kernel: core_hook: refactor/hack escape_to_root a little

backslashxx · backslashxx · commit a136049e6223 · 2025-06-12T14:02:27.000+08:00
we remove that get_cred_rcu requirement by adding a hacky fallback to get_cred with smp_mb. YES, IT IS HACKY but it works well. Unlock earlier to reduce lock holding time. - !! EDIT this once tiann#2628 is merged Also properly reset refcount as said by cred.h by calling put_cred where the original unlock was. Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
diff --git a/kernel/core_hook.c b/kernel/core_hook.c
@@ -122,18 +122,24 @@ void escape_to_root(void)
 {
 	struct cred *cred;
 
+	if (current_euid().val == 0) {
+		pr_warn("Already root, don't escape!\n");
+		return;
+	}
+
 	rcu_read_lock();
 
 	do {
 		cred = (struct cred *)__task_cred((current));
-		BUG_ON(!cred);
-	} while (!get_cred_rcu(cred));
+		if (!cred) {
+			pr_info("%s: cred is null! bailing out! \n", __func__);
+			rcu_read_unlock();
+			return;
+		}
+	} while (!ksu_get_cred_rcu(cred));
+
+	rcu_read_unlock();
 
-	if (cred->euid.val == 0) {
-		pr_warn("Already root, don't escape!\n");
-		rcu_read_unlock();
-		return;
-	}
 	struct root_profile *profile = ksu_get_root_profile(cred->uid.val);
 
 	cred->uid.val = profile->uid;
@@ -164,7 +170,7 @@ void escape_to_root(void)
 
 	setup_groups(profile, cred);
 
-	rcu_read_unlock();
+	put_cred(cred); // release here - include/linux/cred.h
 
 	// Refer to kernel/seccomp.c: seccomp_set_mode_strict
 	// When disabling Seccomp, ensure that current->sighand->siglock is held during the operation.
diff --git a/kernel/kernel_compat.c b/kernel/kernel_compat.c
@@ -1,6 +1,7 @@
 #include <linux/version.h>
 #include <linux/fs.h>
 #include <linux/nsproxy.h>
+#include <linux/cred.h>
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0)
 #include <linux/sched/task.h>
 #else
@@ -173,3 +174,15 @@ long ksu_strncpy_from_user_nofault(char *dst, const void __user *unsafe_addr,
 	return ret;
 }
 #endif
+
+const struct cred *ksu_get_cred_rcu(const struct cred *cred)
+{
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 0, 0) || defined(KSU_HAS_GET_CRED_RCU)
+	return get_cred_rcu(cred);
+#else
+	smp_mb(); // sledgehammer!
+	const struct cred *ret = get_cred(cred);
+	smp_mb(); // again!
+	return ret;
+#endif
+}
diff --git a/kernel/kernel_compat.h b/kernel/kernel_compat.h
@@ -21,5 +21,6 @@ extern ssize_t ksu_kernel_read_compat(struct file *p, void *buf, size_t count,
 				      loff_t *pos);
 extern ssize_t ksu_kernel_write_compat(struct file *p, const void *buf,
 				       size_t count, loff_t *pos);
+extern const struct cred *ksu_get_cred_rcu(const struct cred *cred);
 
 #endif
