From: Lokesh Gidra <lokeshgidra@google.com>
To: viro@zeniv.linux.org.uk, stephen.smalley.work@gmail.com,
casey@schaufler-ca.com, jmorris@namei.org
Cc: kaleshsingh@google.com, dancol@dancol.org, surenb@google.com,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
nnk@google.com, jeffv@google.com, calin@google.com,
kernel-team@android.com, yanfei.xu@windriver.com,
Lokesh Gidra <lokeshgidra@google.com>,
syzbot+75867c44841cb6373570@syzkaller.appspotmail.com
Subject: [PATCH] Userfaultfd: Avoid double free of userfault_ctx and remove O_CLOEXEC
Date: Tue, 4 Aug 2020 13:31:55 -0700 [thread overview]
Message-ID: <20200804203155.2181099-1-lokeshgidra@google.com> (raw)
when get_unused_fd_flags returns error, ctx will be freed by
userfaultfd's release function, which is indirectly called by fput().
Also, if anon_inode_getfile_secure() returns an error, then
userfaultfd_ctx_put() is called, which calls mmdrop() and frees ctx.
Also, the O_CLOEXEC was inadvertently added to the call to
get_unused_fd_flags() [1].
Adding Al Viro's suggested-by, based on [2].
[1] https://lore.kernel.org/lkml/1f69c0ab-5791-974f-8bc0-3997ab1d61ea@dancol.org/
[2] https://lore.kernel.org/lkml/20200719165746.GJ2786714@ZenIV.linux.org.uk/
Fixes: d08ac70b1e0d (Wire UFFD up to SELinux)
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Reported-by: syzbot+75867c44841cb6373570@syzkaller.appspotmail.com
Signed-off-by: Lokesh Gidra <lokeshgidra@google.com>
---
fs/userfaultfd.c | 14 ++++----------
1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
index ae859161908f..e15eb8fdc083 100644
--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -2042,24 +2042,18 @@ SYSCALL_DEFINE1(userfaultfd, int, flags)
O_RDWR | (flags & UFFD_SHARED_FCNTL_FLAGS),
NULL);
if (IS_ERR(file)) {
- fd = PTR_ERR(file);
- goto out;
+ userfaultfd_ctx_put(ctx);
+ return PTR_ERR(file);
}
- fd = get_unused_fd_flags(O_RDONLY | O_CLOEXEC);
+ fd = get_unused_fd_flags(O_RDONLY);
if (fd < 0) {
fput(file);
- goto out;
+ return fd;
}
ctx->owner = file_inode(file);
fd_install(fd, file);
-
-out:
- if (fd < 0) {
- mmdrop(ctx->mm);
- kmem_cache_free(userfaultfd_ctx_cachep, ctx);
- }
return fd;
}
--
2.28.0.163.g6104cc2f0b6-goog
next reply other threads:[~2020-08-04 20:32 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-04 20:31 Lokesh Gidra [this message]
2020-08-04 20:45 ` [PATCH] Userfaultfd: Avoid double free of userfault_ctx and remove O_CLOEXEC Eric Biggers
2020-08-04 20:49 ` Lokesh Gidra
2020-08-04 20:58 ` Eric Biggers
2020-08-04 23:34 ` Lokesh Gidra
2020-08-05 3:47 ` Aleksa Sarai
2020-08-05 4:08 ` Eric Biggers
2020-08-05 4:54 ` Lokesh Gidra
2020-08-06 23:59 ` Aleksa Sarai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200804203155.2181099-1-lokeshgidra@google.com \
--to=lokeshgidra@google.com \
--cc=calin@google.com \
--cc=casey@schaufler-ca.com \
--cc=dancol@dancol.org \
--cc=jeffv@google.com \
--cc=jmorris@namei.org \
--cc=kaleshsingh@google.com \
--cc=kernel-team@android.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nnk@google.com \
--cc=stephen.smalley.work@gmail.com \
--cc=surenb@google.com \
--cc=syzbot+75867c44841cb6373570@syzkaller.appspotmail.com \
--cc=viro@zeniv.linux.org.uk \
--cc=yanfei.xu@windriver.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).