Re: general protection fault in override_creds

From: Jens Axboe
Date: Mon Dec 02 2019 - 10:40:50 EST


On 12/1/19 10:40 PM, Dmitry Vyukov wrote:
On Mon, Dec 2, 2019 at 7:35 AM syzbot
<syzbot+5320383e16029ba057ff@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

Hello,

syzbot found the following crash on:

HEAD commit: b94ae8ad Merge tag 'seccomp-v5.5-rc1' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10f9ffcee00000
kernel config: https://syzkaller.appspot.com/x/.config?x=ff560c3de405258c
dashboard link: https://syzkaller.appspot.com/bug?extid=5320383e16029ba057ff
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12dd682ae00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16290abce00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+5320383e16029ba057ff@xxxxxxxxxxxxxxxxxxxxxxxxx

I think this relates to fs/io_uring.c rather than kernel/cred.c.
+io_uring maintainers

Yeah that's my fault, guessing the below will fix it. I'll test and
queue it up.


diff --git a/fs/io_uring.c b/fs/io_uring.c
index ec53aa7cdc94..afafe0463d2d 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -4361,7 +4361,8 @@ static void io_ring_ctx_free(struct io_ring_ctx *ctx)
io_unaccount_mem(ctx->user,
ring_pages(ctx->sq_entries, ctx->cq_entries));
free_uid(ctx->user);
- put_cred(ctx->creds);
+ if (ctx->creds)
+ put_cred(ctx->creds);
kfree(ctx->completions);
kmem_cache_free(req_cachep, ctx->fallback_req);
kfree(ctx);
@@ -4759,7 +4760,12 @@ static int io_uring_create(unsigned entries, struct io_uring_params *p)
ctx->compat = in_compat_syscall();
ctx->account_mem = account_mem;
ctx->user = user;
+
ctx->creds = prepare_creds();
+ if (!ctx->creds) {
+ ret = -ENOMEM;
+ goto err;
+ }
ret = io_allocate_scq_urings(ctx, p);
if (ret)

--
Jens Axboe