Bug 258698

Summary: aio(4): ucred leak in aio_aqueue()'s failure path
Product: Base System Reporter: sigsys
Component: kernAssignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED    
Severity: Affects Many People CC: asomers
Priority: --- Keywords: needs-qa
Version: CURRENTFlags: koobs: maintainer-feedback? (asomers)
asomers: mfc-stable13+
koobs: mfc-stable12-
koobs: mfc-stable11-
Hardware: Any   
OS: Any   
URL: https://github.com/freebsd/freebsd-src/commit/022ca2fc7fe08d51f33a1d23a9be49e6d132914e
See Also: https://reviews.freebsd.org/D27743

Description sigsys 2021-09-23 22:44:30 UTC 
diff --git c/sys/kern/vfs_aio.c i/sys/kern/vfs_aio.c
index ebe91ff0fdaf..a3a099873ff1 100644
--- c/sys/kern/vfs_aio.c
+++ i/sys/kern/vfs_aio.c
@@ -1714,7 +1714,7 @@ aio_aqueue(struct thread *td, struct aiocb *ujob, struct aioliojob *lj,
 	else
 		error = fo_aio_queue(fp, job);
 	if (error)
-		goto err3;
+		goto err4;
 
 	AIO_LOCK(ki);
 	job->jobflags &= ~KAIOCB_QUEUEING;
@@ -1735,6 +1735,8 @@ aio_aqueue(struct thread *td, struct aiocb *ujob, struct aioliojob *lj,
 	AIO_UNLOCK(ki);
 	return (0);
 
+err4:
+	crfree(job->cred);
 err3:
 	if (fp)
 		fdrop(fp, td);
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2021-09-24 00:10:43 UTC 
Thank you for your report. Please include your proposed patch as an attachment 

Appears introduced in src 022ca2fc7fe08d51f33a1d23a9be49e6d132914e via https://reviews.freebsd.org/D27743
Comment 2 commit-hook freebsd_committer freebsd_triage 2021-09-24 00:19:18 UTC 
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=45c2c7c484de7747014492b17ff89e323ee66496

commit 45c2c7c484de7747014492b17ff89e323ee66496
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2021-09-24 00:14:56 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2021-09-24 00:18:34 +0000

    aio_aqueue(): avoid ucred leak on failure path

    PR:     258698
    Submitted by:   sigsys@gmail.com
    MFC after:      1 week

 sys/kern/vfs_aio.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
Comment 3 commit-hook freebsd_committer freebsd_triage 2021-10-01 00:34:06 UTC 
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=9499d3c1e40dfeb1f63f61af7cdf25ee27f9a2ec

commit 9499d3c1e40dfeb1f63f61af7cdf25ee27f9a2ec
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2021-09-24 00:14:56 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2021-10-01 00:32:22 +0000

    aio_aqueue(): avoid ucred leak on failure path

    PR:     258698

    (cherry picked from commit 45c2c7c484de7747014492b17ff89e323ee66496)

 sys/kern/vfs_aio.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
Comment 4 commit-hook freebsd_committer freebsd_triage 2022-06-27 17:27:09 UTC 
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=76ed54dda74ffe8c7284cab10a4b30445a8db12f

commit 76ed54dda74ffe8c7284cab10a4b30445a8db12f
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2021-09-24 00:14:56 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2022-06-27 17:25:44 +0000

    aio_aqueue(): avoid ucred leak on failure path

    PR:             258698
    Submitted by:   sigsys@gmail.com

    (cherry picked from commit 45c2c7c484de7747014492b17ff89e323ee66496)

 sys/kern/vfs_aio.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
Comment 5 commit-hook freebsd_committer freebsd_triage 2022-08-09 19:59:14 UTC 
A commit in branch releng/12.3 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=7f83d23ecfce15cc83f51aa9d1c4f95c24448ab9

commit 7f83d23ecfce15cc83f51aa9d1c4f95c24448ab9
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2021-09-24 00:14:56 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2022-07-25 20:07:02 +0000

    aio_aqueue(): avoid ucred leak on failure path

    Approved by:    so
    Security:       FreeBSD-SA-22:10.aio
    PR:             258698
    Submitted by:   sigsys@gmail.com

    (cherry picked from commit 45c2c7c484de7747014492b17ff89e323ee66496)
    (cherry picked from commit 76ed54dda74ffe8c7284cab10a4b30445a8db12f)

 sys/kern/vfs_aio.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
Comment 6 commit-hook freebsd_committer freebsd_triage 2022-08-09 20:01:15 UTC 
A commit in branch releng/13.0 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=c864c8cf08a9dc197612d5ffffd239aa72de7c97

commit c864c8cf08a9dc197612d5ffffd239aa72de7c97
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2021-09-24 00:14:56 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2022-07-25 20:01:25 +0000

    aio_aqueue(): avoid ucred leak on failure path

    Approved by:    so
    Security:       FreeBSD-SA-22:10.aio
    PR:             258698

    (cherry picked from commit 45c2c7c484de7747014492b17ff89e323ee66496)
    (cherry picked from commit 9499d3c1e40dfeb1f63f61af7cdf25ee27f9a2ec)

 sys/kern/vfs_aio.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)