From: Al Viro <[email protected]>
To: Jens Axboe <[email protected]>
Cc: Pavel Begunkov <[email protected]>,
[email protected], [email protected],
Linus Torvalds <[email protected]>
Subject: Re: [PATCH 3/3] io_uring: refactor io_sq_offload_create()
Date: Fri, 23 Jul 2021 20:19:49 +0000 [thread overview]
Message-ID: <YPskZS1uLctRWz/[email protected]> (raw)
In-Reply-To: <[email protected]>
On Fri, Jul 23, 2021 at 07:00:40PM +0000, Al Viro wrote:
> On Fri, Jul 23, 2021 at 11:56:29AM -0600, Jens Axboe wrote:
>
> > Will send out two patches for this. Note that I don't see this being a
> > real issue, as we explicitly gave the ring fd to another task, and being
> > that this is purely for read/write, it would result in -EFAULT anyway.
>
> You do realize that ->release() might come from seriously unexpected places,
> right? E.g. recvmsg() by something that doesn't expect SCM_RIGHTS attached
> to it will end up with all struct file references stashed into the sucker
> dropped, and if by that time that's the last reference - welcome to ->release()
> run as soon as recepient hits task_work_run().
>
> What's more, if you stash that into garbage for unix_gc() to pick, *any*
> process closing an AF_UNIX socket might end up running your ->release().
>
> So you really do *not* want to spawn any threads there, let alone
> possibly exfiltrating memory contents of happy recepient of your present...
To elaborate: ->release() instance may not assume anything about current->mm,
or assume anything about current, for that matter. It is entirely possible
to arrange its execution in context of a process that is not yours and had not
consent to doing that. In particular, it's a hard bug to have _any_ visible
effects depending upon the memory mappings, memory contents or the contents of
descriptor table of the process in question.
There's really no way around that.
next prev parent reply other threads:[~2021-07-23 20:19 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-20 11:03 [PATCH 0/3] small 5.13 cleanups Pavel Begunkov
2021-04-20 11:03 ` [PATCH 1/3] io_uring: move inflight un-tracking into cleanup Pavel Begunkov
2021-04-20 11:03 ` [PATCH 2/3] io_uring: safer sq_creds putting Pavel Begunkov
2021-04-20 11:03 ` [PATCH 3/3] io_uring: refactor io_sq_offload_create() Pavel Begunkov
2021-07-22 21:59 ` Al Viro
2021-07-22 23:06 ` Jens Axboe
2021-07-22 23:30 ` Al Viro
2021-07-22 23:42 ` Jens Axboe
2021-07-23 0:10 ` Al Viro
2021-07-23 0:12 ` Al Viro
2021-07-23 16:17 ` Jens Axboe
2021-07-23 17:11 ` Al Viro
2021-07-23 17:32 ` Jens Axboe
2021-07-23 17:36 ` Jens Axboe
2021-07-23 17:56 ` Jens Axboe
2021-07-23 19:00 ` Al Viro
2021-07-23 20:10 ` Jens Axboe
2021-07-23 20:24 ` Al Viro
2021-07-23 22:32 ` Jens Axboe
2021-07-23 20:19 ` Al Viro [this message]
2021-07-23 23:45 ` Matthew Wilcox
2021-07-23 23:57 ` Jens Axboe
2021-07-24 1:31 ` Al Viro
2021-07-23 0:03 ` Al Viro
2021-07-23 9:59 ` Pavel Begunkov
2021-04-20 18:55 ` [PATCH 0/3] small 5.13 cleanups Jens Axboe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YPskZS1uLctRWz/[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox