io_uring: fix fs->users overflow

There is a bunch of cases where we can grab req->fs but not put it; this
can be used to cause a controllable overflow with further implications.
Release req->fs in the request free path and make sure we zero the field
to be sure we don't do it twice.

Fixes: cac68d12c531 ("io_uring: grab ->fs as part of async offload")
Reported-by: Bing-Jhong Billy Jheng <>
Signed-off-by: Pavel Begunkov <>
Signed-off-by: Greg Kroah-Hartman <>
(cherry picked from commit 1a623d361ffe5cecd4244a02f449528416360038)
Signed-off-by: Robert Kolchmeyer <>

RELEASE_NOTE=Fixed CVE-2022-1116 in the Linux kernel.

cos-patch: security-high
Change-Id: I3011d7291dbb2d797c09c269c029b50429f76b93
Reviewed-by: Roy Yang <>
Reviewed-by: Oleksandr Tymoshenko <>
Tested-by: Cusky Presubmit Bot <>
1 file changed
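
The imbalance the commit message describes, as a simplified userspace model added here for illustration (it is not the kernel patch or kernel code). The struct and function names are hypothetical, and the counter is narrowed to 16 bits, an assumption made only so the wrap appears after a few thousand cycles.

```c
#include <stdint.h>
#include <stdio.h>

/* Model only: a 16-bit counter stands in for fs->users. */
struct fs_model  { uint16_t users; };
struct req_model { struct fs_model *fs; };

/* Grab side: take a reference on behalf of a request. */
static void req_grab_fs(struct req_model *req, struct fs_model *fs)
{
    fs->users++;
    req->fs = fs;
}

/* Free path with no put: every request leaks one reference. */
static void req_free_leaky(struct req_model *req)
{
    (void)req;
}

/* Free path with the put; zeroing the field makes a repeat call a no-op. */
static void req_free_fixed(struct req_model *req)
{
    if (req->fs) {
        req->fs->users--;
        req->fs = NULL;
    }
}

/* Run n grab/free cycles; the count starts at 1 for the owner's reference. */
static uint16_t run_cycles(unsigned n, int fixed)
{
    struct fs_model fs = { .users = 1 };
    for (unsigned i = 0; i < n; i++) {
        struct req_model req = { 0 };
        req_grab_fs(&req, &fs);
        if (fixed) {
            req_free_fixed(&req);
            req_free_fixed(&req); /* second call must not put again */
        } else {
            req_free_leaky(&req);
        }
    }
    return fs.users;
}

int main(void)
{
    printf("leaky: users=%u\n", (unsigned)run_cycles(65535, 0));
    printf("fixed: users=%u\n", (unsigned)run_cycles(65535, 1));
    return 0;
}
```

In the leaky run the count wraps to 0 while the owner still holds its reference; with the put in the free path it stays at 1 even when the free routine runs twice.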