Skip to main content

Browse the archive

Revision 0b8c0ec7eedcd8f9f1a1f238d87f9b512b09e71a authored by Jens Axboe on 02 December 2019, 15:50:00 UTC, committed by Jens Axboe on 02 December 2019, 15:50:00 UTC 
io_uring: use current task creds instead of allocating a new one
 
syzbot reports:

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 9217 Comm: io_uring-sq Not tainted 5.4.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:creds_are_invalid kernel/cred.c:792 [inline]
RIP: 0010:__validate_creds include/linux/cred.h:187 [inline]
RIP: 0010:override_creds+0x9f/0x170 kernel/cred.c:550
Code: ac 25 00 81 fb 64 65 73 43 0f 85 a3 37 00 00 e8 17 ab 25 00 49 8d 7c
24 10 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84
c0 74 08 3c 03 0f 8e 96 00 00 00 41 8b 5c 24 10 bf
RSP: 0018:ffff88809c45fda0 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000043736564 RCX: ffffffff814f3318
RDX: 0000000000000002 RSI: ffffffff814f3329 RDI: 0000000000000010
RBP: ffff88809c45fdb8 R08: ffff8880a3aac240 R09: ffffed1014755849
R10: ffffed1014755848 R11: ffff8880a3aac247 R12: 0000000000000000
R13: ffff888098ab1600 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd51c40664 CR3: 0000000092641000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
  io_sq_thread+0x1c7/0xa20 fs/io_uring.c:3274
  kthread+0x361/0x430 kernel/kthread.c:255
  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Modules linked in:
---[ end trace f2e1a4307fbe2245 ]---
RIP: 0010:creds_are_invalid kernel/cred.c:792 [inline]
RIP: 0010:__validate_creds include/linux/cred.h:187 [inline]
RIP: 0010:override_creds+0x9f/0x170 kernel/cred.c:550
Code: ac 25 00 81 fb 64 65 73 43 0f 85 a3 37 00 00 e8 17 ab 25 00 49 8d 7c
24 10 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84
c0 74 08 3c 03 0f 8e 96 00 00 00 41 8b 5c 24 10 bf
RSP: 0018:ffff88809c45fda0 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000043736564 RCX: ffffffff814f3318
RDX: 0000000000000002 RSI: ffffffff814f3329 RDI: 0000000000000010
RBP: ffff88809c45fdb8 R08: ffff8880a3aac240 R09: ffffed1014755849
R10: ffffed1014755848 R11: ffff8880a3aac247 R12: 0000000000000000
R13: ffff888098ab1600 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd51c40664 CR3: 0000000092641000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

which is caused by slab fault injection triggering a failure in
prepare_creds(). We don't actually need to create a copy of the creds
as we're not modifying it, we just need a reference on the current task
creds. This avoids the failure case as well, and propagates the const
throughout the stack.

Fixes: 181e448d8709 ("io_uring: async workers should inherit the user creds")
Reported-by: syzbot+5320383e16029ba057ff@syzkaller.appspotmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
1 parent 72c0870
History
File Mode Size
9p
adfs
affs
afs
autofs
befs
bfs
btrfs
cachefiles
ceph
cifs
coda
configfs
cramfs
crypto
debugfs
devpts
dlm
ecryptfs
efivarfs
efs
erofs
exportfs
ext2
ext4
f2fs
fat
freevxfs
fscache
fuse
gfs2
hfs
hfsplus
hostfs
hpfs
hugetlbfs
iomap
isofs
jbd2
jffs2
jfs
kernfs
lockd
minix
nfs
nfs_common
nfsd
nilfs2
nls
notify
ntfs
ocfs2
omfs
openpromfs
orangefs
overlayfs
proc
pstore
qnx4
qnx6
quota
ramfs
reiserfs
romfs
squashfs
sysfs
sysv
tracefs
ubifs
udf
ufs
unicode
verity
xfs
Kconfig -rw-r--r-- 7.6 KB
Kconfig.binfmt -rw-r--r-- 7.6 KB
Makefile -rw-r--r-- 4.4 KB
aio.c -rw-r--r-- 56.0 KB
anon_inodes.c -rw-r--r-- 4.6 KB
attr.c -rw-r--r-- 9.6 KB
bad_inode.c -rw-r--r-- 5.3 KB
binfmt_aout.c -rw-r--r-- 8.3 KB
binfmt_elf.c -rw-r--r-- 63.1 KB
binfmt_elf_fdpic.c -rw-r--r-- 47.2 KB
binfmt_em86.c -rw-r--r-- 2.8 KB
binfmt_flat.c -rw-r--r-- 28.0 KB
binfmt_misc.c -rw-r--r-- 18.5 KB
binfmt_script.c -rw-r--r-- 4.4 KB
block_dev.c -rw-r--r-- 56.5 KB
buffer.c -rw-r--r-- 91.1 KB
char_dev.c -rw-r--r-- 16.5 KB
compat.c -rw-r--r-- 3.2 KB
compat_binfmt_elf.c -rw-r--r-- 3.3 KB
compat_ioctl.c -rw-r--r-- 6.1 KB
coredump.c -rw-r--r-- 22.1 KB
d_path.c -rw-r--r-- 11.3 KB
dax.c -rw-r--r-- 46.0 KB
dcache.c -rw-r--r-- 83.9 KB
dcookies.c -rw-r--r-- 7.1 KB
direct-io.c -rw-r--r-- 40.8 KB
drop_caches.c -rw-r--r-- 1.8 KB
eventfd.c -rw-r--r-- 11.1 KB
eventpoll.c -rw-r--r-- 64.5 KB
exec.c -rw-r--r-- 46.9 KB
fcntl.c -rw-r--r-- 23.3 KB
fhandle.c -rw-r--r-- 6.8 KB
file.c -rw-r--r-- 24.2 KB
file_table.c -rw-r--r-- 10.2 KB
filesystems.c -rw-r--r-- 6.4 KB
fs-writeback.c -rw-r--r-- 74.6 KB
fs_context.c -rw-r--r-- 18.1 KB
fs_parser.c -rw-r--r-- 11.0 KB
fs_pin.c -rw-r--r-- 1.9 KB
fs_struct.c -rw-r--r-- 3.3 KB
fs_types.c -rw-r--r-- 2.5 KB
fsopen.c -rw-r--r-- 11.2 KB
inode.c -rw-r--r-- 60.7 KB
internal.h -rw-r--r-- 5.1 KB
io-wq.c -rw-r--r-- 26.0 KB
io-wq.h -rw-r--r-- 3.0 KB
io_uring.c -rw-r--r-- 118.9 KB
ioctl.c -rw-r--r-- 19.6 KB
libfs.c -rw-r--r-- 32.9 KB
locks.c -rw-r--r-- 78.9 KB
mbcache.c -rw-r--r-- 12.0 KB
mount.h -rw-r--r-- 4.0 KB
mpage.c -rw-r--r-- 21.1 KB
namei.c -rw-r--r-- 123.0 KB
namespace.c -rw-r--r-- 97.0 KB
no-block.c -rw-r--r-- 478 bytes
nsfs.c -rw-r--r-- 6.1 KB
open.c -rw-r--r-- 30.2 KB
pipe.c -rw-r--r-- 29.0 KB
pnode.c -rw-r--r-- 15.1 KB
pnode.h -rw-r--r-- 1.9 KB
posix_acl.c -rw-r--r-- 21.5 KB
proc_namespace.c -rw-r--r-- 7.8 KB
read_write.c -rw-r--r-- 51.6 KB
readdir.c -rw-r--r-- 13.3 KB
select.c -rw-r--r-- 34.3 KB
seq_file.c -rw-r--r-- 24.7 KB
signalfd.c -rw-r--r-- 9.0 KB
splice.c -rw-r--r-- 41.4 KB
stack.c -rw-r--r-- 2.5 KB
stat.c -rw-r--r-- 19.4 KB
statfs.c -rw-r--r-- 9.6 KB
super.c -rw-r--r-- 47.9 KB
sync.c -rw-r--r-- 10.4 KB
timerfd.c -rw-r--r-- 13.5 KB
userfaultfd.c -rw-r--r-- 51.2 KB
utimes.c -rw-r--r-- 7.4 KB
xattr.c -rw-r--r-- 23.5 KB
back to top