io_uring/zcrx: fix user_struct uaf · tjh.dev/kernel@0fcccfd

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

io_uring/zcrx: fix user_struct uaf

io_free_rbuf_ring() usees a struct user_struct, which
io_zcrx_ifq_free() puts it down before destroying the ring.

Cc: stable@vger.kernel.org
Fixes: 5c686456a4e83 ("io_uring/zcrx: add user_struct and mm_struct to io_zcrx_ifq")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://patch.msgid.link/e560ae00960d27a810522a7efc0e201c82dff351.1776760917.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>

authored by

Pavel Begunkov and committed by

Jens Axboe 1 week ago 0fcccfd8 45cd9576

+1 -1

1 changed file

expand all

io_uring

zcrx.c

+1 -1

io_uring/zcrx.c

··· 579 579 580 580 if (ifq->area) 581 581 io_zcrx_free_area(ifq, ifq->area); 582 - free_uid(ifq->user); 583 582 if (ifq->mm_account) 584 583 mmdrop(ifq->mm_account); 585 584 if (ifq->dev) 586 585 put_device(ifq->dev); 587 586 588 587 io_free_rbuf_ring(ifq); 588 + free_uid(ifq->user); 589 589 mutex_destroy(&ifq->pp_lock); 590 590 kfree(ifq); 591 591 }

Configure Feed

Configure Feed