Received: by 2002:a05:7412:419a:b0:f3:1519:9f41 with SMTP id i26csp3418176rdh; Mon, 27 Nov 2023 13:54:40 -0800 (PST) X-Google-Smtp-Source: AGHT+IG8jbvtIVre6ohHR3mJviMjU9qToAOy+jvy8duTwzuNuqkSloy2uRwH57dAHVJC/LRLllsx X-Received: by 2002:a05:6a00:813:b0:6cb:42de:24e0 with SMTP id m19-20020a056a00081300b006cb42de24e0mr13659083pfk.28.1701122079985; Mon, 27 Nov 2023 13:54:39 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1701122079; cv=none; d=google.com; s=arc-20160816; b=Msclot0p/0uwsQiXZqaoiMTXT+LOMnp+J+gnACn7eLXD0HypG5zl2E2ifUB1If0/fg T3afSUaW0nYSQ1498FnR/cjVn7B7lCc1e60WUi1H950KTBKwOlKJ+fhUD1H5GZXHmJwE fR0DmDAUSwJ+7SUuqGu7Am0kO5iMnKeEQqeGiTM10Ma5tOf/EEPV/+Z6KjR4BvkC21oh DT1gOHTCFfW0h1rQjRq7kMpRTmm6OsOt85mbU3IIXIoOG7RCXqMOGU+I0iDbYwZIjlFV E0lFSC6ovyABilTOn73wg5DoFtS5sX0qQtt4s3jlHXkkViTZpdSrV0dzYVXnCuT1l3Pa FO2Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:mime-version :dkim-signature; bh=i5GFJDUW3MHlNrfhyC5VB4ESUR3+JVE/rcjBTTcA06g=; fh=QrRqtVFuHxGe+s1ZMVE2Z0yJ7G3uTdAEcUJIrBcf4wE=; b=Iy8Quds6RQiVIzenrz1R/m4jxNE5Os7n11sl024rsEOvCWFYGSDXzU3zCezWnrkkpV FmGf2eZwXzogVmGZVDjSvIm70YA2uWLa98DLiSFcJ08Z7EDf94HO9JoHIfL4gf4KHwv7 ok8jUxluYRhvKXwLxt8TX4+xK1ObVPDljhyGzFpg7CGb31UWrur25spMdI4ZMoEzc41E GZPd9oMgTq5cnmIfyvJTZ7GWypJ+qGYA1FOfsKnwcO1ASU/79si55flM4yAxN/MM1ziq Nvg7FtHwHmTVJD50kh7h1sBTwLHnpwVOX6X0zuOUzIsTZcJoFgESw6lQNHKVwiAYQDQW nZbA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=uey2PQoq; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from lipwig.vger.email (lipwig.vger.email. [2620:137:e000::3:3]) by mx.google.com with ESMTPS id d4-20020a056a0010c400b006cb835b9f7esi10594099pfu.268.2023.11.27.13.54.39 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 27 Nov 2023 13:54:39 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) client-ip=2620:137:e000::3:3; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=uey2PQoq; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by lipwig.vger.email (Postfix) with ESMTP id 6D371809E211; Mon, 27 Nov 2023 13:54:37 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at lipwig.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233332AbjK0VyW (ORCPT + 99 others); Mon, 27 Nov 2023 16:54:22 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56410 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231437AbjK0VyV (ORCPT ); Mon, 27 Nov 2023 16:54:21 -0500 Received: from mail-ed1-x530.google.com (mail-ed1-x530.google.com [IPv6:2a00:1450:4864:20::530]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E317AC1 for ; Mon, 27 Nov 2023 13:54:27 -0800 (PST) Received: by mail-ed1-x530.google.com with SMTP id 4fb4d7f45d1cf-54744e66d27so822a12.0 for ; Mon, 27 Nov 2023 13:54:27 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1701122066; x=1701726866; darn=vger.kernel.org; h=cc:to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=i5GFJDUW3MHlNrfhyC5VB4ESUR3+JVE/rcjBTTcA06g=; b=uey2PQoqD4VqWR8DtFOJQMKnRAkh4NFPlOJ3yMXBQmMtS9eqfTKTaY8QyL1tfVAnUu mPBZSZvZ8boQx9NASvxQKy2fsIBX2jUiEFiURbV40NQsVowO65V7qhBeWjhQ/OQ29S/Q J0qjgPfBPiMsgYY8RNMykYngpX/Ls5cA5pGvFTC6if3jIfNHxCFvOV/Aw7P8g5EpVwV+ R+CV+PviWjPc4H76jaYqvMR+FIjZTotb5MkD+k5ADWS68ZaTwchqv8se44BS64VP9Q94 DM4sP5BOyocPYpyBiJEdTArDxmdjV17fpkalTPSLeJmFqtSBz2L2VZ5Tt1QxjnH5aCZ5 UbCA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701122066; x=1701726866; h=cc:to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=i5GFJDUW3MHlNrfhyC5VB4ESUR3+JVE/rcjBTTcA06g=; b=mgWVFgoKupTnsGL3EC3iS9XkSdqD3sZBofIMNW8YmG4Xr/IgZ37fLSciy83UeN3Xvu zxTaiwlluR+h8SfX35CUoxET5o+V0fLkrQpteipKxfryQJp+Ld3jf/jNLtrc5oBuy+6h 155KfiSIYbW7WUHtNVMfNA57ixUjRk6/HCWE+JVVOz70UySde9Ocyp/N2K7+bVukv1AG kS696kt1VFIE1XkrySQUXhjTQ40+fP4a8jilv1qcHCRZg5HSy/V/GwjaT0d5V8Fk0m2f PiMxkfLbU2lCvYMWBFSabQK1TSPZ5RZNLO1jBfZLJxSR0TEkwZi2h4lHWjBkSaawuKyr EpmQ== X-Gm-Message-State: AOJu0Yw1Lc/iZ3PwY2BqFGjBRwCRXWBubqO5sViIA9RHIJQhTITVXMG5 KAhFeVlAtFaTIIctonj5QCthpL0ZMQJ2kN/bM8q2EKXT3jmG6ovtNWaROBqB X-Received: by 2002:a05:6402:3510:b0:54b:2abd:ad70 with SMTP id b16-20020a056402351000b0054b2abdad70mr280820edd.7.1701122066260; Mon, 27 Nov 2023 13:54:26 -0800 (PST) MIME-Version: 1.0 From: Jann Horn Date: Mon, 27 Nov 2023 22:53:48 +0100 Message-ID: Subject: io_uring: risky use of task work, especially wrt fdget() To: Jens Axboe , Pavel Begunkov Cc: io-uring , kernel list Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-8.4 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE, USER_IN_DEF_DKIM_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Mon, 27 Nov 2023 13:54:37 -0800 (PST) Hi! I noticed something that I think does not currently cause any significant security issues, but could be problematic in the future: io_uring sometimes processes task work in the middle of syscalls, including between fdget() and fdput(). My understanding of task work is that it is expected to run in a context similar to directly at syscall entry/exit: task context, no locks held, sleeping is okay, and it doesn't execute in the middle of some syscall that expects private state of the task_struct to stay the same. An example of another user of task work is the keyring subsystem, which does task_work_add() in keyctl_session_to_parent() to change the cred pointers of another task. Several places in io_uring process task work while holding an fdget() reference to some file descriptor. For example, the io_uring_enter syscall handler calls io_iopoll_check() while the io_ring_ctx is only referenced via fdget(). This means that if there were another kernel subsystem that uses task work to close file descriptors, io_uring would become unsafe. And io_uring does _almost_ that itself, I think: io_queue_worker_create() can be run on a workqueue, and uses task work to launch a worker thread from the context of a userspace thread; and this worker thread can then accept commands to close file descriptors. Except it doesn't accept commands to close io_uring file descriptors. A closer miss might be io_sync_cancel(), which holds a reference to some normal file with fdget()/fdput() while calling into io_run_task_work_sig(). However, from what I can tell, the only things that are actually done with this file pointer are pointer comparisons, so this also shouldn't have significant security impact. Would it make sense to use fget()/fput() instead of fdget()/fdput() in io_sync_cancel(), io_uring_enter and io_uring_register? These functions probably usually run in multithreaded environments anyway (thanks to the io_uring worker threads), so I would think fdget() shouldn't bring significant performance savings here?