io_uring: fix fs->users overflow

There is a bunch of cases where we can grab req->fs but not put it, this
can be used to cause a controllable overflow with further implications.
Release req->fs in the request free path and make sure we zero the field
to be sure we don't do it twice.

Fixes: cac68d12c531 ("io_uring: grab ->fs as part of async offload")
Reported-by: Bing-Jhong Billy Jheng <billy@starlabs.sg>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 1a623d361ffe5cecd4244a02f449528416360038)
Signed-off-by: Robert Kolchmeyer <rkolchmeyer@google.com>

BUG=b/230125933
TEST=presubmit
RELEASE_NOTE=Fixed CVE-2022-1116 in the Linux kernel.

cos-patch: security-high
Change-Id: I3011d7291dbb2d797c09c269c029b50429f76b93
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/32085
Reviewed-by: Roy Yang <royyang@google.com>
Reviewed-by: Oleksandr Tymoshenko <ovt@google.com>
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
1 file changed