int io_statx(struct io_kiocb *req, struct io_kiocb **nxt, ret = cp_statx(&stat, ctx->buffer); err: putname(ctx->filename); + req->flags &= ~REQ_F_NEED_CLEANUP; if (ret < 0) req_set_fail_links(req); io_cqring_add_event(req, ret); @@ -4170,6 +4174,10 @@ static void io_cleanup_req(struct io_kiocb *req) if (io->msg.iov != io->msg.fast_iov) kfree(io->msg.iov); break; + case IORING_OP_OPENAT: + case IORING_OP_STATX: + putname(req->open.filename); + break; }
req->flags &= ~REQ_F_NEED_CLEANUP;