io_uring: don't touch scm_fp_list after queueing skb

It's safer to not touch scm_fp_list after we queued an skb to which it
was assigned, there might be races lurking if we screw subtle sync
guarantees on the io_uring side.

Fixes: 6b06314c47e14 ("io_uring: add file set registration")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/fs/io_uring.c b/fs/io_uring.c
index b517fd9c3f6001940568734e5854f7d866a164e3..7e672464dcb3849a998f2ebc6c139ae16c703df8 100644 (file)
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -8631,8 +8631,12 @@ static int __io_sqe_files_scm(struct io_ring_ctx *ctx, int nr, int offset)
                refcount_add(skb->truesize, &sk->sk_wmem_alloc);
                skb_queue_head(&sk->sk_receive_queue, skb);
 
-               for (i = 0; i < nr_files; i++)
-                       fput(fpl->fp[i]);
+               for (i = 0; i < nr; i++) {
+                       struct file *file = io_file_from_index(ctx, i + offset);
+
+                       if (file)
+                               fput(file);
+               }
        } else {
                kfree_skb(skb);
                free_uid(fpl->user);