io_uring/zcrx: fix user_struct uaf

io_free_rbuf_ring() usees a struct user_struct, which io_zcrx_ifq_free() puts it down before destroying the ring. Cc: stable@vger.kernel.org Fixes: 5c686456a4e83 ("io_uring/zcrx: add user_struct and mm_struct to io_zcrx_ifq") Signed-off-by: Pavel Begunkov <asml.silence@gmail.com> Link: https://patch.msgid.link/e560ae00960d27a810522a7efc0e201c82dff351.1776760917.git.asml.silence@gmail.com Signed-off-by: Jens Axboe <axboe@kernel.dk>
author: Pavel Begunkov <asml.silence@gmail.com> 2026-04-21 11:47:04 +0300
committer: Jens Axboe <axboe@kernel.dk> 2026-04-21 21:19:11 +0300
commit: 0fcccfd87152f957fa8312b841f6efef42a05a20 (patch)
tree: abf0d104d4050181383b15538abe367e23a01741
parent: 45cd95763e198d74d369ede43aef0b1955b8dea4 (diff)
download: linux-0fcccfd87152f957fa8312b841f6efef42a05a20.tar.xz
1 files changed, 1 insertions, 1 deletions
diff --git a/io_uring/zcrx.c b/io_uring/zcrx.c
index 9a83d7eb4210..fab3693ecb0d 100644
--- a/io_uring/zcrx.c
+++ b/io_uring/zcrx.c
@@ -579,13 +579,13 @@ static void io_zcrx_ifq_free(struct io_zcrx_ifq *ifq)
 
 	if (ifq->area)
 		io_zcrx_free_area(ifq, ifq->area);
-	free_uid(ifq->user);
 	if (ifq->mm_account)
 		mmdrop(ifq->mm_account);
 	if (ifq->dev)
 		put_device(ifq->dev);
 
 	io_free_rbuf_ring(ifq);
+	free_uid(ifq->user);
 	mutex_destroy(&ifq->pp_lock);
 	kfree(ifq);
 }
author	Pavel Begunkov <asml.silence@gmail.com>	2026-04-21 11:47:04 +0300
committer	Jens Axboe <axboe@kernel.dk>	2026-04-21 21:19:11 +0300
commit	0fcccfd87152f957fa8312b841f6efef42a05a20 (patch)
tree	abf0d104d4050181383b15538abe367e23a01741
parent	45cd95763e198d74d369ede43aef0b1955b8dea4 (diff)
download	linux-0fcccfd87152f957fa8312b841f6efef42a05a20.tar.xz