Commit 0fcccfd8 authored Apr 21, 2026 by Pavel Begunkov Committed by Jens Axboe Apr 21, 2026

io_uring/zcrx: fix user_struct uaf



io_free_rbuf_ring() usees a struct user_struct, which
io_zcrx_ifq_free() puts it down before destroying the ring.

Cc: stable@vger.kernel.org
Fixes: 5c686456 ("io_uring/zcrx: add user_struct and mm_struct to io_zcrx_ifq")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://patch.msgid.link/e560ae00960d27a810522a7efc0e201c82dff351.1776760917.git.asml.silence@gmail.com


Signed-off-by: Jens Axboe <axboe@kernel.dk>

parent 45cd9576

io_uring/zcrx.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -579,13 +579,13 @@ static void io_zcrx_ifq_free(struct io_zcrx_ifq *ifq)

		if (ifq->area)
		io_zcrx_free_area(ifq, ifq->area);
		free_uid(ifq->user);
		if (ifq->mm_account)
		mmdrop(ifq->mm_account);
		if (ifq->dev)
		put_device(ifq->dev);

		io_free_rbuf_ring(ifq);
		free_uid(ifq->user);
		mutex_destroy(&ifq->pp_lock);
		kfree(ifq);
		}