Re: general protection fault in override_creds

[Jens Axboe]

On 12/1/19 10:40 PM, Dmitry Vyukov wrote:
> On Mon, Dec 2, 2019 at 7:35 AM syzbot
> <syzbot+5320383e16029ba057ff@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:    b94ae8ad Merge tag 'seccomp-v5.5-rc1' of git://git.kernel...
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=10f9ffcee00000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=ff560c3de405258c
> > dashboard link: https://syzkaller.appspot.com/bug?extid=5320383e16029ba057ff
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12dd682ae00000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16290abce00000
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+5320383e16029ba057ff@xxxxxxxxxxxxxxxxxxxxxxxxx
>
> I think this relates to fs/io_uring.c rather than kernel/cred.c.
> +io_uring maintainers

Yeah that's my fault, guessing the below will fix it. I'll test and
queue it up.


diff --git a/fs/io_uring.c b/fs/io_uring.c
index ec53aa7cdc94..afafe0463d2d 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -4361,7 +4361,8 @@ static void io_ring_ctx_free(struct io_ring_ctx *ctx)
 		io_unaccount_mem(ctx->user,
 				ring_pages(ctx->sq_entries, ctx->cq_entries));
 	free_uid(ctx->user);
-	put_cred(ctx->creds);
+	if (ctx->creds)
+		put_cred(ctx->creds);
 	kfree(ctx->completions);
 	kmem_cache_free(req_cachep, ctx->fallback_req);
 	kfree(ctx);
@@ -4759,7 +4760,12 @@ static int io_uring_create(unsigned entries, struct io_uring_params *p)
 	ctx->compat = in_compat_syscall();
 	ctx->account_mem = account_mem;
 	ctx->user = user;
+
 	ctx->creds = prepare_creds();
+	if (!ctx->creds) {
+		ret = -ENOMEM;
+		goto err;
+	}
 
 	ret = io_allocate_scq_urings(ctx, p);
 	if (ret)

--
Jens Axboe