userfaultfd: avoid the duplicated release for userfaultfd_ctx

Commit Message

Xu, Yanfei July 14, 2020, 4:12 p.m. UTC

From: Yanfei Xu <yanfei.xu@windriver.com>

when get_unused_fd_flags gets failure, userfaultfd_ctx_cachep will
be freed by userfaultfd_fops's release function which is the
userfaultfd_release. So we could return directly after fput().

userfaultfd_release()->userfaultfd_ctx_put(ctx)

Fixes: d08ac70b1e0d (Wire UFFD up to SELinux)
Reported-by: syzbot+75867c44841cb6373570@syzkaller.appspotmail.com
Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
---
 fs/userfaultfd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Xu, Yanfei July 15, 2020, 1:41 a.m. UTC | #1

Add maintainer Alexander Viro  :)

On 7/15/20 12:12 AM, yanfei.xu@windriver.com wrote:
> From: Yanfei Xu <yanfei.xu@windriver.com>
> 
> when get_unused_fd_flags gets failure, userfaultfd_ctx_cachep will
> be freed by userfaultfd_fops's release function which is the
> userfaultfd_release. So we could return directly after fput().
> 
> userfaultfd_release()->userfaultfd_ctx_put(ctx)
> 
> Fixes: d08ac70b1e0d (Wire UFFD up to SELinux)
> Reported-by: syzbot+75867c44841cb6373570@syzkaller.appspotmail.com
> Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
> ---
>   fs/userfaultfd.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
> index 3a4d6ac5a81a..e98317c15530 100644
> --- a/fs/userfaultfd.c
> +++ b/fs/userfaultfd.c
> @@ -2049,7 +2049,7 @@ SYSCALL_DEFINE1(userfaultfd, int, flags)
>   	fd = get_unused_fd_flags(O_RDONLY | O_CLOEXEC);
>   	if (fd < 0) {
>   		fput(file);
> -		goto out;
> +		return fd;
>   	}
>   
>   	ctx->owner = file_inode(file);
>

Xu, Yanfei July 19, 2020, 1:58 p.m. UTC | #2

ping Al Viro

Could you please help to review this patch? Thanks a lot.

Yanfei

On 7/15/20 12:12 AM, yanfei.xu@windriver.com wrote:
> From: Yanfei Xu <yanfei.xu@windriver.com>
> 
> when get_unused_fd_flags gets failure, userfaultfd_ctx_cachep will
> be freed by userfaultfd_fops's release function which is the
> userfaultfd_release. So we could return directly after fput().
> 
> userfaultfd_release()->userfaultfd_ctx_put(ctx)
> 
> Fixes: d08ac70b1e0d (Wire UFFD up to SELinux)
> Reported-by: syzbot+75867c44841cb6373570@syzkaller.appspotmail.com
> Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
> ---
>   fs/userfaultfd.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
> index 3a4d6ac5a81a..e98317c15530 100644
> --- a/fs/userfaultfd.c
> +++ b/fs/userfaultfd.c
> @@ -2049,7 +2049,7 @@ SYSCALL_DEFINE1(userfaultfd, int, flags)
>   	fd = get_unused_fd_flags(O_RDONLY | O_CLOEXEC);
>   	if (fd < 0) {
>   		fput(file);
> -		goto out;
> +		return fd;
>   	}
>   
>   	ctx->owner = file_inode(file);
>

Al Viro July 19, 2020, 4:57 p.m. UTC | #3

On Sun, Jul 19, 2020 at 09:58:34PM +0800, Xu, Yanfei wrote:
> ping Al Viro
> 
> Could you please help to review this patch? Thanks a lot.

That's -next, right?  As for the patch itself...  Frankly,
Daniel's patch looks seriously wrong.
	* why has O_CLOEXEC been quietly smuggled in?  It's
a userland ABI change, for fsck sake...
	* the double-put you've spotted
	* the whole out: thing - just make it
	if (IS_ERR(file)) {
		userfaultfd_ctx_put(ctx);
		return PTR_ERR(file);
	}
	and be done with that.

Xu, Yanfei July 20, 2020, 1:34 a.m. UTC | #4

On 7/20/20 12:57 AM, Al Viro wrote:
> On Sun, Jul 19, 2020 at 09:58:34PM +0800, Xu, Yanfei wrote:
>> ping Al Viro
>>
>> Could you please help to review this patch? Thanks a lot.
> 
> That's -next, right?  As for the patch itself...  Frankly,
Yes, it's -next.
> Daniel's patch looks seriously wrong.
Get it.

Regards,
Yanfei
> 	* why has O_CLOEXEC been quietly smuggled in?  It's
> a userland ABI change, for fsck sake...
> 	* the double-put you've spotted
> 	* the whole out: thing - just make it
> 	if (IS_ERR(file)) {
> 		userfaultfd_ctx_put(ctx);
> 		return PTR_ERR(file);
> 	}
> 	and be done with that.
>

Suren Baghdasaryan July 22, 2020, 12:09 a.m. UTC | #5

On Sun, Jul 19, 2020 at 6:34 PM Xu, Yanfei <yanfei.xu@windriver.com> wrote:
>
>
>
> On 7/20/20 12:57 AM, Al Viro wrote:
> > On Sun, Jul 19, 2020 at 09:58:34PM +0800, Xu, Yanfei wrote:
> >> ping Al Viro
> >>
> >> Could you please help to review this patch? Thanks a lot.
> >
> > That's -next, right?  As for the patch itself...  Frankly,
> Yes, it's -next.
> > Daniel's patch looks seriously wrong.
> Get it.
>
> Regards,
> Yanfei
> >       * why has O_CLOEXEC been quietly smuggled in?  It's
> > a userland ABI change, for fsck sake...
> >       * the double-put you've spotted
> >       * the whole out: thing - just make it
> >       if (IS_ERR(file)) {
> >               userfaultfd_ctx_put(ctx);
> >               return PTR_ERR(file);
> >       }
> >       and be done with that.
> >

Adding Lokesh to take a look.

Patch

diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
index 3a4d6ac5a81a..e98317c15530 100644
--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -2049,7 +2049,7 @@  SYSCALL_DEFINE1(userfaultfd, int, flags)
 	fd = get_unused_fd_flags(O_RDONLY | O_CLOEXEC);
 	if (fd < 0) {
 		fput(file);
-		goto out;
+		return fd;
 	}
 
 	ctx->owner = file_inode(file);