io_uring/af_unix: defer registered files gc to io_uring release

[ upstream commit 0091bfc81741b8d3aeb3b7ab8636f911b2de6e80 ]

Instead of putting io_uring's registered files in unix_gc() we want it
to be done by io_uring itself. The trick here is to consider io_uring
registered files for cycle detection but not actually putting them down.
Because io_uring can't register other ring instances, this will remove
all refs to the ring file triggering the ->release path and clean up
with io_ring_ctx_free().

Fixes: 6b06314c47e1 ("io_uring: add file set registration")
Reported-and-tested-by: David Bouman <>
Signed-off-by: Pavel Begunkov <>
Signed-off-by: Thadeu Lima de Souza Cascardo <>
[axboe: add kerneldoc comment to skb, fold in skb leak fix]
Signed-off-by: Jens Axboe <>
Signed-off-by: Greg Kroah-Hartman <>

RELEASE_NOTE=Fixed CVE-2022-2602 in the Linux kernel.

cos-patch: security-high
Change-Id: I627aa666fe0f4686202b8a4f4bfec26e131c3134
Reviewed-by: Oleksandr Tymoshenko <>
Tested-by: Cusky Presubmit Bot <>
Main-Branch-Verified: Cusky Presubmit Bot <>
3 files changed