From: Bertie Tryner Date: Tue, 19 May 2026 11:44:30 +0000 (+0100) Subject: io_uring/zcrx: reorder fd allocation in zcrx_export() X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=84f7d0931c42cb0690615a431738cf6913d265f2;p=thirdparty%2Fkernel%2Flinux.git io_uring/zcrx: reorder fd allocation in zcrx_export() Currently, zcrx_export() allocates a file descriptor and copies the control structure to userspace before the backing file is created. While the operation returns an error on failure, it is cleaner to follow the standard kernel pattern of performing the copy_to_user() and fd_install() only after all resource allocations (like the anon_inode) have succeeded. This aligns the code with other fd-publishing paths in the VFS. Signed-off-by: Bertie Tryner Signed-off-by: Pavel Begunkov Link: https://patch.msgid.link/1513a3f4ae7161692ca6e991b9f01278a6bc60e4.1779189667.git.asml.silence@gmail.com Signed-off-by: Jens Axboe --- diff --git a/io_uring/zcrx.c b/io_uring/zcrx.c index d610e0f968448..7ac9eb6a09348 100644 --- a/io_uring/zcrx.c +++ b/io_uring/zcrx.c @@ -698,19 +698,10 @@ static int zcrx_export(struct io_ring_ctx *ctx, struct io_zcrx_ifq *ifq, { struct zcrx_ctrl_export *ce = &ctrl->zc_export; struct file *file; - int fd = -1; + int fd; if (!mem_is_zero(ce, sizeof(*ce))) return -EINVAL; - fd = get_unused_fd_flags(O_CLOEXEC); - if (fd < 0) - return fd; - - ce->zcrx_fd = fd; - if (copy_to_user(arg, ctrl, sizeof(*ctrl))) { - put_unused_fd(fd); - return -EFAULT; - } refcount_inc(&ifq->refs); refcount_inc(&ifq->user_refs); @@ -718,11 +709,23 @@ static int zcrx_export(struct io_ring_ctx *ctx, struct io_zcrx_ifq *ifq, file = anon_inode_create_getfile("[zcrx]", &zcrx_box_fops, ifq, O_CLOEXEC, NULL); if (IS_ERR(file)) { - put_unused_fd(fd); zcrx_unregister(ifq); return PTR_ERR(file); } + fd = get_unused_fd_flags(O_CLOEXEC); + if (fd < 0) { + fput(file); + return fd; + } + + ce->zcrx_fd = fd; + if (copy_to_user(arg, ctrl, sizeof(*ctrl))) { + fput(file); + put_unused_fd(fd); + return -EFAULT; + } + fd_install(fd, file); return 0; }