From: Stefan Metzmacher <[email protected]>
To: Jens Axboe <[email protected]>
Cc: [email protected]
Subject: Re: [PATCH 12/33] io_uring: signal worker thread unshare
Date: Thu, 4 Mar 2021 13:15:00 +0100 [thread overview]
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
Hi Jens,
> If the original task switches credentials or unshares any part of the
> task state, then we should notify the io_uring workers to they can
> re-fork as well. For credentials, this actually happens just fine for
> the io-wq workers, as we grab and pass that down. For SQPOLL, we're
> stuck with the original credentials, which means that it cannot be used
> if the task does eg seteuid().
I fear that this will be very problematic for Samba's use of io_uring.
We change credentials very often, switching between the impersonated users
and also root in order to run privileged sections.
Currently fd-based operations are not affected by the credential switches.
I guess any credential switch means that all pending io_uring requests
get canceled, correct?
It also means the usage of IORING_REGISTER_PERSONALITY isn't useful any longer,
as that requires a credential switch before (and most likely after) the
io_uring_register() syscall.
As seteuid(), unshare() and similar syscalls are per thread instead of process
in the kernel, the io_wq is also per userspace thread and not per io_ring_ctx, correct?
As I read the code any credential change in any userspace thread will
cause the sq_thread to be stopped and restarted by the next io_uring_enter(),
which means that the sq_thread may change its main credentials randomly overtime,
depending on which userspace thread calls io_uring_enter() first.
As unshare() applies only to the current task_struct I'm wondering if
we only want to refork the sq_thread if the current task is the parent of
the sq_thread.
I'm wondering if we better remove io_uring_unshare() from commit_creds()
and always handle the creds explicitly as req->work.creds.
io_init_req() then will req->work.creds from ctx->personality_idr
or from current->cred. At the same time we'd readd ctx->creds = get_current_cred();
in io_uring_setup() and use these ctx->creds in the io_sq_thread again
in order to make things sane again.
I'm also wondering if all this has an impact on IORING_SETUP_ATTACH_WQ,
in particular I'm thinking of the case where the fd was transfered via SCM_RIGHTS
or across fork(), when mm and files are not shared between the processes.
I think the IORING_FEAT_CUR_PERSONALITY section in io_uring_setup.2
should also talk about what credentials are used in the IORING_SETUP_SQPOLL case.
The IORING_SETUP_SQPOLL section should also be more detailed regarding
what state is used in particular in combination with IORING_SETUP_ATTACH_WQ.
Wasn't the idea up to 5.11 that the sq_thread would capture the whole
state at io_uring_setup()?
I think we need to maintain the overall behavior exposed to userspace...
metze
next prev parent reply other threads:[~2021-03-04 12:17 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-04 0:26 [PATCHSET 0/33] Fixes queued up for 5.12 Jens Axboe
2021-03-04 0:26 ` [PATCH 01/33] io-wq: wait for worker startup when forking a new one Jens Axboe
2021-03-04 0:26 ` [PATCH 02/33] io-wq: have manager wait for all workers to exit Jens Axboe
2021-03-04 0:26 ` [PATCH 03/33] io-wq: don't ask for a new worker if we're exiting Jens Axboe
2021-03-04 0:26 ` [PATCH 04/33] io-wq: rename wq->done completion to wq->started Jens Axboe
2021-03-04 0:26 ` [PATCH 05/33] io-wq: wait for manager exit on wq destroy Jens Axboe
2021-03-04 0:26 ` [PATCH 06/33] io-wq: fix double put of 'wq' in error path Jens Axboe
2021-03-04 0:26 ` [PATCH 07/33] io_uring: SQPOLL stop error handling fixes Jens Axboe
2021-03-04 0:26 ` [PATCH 08/33] io_uring: run fallback on cancellation Jens Axboe
2021-03-04 0:26 ` [PATCH 09/33] io_uring: don't use complete_all() on SQPOLL thread exit Jens Axboe
2021-03-04 0:26 ` [PATCH 10/33] io-wq: provide an io_wq_put_and_exit() helper Jens Axboe
2021-03-04 0:26 ` [PATCH 11/33] io_uring: fix race condition in task_work add and clear Jens Axboe
2021-03-04 0:26 ` [PATCH 12/33] io_uring: signal worker thread unshare Jens Axboe
2021-03-04 12:15 ` Stefan Metzmacher [this message]
2021-03-04 14:05 ` Jens Axboe
2021-03-04 0:26 ` [PATCH 13/33] io_uring: warn on not destroyed io-wq Jens Axboe
2021-03-04 0:26 ` [PATCH 14/33] io_uring: destroy io-wq on exec Jens Axboe
2021-03-04 0:26 ` [PATCH 15/33] io_uring: remove unused argument 'tsk' from io_req_caches_free() Jens Axboe
2021-03-04 0:26 ` [PATCH 16/33] io_uring: kill unnecessary REQ_F_WORK_INITIALIZED checks Jens Axboe
2021-03-04 0:26 ` [PATCH 17/33] io_uring: move cred assignment into io_issue_sqe() Jens Axboe
2021-03-04 0:26 ` [PATCH 18/33] io_uring: kill unnecessary io_run_ctx_fallback() in io_ring_exit_work() Jens Axboe
2021-03-04 0:26 ` [PATCH 19/33] io_uring: kill io_uring_flush() Jens Axboe
2021-03-04 0:26 ` [PATCH 20/33] io_uring: fix __tctx_task_work() ctx race Jens Axboe
2021-03-04 0:26 ` [PATCH 21/33] io_uring: replace cmpxchg in fallback with xchg Jens Axboe
2021-03-04 0:26 ` [PATCH 22/33] io_uring: ensure that SQPOLL thread is started for exit Jens Axboe
2021-03-04 0:26 ` [PATCH 23/33] io_uring: ignore double poll add on the same waitqueue head Jens Axboe
2021-03-04 0:26 ` [PATCH 24/33] io_uring: kill sqo_dead and sqo submission halting Jens Axboe
2021-03-04 0:26 ` [PATCH 25/33] io_uring: remove sqo_task Jens Axboe
2021-03-04 0:26 ` [PATCH 26/33] io-wq: fix error path leak of buffered write hash map Jens Axboe
2021-03-04 0:26 ` [PATCH 27/33] io_uring: fix -EAGAIN retry with IOPOLL Jens Axboe
2021-03-04 0:26 ` [PATCH 28/33] io_uring: choose right tctx->io_wq for try cancel Jens Axboe
2021-03-04 0:26 ` [PATCH 29/33] io_uring: inline io_req_clean_work() Jens Axboe
2021-03-04 0:26 ` [PATCH 30/33] io_uring: inline __io_queue_async_work() Jens Axboe
2021-03-04 0:26 ` [PATCH 31/33] io_uring: remove extra in_idle wake up Jens Axboe
2021-03-04 0:26 ` [PATCH 32/33] io_uring: ensure that threads freeze on suspend Jens Axboe
2021-03-04 0:27 ` [PATCH 33/33] io-wq: ensure all pending work is canceled on exit Jens Axboe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox