From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="dQL+qM4s" Received: from mail-lf1-x12b.google.com (mail-lf1-x12b.google.com [IPv6:2a00:1450:4864:20::12b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 28879122 for ; Wed, 6 Dec 2023 05:29:55 -0800 (PST) Received: by mail-lf1-x12b.google.com with SMTP id 2adb3069b0e04-50bf26f8988so4870512e87.2 for ; Wed, 06 Dec 2023 05:29:55 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1701869393; x=1702474193; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=ysehmX4Pt24WsrUEQ3QJu+I81wy32Tt8NuJKvK6AdqQ=; b=dQL+qM4sm/uw5RBTX73bjHvHORjgbRpam9pHyJN1MZRzMrxqdSbvHTH0VlcEb3I+OE mJo/e5j8P+2IdH42HPOWA9rDP1ZGgW/PUMEKKy5Ud1RePXwEHD+aDRB3DLuwuhOseH5L S5V3brtR4R8kEtpo+E+zB7hbFiA78FD2h5bmLdzbNRVTpRnC89akayW56ysGX7pNowIz 1J4KJOlwHnsPatQ2Gn8YNs6XOKjKho/79OlUf3wbquDY5uGvKEhvkUSasBz7+JmRHtvC qfq6dpgH/iyc4gmNg0aCpoXom+26VFP4c/L7zx78TfWWosmiziI19fFYpHIi5V/+hPtp 0tag== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701869393; x=1702474193; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ysehmX4Pt24WsrUEQ3QJu+I81wy32Tt8NuJKvK6AdqQ=; b=IFFhN4c0Iig4Q9+6sGXRXqUawGFdXBuQHa4kJeQY+fJejLS8yisis5paij3Z9X+85T TNvYfE3/FpVtx5SvNUJvWDpXWJYlnAcribyJRr/KoHrTO5tOG1xUQWxWWqIzYIH41QKW zf/Z69xuoEqsVbboV5QaBHAmmsSZTBdDgCYfKzKvFGZTFgqvDZ5WIN/XHObkrwU5Yepx c7MDTJchzhLNFJ3ITvmLHmG12IW9nJEEAPFgYZY5WMSPD9XnzQECr9feddAZtcUOoNen qnybouCgPLtzGtLPUDWO1i63BNjnDd9nOEQoo0hO7XYJubVtGCYT673ChnvzggUwwKV9 387Q== X-Gm-Message-State: AOJu0YzjhKVaeh7rGRTqCCUrSuwCBmflEJCaZ4NQpPiBPFH9dIYQkO5d fjIXe5efzPgx2PHH2+B2zoXE2S1vVmU= X-Google-Smtp-Source: AGHT+IHWj1yYCreHfdsfyOwIHBQQ1IxH2ewW01g9Jb1lNJRWewMDD/whc8VoIZPhxh7AJ/K9EeheMQ== X-Received: by 2002:a19:7018:0:b0:50b:c24d:9284 with SMTP id h24-20020a197018000000b0050bc24d9284mr592119lfc.49.1701869392926; Wed, 06 Dec 2023 05:29:52 -0800 (PST) Received: from 127.com ([2620:10d:c092:600::2:15ce]) by smtp.gmail.com with ESMTPSA id y10-20020a056402134a00b0054c86f882bcsm2416561edw.22.2023.12.06.05.29.52 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 06 Dec 2023 05:29:52 -0800 (PST) From: Pavel Begunkov To: io-uring@vger.kernel.org Cc: Jens Axboe , asml.silence@gmail.com, jannh@google.com Subject: [PATCH 1/1] io_uring/af_unix: disable sending io_uring over sockets Date: Wed, 6 Dec 2023 13:26:47 +0000 Message-ID: X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: io-uring@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit File reference cycles have caused lots of problems for io_uring in the past, and it still doesn't work exactly right and races with unix_stream_read_generic(). The safest fix would be to completely disallow sending io_uring files via sockets via SCM_RIGHT, so there are no possible cycles invloving registered files and thus rendering SCM accounting on the io_uring side unnecessary. Cc: stable@vger.kernel.org Fixes: 0091bfc81741b ("io_uring/af_unix: defer registered files gc to io_uring release") Reported-and-suggested-by: Jann Horn Signed-off-by: Pavel Begunkov --- Note, it's a minimal patch intended for backporting, all the leftovers will be cleaned up separately. io_uring/rsrc.h | 7 ------- net/core/scm.c | 6 ++++++ 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/io_uring/rsrc.h b/io_uring/rsrc.h index 8625181fb87a..08ac0d8e07ef 100644 --- a/io_uring/rsrc.h +++ b/io_uring/rsrc.h @@ -77,17 +77,10 @@ int io_sqe_files_register(struct io_ring_ctx *ctx, void __user *arg, int __io_scm_file_account(struct io_ring_ctx *ctx, struct file *file); -#if defined(CONFIG_UNIX) -static inline bool io_file_need_scm(struct file *filp) -{ - return !!unix_get_socket(filp); -} -#else static inline bool io_file_need_scm(struct file *filp) { return false; } -#endif static inline int io_scm_file_account(struct io_ring_ctx *ctx, struct file *file) diff --git a/net/core/scm.c b/net/core/scm.c index 880027ecf516..7dc47c17d863 100644 --- a/net/core/scm.c +++ b/net/core/scm.c @@ -26,6 +26,7 @@ #include #include #include +#include #include @@ -103,6 +104,11 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp) if (fd < 0 || !(file = fget_raw(fd))) return -EBADF; + /* don't allow io_uring files */ + if (io_uring_get_socket(file)) { + fput(file); + return -EINVAL; + } *fpp++ = file; fpl->count++; } -- 2.43.0 From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="C5Kycxyx" Received: from mail-lj1-x22f.google.com (mail-lj1-x22f.google.com [IPv6:2a00:1450:4864:20::22f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5B7C412B; Wed, 6 Dec 2023 05:58:45 -0800 (PST) Received: by mail-lj1-x22f.google.com with SMTP id 38308e7fff4ca-2c9fe0b5b28so48661441fa.1; Wed, 06 Dec 2023 05:58:45 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1701871123; x=1702475923; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=ysehmX4Pt24WsrUEQ3QJu+I81wy32Tt8NuJKvK6AdqQ=; b=C5KycxyxaOvlRSfGwcNQUGmA5kgnc4bVcA4ljNUbe9fFjTpYSMTWH7uVwmh5wqithu /cSG7Pbo4Gn+Qe4N2ajssAja1CLQWaz1fprwbCKadUQfIYqsjUxwY9OSNS2YTZDslZF+ geuAUSV/JLmLjYKxVJj4dg4YDluo1a6HfsmKWBIC1qKloZxyG/PQvfFicMuFwE+cokqf Bdsqv/eILGcg5A6P60XFxpavFk35pukP+lINBew7CU+6tGcE5HpdL4mWv0e1kVIk7Ho5 VA5/687IuLMeD5W47yf5q2KRw8KO9v5ZlpwZiIrb6ehrEeAILabMiHapodb5MWQMEVln 5nHQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701871123; x=1702475923; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ysehmX4Pt24WsrUEQ3QJu+I81wy32Tt8NuJKvK6AdqQ=; b=iM2B6DYdbWqVKQ6c3kyssa/o7pPgFtpd7TMZOoO5zXIKCp3xpCijuht1bzIHotgDV+ 8rbxjMqYnaFHlAGm/rkgmfSrxGF2d6fZJr9bk53tNHd+OjlDHFgtIksjSnUobobnKNHZ 0hjtKF+l/dfiyhHEM1zvmGuUCPQHLY9hKHwzKdYrdcCo8EoZn/sfcnWm4ZMCL2Ba2gAq 6UXaGgdPOl51rjmlaIewEYM6Fc9d+CVuJhR104N1SC90rT5WHkXbkpj65YZdSLlt6DKR ilraU1699WP4t7ls6CsukjEcas3BBbnTz/w1R2Vu8yPLdxbaoabnPRmf1fTE/gLsM1Rx Tiwg== X-Gm-Message-State: AOJu0Yw0j8zfAug/tiACR35bfhgGumiA6vjr6x7pIH0+2dDZwrauG14C zpfRpg20mHeq2GSpAQt0UJ8wkILv2R0= X-Google-Smtp-Source: AGHT+IHIJ4rzxIE3cF1KqRrszjBGmYzbzhE3snj7i/rSEsicZWKt3h3Qn5xDOdTY1dk+XIf0oZZXrQ== X-Received: by 2002:a05:651c:204:b0:2c9:ffbb:34fd with SMTP id y4-20020a05651c020400b002c9ffbb34fdmr696685ljn.12.1701871122704; Wed, 06 Dec 2023 05:58:42 -0800 (PST) Received: from 127.com ([2620:10d:c092:600::2:15ce]) by smtp.gmail.com with ESMTPSA id m23-20020a1709061ed700b00a1ddf81b4ffsm624546ejj.207.2023.12.06.05.58.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 06 Dec 2023 05:58:42 -0800 (PST) From: Pavel Begunkov To: io-uring@vger.kernel.org Cc: Jens Axboe , asml.silence@gmail.com, jannh@google.com, davem@davemloft.net, kuba@kernel.org, edumazet@google.com, pabeni@redhat.com, netdev@vger.kernel.org Subject: [PATCH RESEND] io_uring/af_unix: disable sending io_uring over sockets Date: Wed, 6 Dec 2023 13:55:19 +0000 Message-ID: X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: io-uring@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Message-ID: <20231206135519.yBMlNoeFNa7HFhE2CuH-5kgU6pwEGY_P6xlXBgW6qEY@z> File reference cycles have caused lots of problems for io_uring in the past, and it still doesn't work exactly right and races with unix_stream_read_generic(). The safest fix would be to completely disallow sending io_uring files via sockets via SCM_RIGHT, so there are no possible cycles invloving registered files and thus rendering SCM accounting on the io_uring side unnecessary. Cc: stable@vger.kernel.org Fixes: 0091bfc81741b ("io_uring/af_unix: defer registered files gc to io_uring release") Reported-and-suggested-by: Jann Horn Signed-off-by: Pavel Begunkov --- Note, it's a minimal patch intended for backporting, all the leftovers will be cleaned up separately. io_uring/rsrc.h | 7 ------- net/core/scm.c | 6 ++++++ 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/io_uring/rsrc.h b/io_uring/rsrc.h index 8625181fb87a..08ac0d8e07ef 100644 --- a/io_uring/rsrc.h +++ b/io_uring/rsrc.h @@ -77,17 +77,10 @@ int io_sqe_files_register(struct io_ring_ctx *ctx, void __user *arg, int __io_scm_file_account(struct io_ring_ctx *ctx, struct file *file); -#if defined(CONFIG_UNIX) -static inline bool io_file_need_scm(struct file *filp) -{ - return !!unix_get_socket(filp); -} -#else static inline bool io_file_need_scm(struct file *filp) { return false; } -#endif static inline int io_scm_file_account(struct io_ring_ctx *ctx, struct file *file) diff --git a/net/core/scm.c b/net/core/scm.c index 880027ecf516..7dc47c17d863 100644 --- a/net/core/scm.c +++ b/net/core/scm.c @@ -26,6 +26,7 @@ #include #include #include +#include #include @@ -103,6 +104,11 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp) if (fd < 0 || !(file = fget_raw(fd))) return -EBADF; + /* don't allow io_uring files */ + if (io_uring_get_socket(file)) { + fput(file); + return -EINVAL; + } *fpp++ = file; fpl->count++; } -- 2.43.0