release/5.2.28/io_uring-use-current-task-creds-instead-of-allocatin.patch - pub/scm/linux/kernel/git/paulg/longterm-queue-5.2 - Git at Google

 From 85dc9e7adf9b4b2a99a798e59ae2f1145cb93a37 Mon Sep 17 00:00:00 2001
 From: Jens Axboe <axboe@kernel.dk>
 Date: Mon, 2 Dec 2019 08:50:00 -0700
 Subject: [PATCH] io_uring: use current task creds instead of allocating a new
  one

 commit 0b8c0ec7eedcd8f9f1a1f238d87f9b512b09e71a upstream.

 syzbot reports:

 kasan: CONFIG_KASAN_INLINE enabled
 kasan: GPF could be caused by NULL-ptr deref or user memory access
 general protection fault: 0000 [#1] PREEMPT SMP KASAN
 CPU: 0 PID: 9217 Comm: io_uring-sq Not tainted 5.4.0-syzkaller #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
 Google 01/01/2011
 RIP: 0010:creds_are_invalid kernel/cred.c:792 [inline]
 RIP: 0010:__validate_creds include/linux/cred.h:187 [inline]
 RIP: 0010:override_creds+0x9f/0x170 kernel/cred.c:550
 Code: ac 25 00 81 fb 64 65 73 43 0f 85 a3 37 00 00 e8 17 ab 25 00 49 8d 7c
 24 10 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84
 c0 74 08 3c 03 0f 8e 96 00 00 00 41 8b 5c 24 10 bf
 RSP: 0018:ffff88809c45fda0 EFLAGS: 00010202
 RAX: dffffc0000000000 RBX: 0000000043736564 RCX: ffffffff814f3318
 RDX: 0000000000000002 RSI: ffffffff814f3329 RDI: 0000000000000010
 RBP: ffff88809c45fdb8 R08: ffff8880a3aac240 R09: ffffed1014755849
 R10: ffffed1014755848 R11: ffff8880a3aac247 R12: 0000000000000000
 R13: ffff888098ab1600 R14: 0000000000000000 R15: 0000000000000000
 FS:  0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007ffd51c40664 CR3: 0000000092641000 CR4: 00000000001406f0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
   io_sq_thread+0x1c7/0xa20 fs/io_uring.c:3274
   kthread+0x361/0x430 kernel/kthread.c:255
   ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
 Modules linked in:
 ---[ end trace f2e1a4307fbe2245 ]---
 RIP: 0010:creds_are_invalid kernel/cred.c:792 [inline]
 RIP: 0010:__validate_creds include/linux/cred.h:187 [inline]
 RIP: 0010:override_creds+0x9f/0x170 kernel/cred.c:550
 Code: ac 25 00 81 fb 64 65 73 43 0f 85 a3 37 00 00 e8 17 ab 25 00 49 8d 7c
 24 10 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84
 c0 74 08 3c 03 0f 8e 96 00 00 00 41 8b 5c 24 10 bf
 RSP: 0018:ffff88809c45fda0 EFLAGS: 00010202
 RAX: dffffc0000000000 RBX: 0000000043736564 RCX: ffffffff814f3318
 RDX: 0000000000000002 RSI: ffffffff814f3329 RDI: 0000000000000010
 RBP: ffff88809c45fdb8 R08: ffff8880a3aac240 R09: ffffed1014755849
 R10: ffffed1014755848 R11: ffff8880a3aac247 R12: 0000000000000000
 R13: ffff888098ab1600 R14: 0000000000000000 R15: 0000000000000000
 FS:  0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007ffd51c40664 CR3: 0000000092641000 CR4: 00000000001406f0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

 which is caused by slab fault injection triggering a failure in
 prepare_creds(). We don't actually need to create a copy of the creds
 as we're not modifying it, we just need a reference on the current task
 creds. This avoids the failure case as well, and propagates the const
 throughout the stack.

 Fixes: 181e448d8709 ("io_uring: async workers should inherit the user creds")
 Reported-by: syzbot+5320383e16029ba057ff@syzkaller.appspotmail.com
 Signed-off-by: Jens Axboe <axboe@kernel.dk>
 [PG: drop chunks not in v5.2 as per v5.3.11-stable b'port of 181e448d8709]
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

 diff --git a/fs/io_uring.c b/fs/io_uring.c
 index d56a78fba43d..50e9cde0288a 100644
 --- a/fs/io_uring.c
 +++ b/fs/io_uring.c
 @@ -258,7 +258,7 @@ struct io_ring_ctx {

  	struct user_struct	*user;

 -	struct cred		*creds;
 +	const struct cred	*creds;

  	struct completion	ctx_done;

 @@ -3190,7 +3190,7 @@ static int io_uring_create(unsigned entries, struct io_uring_params *p)
  	ctx->account_mem = account_mem;
  	ctx->user = user;

 -	ctx->creds = prepare_creds();
 +	ctx->creds = get_current_cred();
  	if (!ctx->creds) {
  		ret = -ENOMEM;
  		goto err;
 --
 2.7.4
	From 85dc9e7adf9b4b2a99a798e59ae2f1145cb93a37 Mon Sep 17 00:00:00 2001
	From: Jens Axboe <axboe@kernel.dk>
	Date: Mon, 2 Dec 2019 08:50:00 -0700
	Subject: [PATCH] io_uring: use current task creds instead of allocating a new
	one

	commit 0b8c0ec7eedcd8f9f1a1f238d87f9b512b09e71a upstream.

	syzbot reports:

	kasan: CONFIG_KASAN_INLINE enabled
	kasan: GPF could be caused by NULL-ptr deref or user memory access
	general protection fault: 0000 [#1] PREEMPT SMP KASAN
	CPU: 0 PID: 9217 Comm: io_uring-sq Not tainted 5.4.0-syzkaller #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
	Google 01/01/2011
	RIP: 0010:creds_are_invalid kernel/cred.c:792 [inline]
	RIP: 0010:__validate_creds include/linux/cred.h:187 [inline]
	RIP: 0010:override_creds+0x9f/0x170 kernel/cred.c:550
	Code: ac 25 00 81 fb 64 65 73 43 0f 85 a3 37 00 00 e8 17 ab 25 00 49 8d 7c
	24 10 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84
	c0 74 08 3c 03 0f 8e 96 00 00 00 41 8b 5c 24 10 bf
	RSP: 0018:ffff88809c45fda0 EFLAGS: 00010202
	RAX: dffffc0000000000 RBX: 0000000043736564 RCX: ffffffff814f3318
	RDX: 0000000000000002 RSI: ffffffff814f3329 RDI: 0000000000000010
	RBP: ffff88809c45fdb8 R08: ffff8880a3aac240 R09: ffffed1014755849
	R10: ffffed1014755848 R11: ffff8880a3aac247 R12: 0000000000000000
	R13: ffff888098ab1600 R14: 0000000000000000 R15: 0000000000000000
	FS: 0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 00007ffd51c40664 CR3: 0000000092641000 CR4: 00000000001406f0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	Call Trace:
	io_sq_thread+0x1c7/0xa20 fs/io_uring.c:3274
	kthread+0x361/0x430 kernel/kthread.c:255
	ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
	Modules linked in:
	---[ end trace f2e1a4307fbe2245 ]---
	RIP: 0010:creds_are_invalid kernel/cred.c:792 [inline]
	RIP: 0010:__validate_creds include/linux/cred.h:187 [inline]
	RIP: 0010:override_creds+0x9f/0x170 kernel/cred.c:550
	Code: ac 25 00 81 fb 64 65 73 43 0f 85 a3 37 00 00 e8 17 ab 25 00 49 8d 7c
	24 10 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84
	c0 74 08 3c 03 0f 8e 96 00 00 00 41 8b 5c 24 10 bf
	RSP: 0018:ffff88809c45fda0 EFLAGS: 00010202
	RAX: dffffc0000000000 RBX: 0000000043736564 RCX: ffffffff814f3318
	RDX: 0000000000000002 RSI: ffffffff814f3329 RDI: 0000000000000010
	RBP: ffff88809c45fdb8 R08: ffff8880a3aac240 R09: ffffed1014755849
	R10: ffffed1014755848 R11: ffff8880a3aac247 R12: 0000000000000000
	R13: ffff888098ab1600 R14: 0000000000000000 R15: 0000000000000000
	FS: 0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 00007ffd51c40664 CR3: 0000000092641000 CR4: 00000000001406f0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

	which is caused by slab fault injection triggering a failure in
	prepare_creds(). We don't actually need to create a copy of the creds
	as we're not modifying it, we just need a reference on the current task
	creds. This avoids the failure case as well, and propagates the const
	throughout the stack.

	Fixes: 181e448d8709 ("io_uring: async workers should inherit the user creds")
	Reported-by: syzbot+5320383e16029ba057ff@syzkaller.appspotmail.com
	Signed-off-by: Jens Axboe <axboe@kernel.dk>
	[PG: drop chunks not in v5.2 as per v5.3.11-stable b'port of 181e448d8709]
	Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

	diff --git a/fs/io_uring.c b/fs/io_uring.c
	index d56a78fba43d..50e9cde0288a 100644
	--- a/fs/io_uring.c
	+++ b/fs/io_uring.c
	@@ -258,7 +258,7 @@ struct io_ring_ctx {

	struct user_struct *user;

	- struct cred *creds;
	+ const struct cred *creds;

	struct completion ctx_done;

	@@ -3190,7 +3190,7 @@ static int io_uring_create(unsigned entries, struct io_uring_params *p)
	ctx->account_mem = account_mem;
	ctx->user = user;

	- ctx->creds = prepare_creds();
	+ ctx->creds = get_current_cred();
	if (!ctx->creds) {
	ret = -ENOMEM;
	goto err;
	--
	2.7.4