From patchwork Mon Nov 14 14:50:40 2022
X-Patchwork-Submitter: Lin Ma
X-Patchwork-Id: 19848
From: Lin Ma
To: axboe@kernel.dk, asml.silence@gmail.com, io-uring@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Lin Ma
Subject: [PATCH v1] io_uring/filetable: fix file reference underflow
Date: Mon, 14 Nov 2022 22:50:40 +0800
Message-Id: <20221114145040.14365-1-linma@zju.edu.cn>
X-Mailer: git-send-email 2.38.1
X-Mailing-List: linux-kernel@vger.kernel.org

There is an interesting reference bug when -ENOMEM occurs in calling of
io_install_fixed_file(). The tracing of this bug is shown below:

commit 8c71fe750215 ("io_uring: ensure fput() called correspondingly when
direct install fails") adds an additional fput() in io_fixed_fd_install()
when io_file_bitmap_get() returns error values. In that case, the routine
will never make it to io_install_fixed_file() due to an early return.

  static int io_fixed_fd_install(...)
  {
    if (alloc_slot) {
      ...
      ret = io_file_bitmap_get(ctx);
      if (unlikely(ret < 0)) {
        io_ring_submit_unlock(ctx, issue_flags);
        fput(file);
        return ret;
      }
      ...
    }
    ...
    ret = io_install_fixed_file(req, file, issue_flags, file_slot);
    ...
  }

In the above scenario, the reference is okay as io_fixed_fd_install()
ensures the fput() is called when something bad happens, either via the
bitmap or via the inner io_install_fixed_file().

However, the commit 61c1b44a21d7 ("io_uring: fix deadlock on iowq file
slot alloc") breaks the balance because it places fput() into the common
path for both io_file_bitmap_get() and io_install_fixed_file(). Since
io_install_fixed_file() handles the fput() itself, the reference
underflow comes across then.

There are some extra commits that make the current code into

  io_fixed_fd_install() -> __io_fixed_fd_install() -> io_install_fixed_file()

However, the fact remains that an extra fput() is called if
io_install_fixed_file() calls fput(). Traversing through the code, I find
that the existing two callers of __io_fixed_fd_install(),
io_fixed_fd_install() and io_msg_send_fd(), call fput() when handling an
error return, so this patch simply removes the fput() in
io_install_fixed_file() to fix the bug.

Fixes: 61c1b44a21d7 ("io_uring: fix deadlock on iowq file slot alloc")
Signed-off-by: Lin Ma
---
 io_uring/filetable.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/io_uring/filetable.c b/io_uring/filetable.c
index 7b473259f3f4..68dfc6936aa7 100644
--- a/io_uring/filetable.c
+++ b/io_uring/filetable.c
@@ -101,8 +101,6 @@ static int io_install_fixed_file(struct io_ring_ctx *ctx, struct file *file, err: if (needs_switch) io_rsrc_node_switch(ctx, ctx->file_data); - if (ret) - fput(file); return ret; }
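Review bot: Dropping `if (ret) fput(file);` at the err: label silently changes io_install_fixed_file()'s contract to "on failure the caller keeps its file reference", and nothing in the hunk records that rule; a one-line comment above the function (or at err:) saying the callee never drops the reference on error would keep a future direct caller from reintroducing either a leak (no put) or this underflow (double put), since the message only verifies the two callers that exist today. The commit message should also state the impact plainly: with two fput() calls on the -ENOMEM path the struct file is released while its owner still holds a reference, so this is a use-after-free rather than a leak, which is worth saying next to the Fixes: tag. The hunk still runs io_rsrc_node_switch() before returning on error, so that cleanup remains the callee's job, which is consistent with the new split of responsibilities.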
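The reference-ownership problem the message describes, as an added user-space model in C (example code, not part of this patch or of io_uring): struct model_file, model_fput(), install_before_fix(), install_after_fix(), caller() and refcount_after() are constructed stand-ins for struct file, fput(), io_install_fixed_file() before and after the change, and io_fixed_fd_install(); the -ENOMEM failure is simulated with a flag rather than by exhausting memory. It shows the double put freeing the file while another holder still references it, and the balanced count once only the caller puts on error.

```c
/* Added example, not kernel code: a user-space model of the double fput()
 * the patch fixes. All names here are constructed stand-ins:
 *   struct model_file     ~ struct file with its reference count
 *   model_fput()          ~ fput()
 *   install_before_fix()  ~ io_install_fixed_file() with the removed fput()
 *   install_after_fix()   ~ io_install_fixed_file() after this patch
 *   caller()              ~ io_fixed_fd_install(), which puts on error
 * The -ENOMEM failure inside the install step is simulated with a flag. */
#include <errno.h>
#include <stdio.h>

struct model_file {
    long count;   /* live references, like f_count */
    int freed;    /* set once the count reaches zero */
};

/* Drop one reference. A put on an already-freed file is the underflow;
 * in the kernel that would be a use-after-free of struct file. Returns
 * 0 on a normal put and -1 on a put after free. */
static int model_fput(struct model_file *f)
{
    if (f->freed)
        return -1;
    if (--f->count == 0)
        f->freed = 1;
    return 0;
}

/* Callee as it was before the patch: it releases the file itself when the
 * install fails, although the caller also releases it. */
static int install_before_fix(struct model_file *f, int simulate_enomem)
{
    int ret = simulate_enomem ? -ENOMEM : 0;

    if (ret)
        model_fput(f);   /* the two lines the hunk removes */
    return ret;
}

/* Callee after the patch: on failure the caller keeps its reference; on
 * success the reference is owned by the fixed-file table. */
static int install_after_fix(struct model_file *f, int simulate_enomem)
{
    (void)f;
    return simulate_enomem ? -ENOMEM : 0;
}

/* Caller modelled on io_fixed_fd_install(): take a reference (fget), try to
 * install it, and put it back on any error. This is balanced only if the
 * callee never puts on error. */
static int caller(struct model_file *f,
                  int (*install)(struct model_file *, int),
                  int simulate_enomem)
{
    int ret;

    f->count++;                     /* fget(): caller now holds a reference */
    ret = install(f, simulate_enomem);
    if (ret < 0)
        model_fput(f);              /* release the caller's reference */
    return ret;
}

/* Run one scenario on a file that some other holder (the fd table owner)
 * references once. Returns the final reference count; 0 means the file was
 * freed although that holder never dropped its reference. */
int refcount_after(int fixed, int simulate_enomem)
{
    struct model_file f = { .count = 1, .freed = 0 };

    caller(&f, fixed ? install_after_fix : install_before_fix, simulate_enomem);
    return (int)f.count;
}

int main(void)
{
    printf("before fix, -ENOMEM: count=%d (owner's reference gone)\n",
           refcount_after(0, 1));
    printf("after fix,  -ENOMEM: count=%d (balanced)\n", refcount_after(1, 1));
    printf("after fix,  success: count=%d (table owns the extra ref)\n",
           refcount_after(1, 0));
    return 0;
}
```

Any C99 compiler builds it; main() just prints the three scenarios. The rule the model encodes is the one the patch relies on: a function handed a file reference either consumes it on success or leaves it untouched on failure, never both, so every caller can unconditionally fput() on error without a second audit of the callee.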