[PATCH for-current 0/2] sqo files/mm fixes

[PATCH for-current 0/2] sqo files/mm fixes

[Pavel Begunkov]

Neither of issues is confirmed, but should be a good hardening in any
case. Inefficiencies will be removed for-next.

Pavel Begunkov (2):
  io_uring: drop mm and files after task_work_run
  io_uring: don't take files/mm for a dead task

 fs/io_uring.c | 7 +++++++
 1 file changed, 7 insertions(+)

-- 
2.24.0

[PATCH 1/2] io_uring: drop mm and files after task_work_run

[Pavel Begunkov]

__io_req_task_submit() run by task_work can set mm and files, but
io_sq_thread() in some cases, and because __io_sq_thread_acquire_mm()
and __io_sq_thread_acquire_files() do a simple current->mm/files check
it may end up submitting IO with mm/files of another task.

We also need to drop it after in the end to drop potentially grabbed
references to them.

Cc: stable@vger.kernel.org # 5.9+
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
---
 fs/io_uring.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 2f305c097bd5..7af74c1ec909 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -7056,6 +7056,7 @@ static int io_sq_thread(void *data)
 
 		if (sqt_spin || !time_after(jiffies, timeout)) {
 			io_run_task_work();
+			io_sq_thread_drop_mm_files();
 			cond_resched();
 			if (sqt_spin)
 				timeout = jiffies + sqd->sq_thread_idle;
@@ -7093,6 +7094,7 @@ static int io_sq_thread(void *data)
 	}
 
 	io_run_task_work();
+	io_sq_thread_drop_mm_files();
 
 	if (cur_css)
 		io_sq_thread_unassociate_blkcg();
-- 
2.24.0

[PATCH 2/2] io_uring: don't take files/mm for a dead task

[Pavel Begunkov]

In rare cases a task may be exiting while io_ring_exit_work() trying to
cancel/wait its requests. It's ok for __io_sq_thread_acquire_mm()
because of SQPOLL check, but is not for __io_sq_thread_acquire_files().
Play safe and fail for both of them.

Cc: stable@vger.kernel.org # 5.5+
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
---
 fs/io_uring.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 7af74c1ec909..b0e6d8e607a3 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -1106,6 +1106,9 @@ static void io_sq_thread_drop_mm_files(void)
 
 static int __io_sq_thread_acquire_files(struct io_ring_ctx *ctx)
 {
+	if (current->flags & PF_EXITING)
+		return -EFAULT;
+
 	if (!current->files) {
 		struct files_struct *files;
 		struct nsproxy *nsproxy;
@@ -1133,6 +1136,8 @@ static int __io_sq_thread_acquire_mm(struct io_ring_ctx *ctx)
 {
 	struct mm_struct *mm;
 
+	if (current->flags & PF_EXITING)
+		return -EFAULT;
 	if (current->mm)
 		return 0;
 
-- 
2.24.0

Re: [PATCH for-current 0/2] sqo files/mm fixes

[Pavel Begunkov]

On 11/01/2021 04:00, Pavel Begunkov wrote:
> Neither of issues is confirmed, but should be a good hardening in any
> case. Inefficiencies will be removed for-next.

A reminder just in case it was lost

> 
> Pavel Begunkov (2):
>   io_uring: drop mm and files after task_work_run
>   io_uring: don't take files/mm for a dead task
> 
>  fs/io_uring.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 

-- 
Pavel Begunkov

Re: [PATCH for-current 0/2] sqo files/mm fixes

[Jens Axboe]

On 1/14/21 2:12 PM, Pavel Begunkov wrote:
> On 11/01/2021 04:00, Pavel Begunkov wrote:
>> Neither of issues is confirmed, but should be a good hardening in any
>> case. Inefficiencies will be removed for-next.
> 
> A reminder just in case it was lost

Maybe I forgot to send out a reply, but they are in the io_uring-5.11
branch.

-- 
Jens Axboe

Re: [PATCH for-current 0/2] sqo files/mm fixes

[Pavel Begunkov]

On 14/01/2021 23:28, Jens Axboe wrote:
> On 1/14/21 2:12 PM, Pavel Begunkov wrote:
>> On 11/01/2021 04:00, Pavel Begunkov wrote:
>>> Neither of issues is confirmed, but should be a good hardening in any
>>> case. Inefficiencies will be removed for-next.
>>
>> A reminder just in case it was lost
> 
> Maybe I forgot to send out a reply, but they are in the io_uring-5.11
> branch.

Missed it in the tree. Thanks!

-- 
Pavel Begunkov