io_uring/af_unix: defer registered files gc to io_uring release
authorPavel Begunkov <asml.silence@gmail.com>
Sun, 16 Oct 2022 23:03:11 +0000 (00:03 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 26 Oct 2022 11:22:59 +0000 (13:22 +0200)
[ upstream commit 2b0d241d566fa268fdb1511c2b0b1e1ef0447479 ]

Instead of putting io_uring's registered files in unix_gc() we want it
to be done by io_uring itself. The trick here is to consider io_uring
registered files for cycle detection but not actually putting them down.
Because io_uring can't register other ring instances, this will remove
all refs to the ring file triggering the ->release path and clean up
with io_ring_ctx_free().

Cc: stable@vger.kernel.org
Fixes: c90c9784c76b ("io_uring: add file set registration")
Reported-and-tested-by: David Bouman <dbouman03@gmail.com>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
[axboe: add kerneldoc comment to skb, fold in skb leak fix]
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fs/io_uring.c
include/linux/skbuff.h
net/unix/garbage.c

index 501c7e14c07cf1113b7de8691ef6635e36784b25..e8df6345a812d29756161fde54acf0e1f95feeae 100644 (file)
@@ -3172,6 +3172,7 @@ static int __io_sqe_files_scm(struct io_ring_ctx *ctx, int nr, int offset)
        }
 
        skb->sk = sk;
+       skb->scm_io_uring = 1;
        skb->destructor = io_destruct_skb;
 
        fpl->user = get_uid(ctx->user);
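Review bot: The new `skb->scm_io_uring = 1;` has no comment saying what depends on it. Its only visible consumer is the requeue loop added to unix_gc() in net/unix/garbage.c, which dereferences `skb->sk` for every flagged skb. Here `skb->sk = sk;` is assigned two lines above, so the pairing holds, but nothing states that it must. I would add `/* unix_gc() requeues flagged skbs on skb->sk's receive queue instead of purging them, so skb->sk must be valid */` above the assignment. __io_sqe_files_scm() starts and ends outside the hunk.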
index 680f71ecdc08b9eb74da6860cc8362b3cef4101d..eab3a4d02f325734ea8be9d63f5c3180c15b99e6 100644 (file)
@@ -659,6 +659,7 @@ typedef unsigned char *sk_buff_data_t;
  *     @wifi_acked: whether frame was acked on wifi or not
  *     @no_fcs:  Request NIC to treat last 4 bytes as Ethernet FCS
  *     @csum_not_inet: use CRC32c to resolve CHECKSUM_PARTIAL
+ *     @scm_io_uring: SKB holds io_uring registered files
  *     @dst_pending_confirm: need to confirm neighbour
  *     @decrypted: Decrypted SKB
  *     @napi_id: id of the NAPI struct this skb came from
@@ -824,6 +825,7 @@ struct sk_buff {
 #ifdef CONFIG_TLS_DEVICE
        __u8                    decrypted:1;
 #endif
+       __u8                    scm_io_uring:1;
 
 #ifdef CONFIG_NET_SCHED
        __u16                   tc_index;       /* traffic control index */
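Review bot: The `scm_io_uring:1` bit is added next to `decrypted:1` without saying whether it lies inside the header region that the skb copy and clone helpers duplicate. The hunk does not show the surrounding markers, so this is inferred. If the bit is copied, a clone of a flagged skb would also be skipped by unix_gc()'s purge and requeued through `skb->sk`. It is worth confirming that flagged skbs are never cloned, or that the bit is cleared on copy. A field comment such as `/* set only on io_uring SCM skbs; tested in unix_gc() */` would record the intended single writer; struct sk_buff starts and ends outside the hunk.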
index d45d5366115a769b21bfc1db5a67f7d53c3fa9b8..dc27635403932154f3dec069c2e10d2ae365d8cb 100644 (file)
@@ -204,6 +204,7 @@ void wait_for_unix_gc(void)
 /* The external entry point: unix_gc() */
 void unix_gc(void)
 {
+       struct sk_buff *next_skb, *skb;
        struct unix_sock *u;
        struct unix_sock *next;
        struct sk_buff_head hitlist;
@@ -297,11 +298,30 @@ void unix_gc(void)
 
        spin_unlock(&unix_gc_lock);
 
+       /* We need io_uring to clean its registered files, ignore all io_uring
+        * originated skbs. It's fine as io_uring doesn't keep references to
+        * other io_uring instances and so killing all other files in the cycle
+        * will put all io_uring references forcing it to go through normal
+        * release.path eventually putting registered files.
+        */
+       skb_queue_walk_safe(&hitlist, skb, next_skb) {
+               if (skb->scm_io_uring) {
+                       __skb_unlink(skb, &hitlist);
+                       skb_queue_tail(&skb->sk->sk_receive_queue, skb);
+               }
+       }
+
        /* Here we are. Hitlist is filled. Die. */
        __skb_queue_purge(&hitlist);
 
        spin_lock(&unix_gc_lock);
 
+       /* There could be io_uring registered files, just push them back to
+        * the inflight list
+        */
+       list_for_each_entry_safe(u, next, &gc_candidates, link)
+               list_move_tail(&u->link, &gc_inflight_list);
+
        /* All candidates should have been detached by now. */
        BUG_ON(!list_empty(&gc_candidates));
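Review bot: The added `list_for_each_entry_safe()` loop moves every remaining `gc_candidates` entry back to `gc_inflight_list`, so the following `BUG_ON(!list_empty(&gc_candidates))` can no longer fire. Its comment "All candidates should have been detached by now" no longer describes what is checked, and the assertion that used to catch a candidate the purge failed to detach is now silent for every leftover, not just io_uring ones. I would either drop the BUG_ON or reword its comment to `/* Leftovers were pushed back to gc_inflight_list above */`. The new comment above the requeue loop also reads `release.path` where `->release path` is meant. The requeue itself trusts `skb->sk` on any skb with the bit set, which deserves a one-line comment naming where the bit is set. unix_gc() continues outside the hunk.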