io_uring: abort file assignment prior to assigning creds

[ Upstream commit 701521403cfb228536b3947035c8a6eca40d8e58 ]

We need to either restore creds properly if we fail on the file
assignment, or just do the file assignment first instead. Let's do
the latter as it's simpler, should make no difference here for
file assignment.

Link: https://lore.kernel.org/lkml/000000000000a7edb305dca75a50@google.com/
Reported-by: syzbot+60c52ca98513a8760a91@syzkaller.appspotmail.com
Fixes: 6bf9c47a3989 ("io_uring: defer file assignment")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 7a652c8eeed277af113fb2328e0aee961f00bbc2..6f93bff7633c528e73bac33dd92aa2270905eaaf 100644 (file)
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -6729,13 +6729,14 @@ static int io_issue_sqe(struct io_kiocb *req, unsigned int issue_flags)
        const struct cred *creds = NULL;
        int ret;
 
+       if (unlikely(!io_assign_file(req, issue_flags)))
+               return -EBADF;
+
        if (unlikely((req->flags & REQ_F_CREDS) && req->creds != current_cred()))
                creds = override_creds(req->creds);
 
        if (!io_op_defs[req->opcode].audit_skip)
                audit_uring_entry(req->opcode);
-       if (unlikely(!io_assign_file(req, issue_flags)))
-               return -EBADF;
 
        switch (req->opcode) {
        case IORING_OP_NOP: