On 5/7/20 5:31 PM, Al Viro wrote:
On Thu, May 07, 2020 at 05:03:17PM -0600, Jens Axboe wrote:
On 5/7/20 4:44 PM, Al Viro wrote:
On Thu, May 07, 2020 at 04:25:24PM -0600, Jens Axboe wrote:
static int io_close(struct io_kiocb *req, bool force_nonblock) {
- struct files_struct *files = current->files; int ret;
req->close.put_file = NULL;
- ret = __close_fd_get_file(req->close.fd, &req->close.put_file);
- spin_lock(&files->file_lock);
- if (req->file->f_op == &io_uring_fops ||
req->close.fd == req->ctx->ring_fd) {
spin_unlock(&files->file_lock);
return -EBADF;
- }
- ret = __close_fd_get_file_locked(files, req->close.fd,
&req->close.put_file);
Pointless. By that point req->file might have nothing in common with anything in any descriptor table.
How about the below then? Stop using req->file, defer the lookup until we're in the handler instead. Not sure the 'fd' check makes sense at this point, but at least we should be consistent in terms of once we lookup the file and check the f_op.
Actually, what _is_ the reason for that check? Note, BTW, that if the file in question happens to be an AF_UNIX socket, closing it will close all references held in SCM_RIGHTS datagrams sitting in its queue, which might very well include io_uring files.
IOW, if tries to avoid something really unpleasant, it's not enough. And if it doesn't, then what is it for?
Maybe there is no issue at all, the point was obviously to not have io_uring close itself. But we might just need an ordering of the fput vs put_request to make that just fine. Let me experiment a bit and see what's going on.