From: Pavel Begunkov Date: Thu, 9 Apr 2020 05:17:59 +0000 (+0300) Subject: io_uring: fix fs cleanup on cqe overflow X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=c398ecb3d611925e4a5411afdf7489914a5c0460;p=linux.git io_uring: fix fs cleanup on cqe overflow If completion queue overflow occurs, __io_cqring_fill_event() will update req->cflags, which is in a union with req->work and happens to be aliased to req->work.fs. Following io_free_req() -> io_req_work_drop_env() may get a bunch of different problems (miscount fs->users, segfault, etc) on cleaning @fs. Signed-off-by: Pavel Begunkov Signed-off-by: Jens Axboe --- diff --git a/fs/io_uring.c b/fs/io_uring.c index 21e1c69b9c438..be65eda059ac5 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -608,6 +608,7 @@ struct io_kiocb { }; struct io_async_ctx *io; + int cflags; bool needs_fixed_file; u8 opcode; @@ -638,7 +639,6 @@ struct io_kiocb { struct callback_head task_work; struct hlist_node hash_node; struct async_poll *apoll; - int cflags; }; struct io_wq_work work; };
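Review bot: the new `int cflags` in the first hunk lands with no comment explaining why it must live outside the union that holds `work`, which is the whole point of the fix; a one-line comment such as `/* must not alias req->work: written on CQ overflow after work cleanup */` next to the field would stop a later struct reshuffle from moving it back. Placement is also worth a second look: inserting a 4-byte `int` directly before `bool needs_fixed_file;` and `u8 opcode;` may change the padding around those small fields, so a quick pahole run on `struct io_kiocb` before and after would confirm the struct does not grow more than the 4 bytes the field needs.

Review bot: the second hunk removes `cflags` from the union aliased with `struct io_wq_work work`, which resolves the `req->cflags` / `req->work.fs` overlap the commit message describes, but the message does not say whether the remaining union members (`task_work`, `hash_node`, `apoll`) were audited for the same hazard, i.e. being written by the overflow path after the request has moved into the `work` state that `io_req_work_drop_env()` cleans up. Stating that the other members are only used before the request enters the work path (or are cleared beforehand) would make it clear this is the only field that needed to move.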