1 files changed, 43 insertions, 0 deletions

diff --git a/0066-io_uring-fix-races-with-file-table-unregister.patch b/0066-io_uring-fix-races-with-file-table-unregister.patch
new file mode 100644
index 000000000000..d4287b4b96bd
--- /dev/null
+++ b/0066-io_uring-fix-races-with-file-table-unregister.patch
@@ -0,0 +1,43 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Mon, 13 Jun 2022 06:32:44 +0100
+Subject: [PATCH] io_uring: fix races with file table unregister
+
+[ Upstream commit b0380bf6dad4601d92025841e2b7a135d566c6e3 ]
+
+Fixed file table quiesce might unlock ->uring_lock, potentially letting
+new requests to be submitted, don't allow those requests to use the
+table as they will race with unregistration.
+
+Reported-and-tested-by: van fantasy <g1042620637@gmail.com>
+Fixes: 05f3fb3c53975 ("io_uring: avoid ring quiesce for fixed file set unregister and update")
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/io_uring.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/fs/io_uring.c b/fs/io_uring.c
+index 3582db014aadfd76ee8c6e7e36c3c2edeed87c23..0a9f9000fc802cdf44c465e1f9064b1f3916e6a2 100644
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -8508,11 +8508,19 @@ static void __io_sqe_files_unregister(struct io_ring_ctx *ctx)
+ 
+ static int io_sqe_files_unregister(struct io_ring_ctx *ctx)
+ {
++	unsigned nr = ctx->nr_user_files;
+ 	int ret;
+ 
+ 	if (!ctx->file_data)
+ 		return -ENXIO;
++
++	/*
++	 * Quiesce may unlock ->uring_lock, and while it's not held
++	 * prevent new requests using the table.
++	 */
++	ctx->nr_user_files = 0;
+ 	ret = io_rsrc_ref_quiesce(ctx->file_data, ctx);
++	ctx->nr_user_files = nr;
+ 	if (!ret)
+ 		__io_sqe_files_unregister(ctx);
+ 	return ret;