git.baikalelectronics.ru Git - kernel.git/commitdiff
io_uring: abort file assignment prior to assigning creds
author Jens Axboe <axboe@kernel.dk>
Fri, 15 Apr 2022 02:23:40 +0000 (20:23 -0600)
committer Jens Axboe <axboe@kernel.dk>
Fri, 15 Apr 2022 02:23:40 +0000 (20:23 -0600)
We need to either restore creds properly if we fail on the file
assignment, or just do the file assignment first instead. Let's do
the latter as it's simpler, should make no difference here for
file assignment.

Link: https://lore.kernel.org/lkml/000000000000a7edb305dca75a50@google.com/
Reported-by: syzbot+60c52ca98513a8760a91@syzkaller.appspotmail.com
Fixes: fb187901eb95 ("io_uring: defer file assignment")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
fs/io_uring.c

index ab674a0d269bd08e8fb817253898d2f90c7a1d37..4479013854d200c689b5864ce3b46d9170a6042a 100644 (file)
@@ -7111,13 +7111,14 @@ static int io_issue_sqe(struct io_kiocb *req, unsigned int issue_flags)
        const struct cred *creds = NULL;
        int ret;
 
+       if (unlikely(!io_assign_file(req, issue_flags)))
+               return -EBADF;
+
        if (unlikely((req->flags & REQ_F_CREDS) && req->creds != current_cred()))
                creds = override_creds(req->creds);
 
        if (!io_op_defs[req->opcode].audit_skip)
                audit_uring_entry(req->opcode);
-       if (unlikely(!io_assign_file(req, issue_flags)))
-               return -EBADF;
 
        switch (req->opcode) {
        case IORING_OP_NOP:
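
Review bot: The new early return at the top of io_issue_sqe() is only correct because it sits ahead of override_creds(), and nothing in the code records that. A one-line comment above `if (unlikely(!io_assign_file(req, issue_flags)))` saying the file assignment must stay before the creds override, because the -EBADF path returns without restoring creds, would keep a later reorder from reintroducing the problem. The move also puts the -EBADF return ahead of audit_uring_entry(), so a request that fails file assignment no longer reaches the audit entry call. The commit message only covers the creds ordering, so it should say whether skipping the audit entry on this path is intended.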