Received: by 2002:a05:7412:419a:b0:f3:1519:9f41 with SMTP id i26csp3966728rdh; Tue, 28 Nov 2023 08:19:19 -0800 (PST) X-Google-Smtp-Source: AGHT+IHCKwE9MQp8VAUgjjLkKft8O7xWohPRhfv8QMElPsjTeWNohYQXtpfGTvU+iR2c3Ll2+oIb X-Received: by 2002:a17:90b:3d2:b0:27d:8a04:f964 with SMTP id go18-20020a17090b03d200b0027d8a04f964mr18682589pjb.24.1701188358819; Tue, 28 Nov 2023 08:19:18 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1701188358; cv=none; d=google.com; s=arc-20160816; b=mlEP/N/tfb2EazryFuLKkoRSiKIEhoTdbuIUlO9vc8ZctLPjB7MufRHm8RAnaxXs/r t0VPsuQ04CV/8apF+MIo6ZQ7e5hF6vkixDjfcBUvoEPw7eRx9rETe2pZPZrO5kzWqS3M IsALcXTc6KwxO2wzOHBQmFcUqUMM75EzPL1NRNaRRPxSYEy4JxrNzy16NaRqQXUgHViw zCUok38neCh8SRZMX595WgPP5dW803lDE0Vr1/pjSrEt3JCQpYUWd95+Ggf0bRxxJMVu iY7t2dBtuk62iNB0LuRdQI2Jo2la2XSfBSwIdkcHpKquif3GRlCsJnH4s4/KiKMQXa0T Iskg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:references :cc:to:from:content-language:subject:user-agent:mime-version:date :message-id:dkim-signature; bh=fJ9CvBFLcS4e8dYxcVCJmKmG4rKyLYxn+rJAYEOUpJo=; fh=VUL/ECkOX+BkSJ+FINYenTQ70tG+/BQgesrqPc+2cNo=; b=kwGqZ3OexcLxM0yiv4Mh4DQqdc3HB/BoPWmjReKbF4O834taz+yDcw+cX2EPHRmdxy M3BJvIUkrXoa91HxmMHKMnTGmf69M82rdOOceifUpvHETrbFR/5wPKksjnIL6TDZ9wC9 YmAwB9HkdQ/sq/WBALXI0Y9aiHqtvzI+kOQI9EG37EWo/apMQLireDfPCA19QzXahP3G ot1K9hLhMpnJcq5cxKRCNbDsnES8xwmamw+ua+8qeFBYk+pZEroq2pcO0m0NFhndcMoq Pq3LLbgTwGQowAf8YrWwICC+WCP9x1uKvxjfo6PQVThiqC8biyjRgM85j85Ix8aovWt1 QxUw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel-dk.20230601.gappssmtp.com header.s=20230601 header.b=cyTXT8+C; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from snail.vger.email (snail.vger.email. [23.128.96.37]) by mx.google.com with ESMTPS id w18-20020a17090aea1200b0027769032e57si13049735pjy.52.2023.11.28.08.19.18 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 28 Nov 2023 08:19:18 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) client-ip=23.128.96.37; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel-dk.20230601.gappssmtp.com header.s=20230601 header.b=cyTXT8+C; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by snail.vger.email (Postfix) with ESMTP id 84B12806CF60; Tue, 28 Nov 2023 08:19:17 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at snail.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344168AbjK1QTE (ORCPT + 99 others); Tue, 28 Nov 2023 11:19:04 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39206 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232890AbjK1QTB (ORCPT ); Tue, 28 Nov 2023 11:19:01 -0500 Received: from mail-io1-xd35.google.com (mail-io1-xd35.google.com [IPv6:2607:f8b0:4864:20::d35]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 22A02D5D for ; Tue, 28 Nov 2023 08:19:07 -0800 (PST) Received: by mail-io1-xd35.google.com with SMTP id ca18e2360f4ac-7b03ed4463bso36406439f.1 for ; Tue, 28 Nov 2023 08:19:07 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel-dk.20230601.gappssmtp.com; s=20230601; t=1701188346; x=1701793146; darn=vger.kernel.org; h=content-transfer-encoding:in-reply-to:references:cc:to:from :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=fJ9CvBFLcS4e8dYxcVCJmKmG4rKyLYxn+rJAYEOUpJo=; b=cyTXT8+CIdwDCvdZB9gr6Mh1t143QT37aKkTAA6+0Krzmkz9MIwfccCY6osXAEFqme ER/jNpL/iFBfzsTZmIaQl/ypXDD8nfFyRmVJxOer+0+nZSR59y8lTYjxvLHgRrmQ3a9S nVX6UZQ7kdcWNYtSpdzwMbPUSoFSxtIxo1rKhXcT4ZvsWmeouu8WTqt/mrqBfrsYfEAg +KL1zA1207D4kfPVJ3YXmg5+tlHL1I0K5SXIbee3W967tx5hlrGbTCv6vH/MJrIjZI7b PZrL/fhmZcoMyrqaSTQ4B/0xL8YAuwv7JEhQhqoanwH1t5c1HdcpTulmaI8TJWI2jWqo 12LQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701188346; x=1701793146; h=content-transfer-encoding:in-reply-to:references:cc:to:from :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=fJ9CvBFLcS4e8dYxcVCJmKmG4rKyLYxn+rJAYEOUpJo=; b=WOtzFtecBbtMrR/fEZLFsPft9LRcfG8iYfVl5N2nvnC2TSmn6s89jGOVJMB7l+QmEK cY/WngfImjfANDm6vg3wBFhXk1D1YIQcxwWIdlpaZHdnwBCy6DJ9cWHIH8Mrn8tEWdqh vwnRKK9h+PASR9+Syl2XJM7Im42A3nPGmzODF4rpqB4j+cCrdjiy7ZmXa7+cw4L6uT8V U1aowyoewnAynPStAjPHPcGZyieJCQ3C0yPYoqZ9PID6ZaOSMiicFmodWw+cKqolQALc zLNxb7dfyuUMHHslNV2rchZRUTbqHBexqXaXSl8XM7Ht328aRdoT+jTpwYVaidBucioV U8VQ== X-Gm-Message-State: AOJu0Yz0wkE6NPWaaMOTDgqQBUp39givzAYLondDEsSfFvs6WSx5Z5me 6ZNKSQkqjcPyG2DrdHeMMxaKC8/3jzK7O/2RtSioxQ== X-Received: by 2002:a5d:8b98:0:b0:790:958e:a667 with SMTP id p24-20020a5d8b98000000b00790958ea667mr16809490iol.2.1701188346297; Tue, 28 Nov 2023 08:19:06 -0800 (PST) Received: from [192.168.1.116] ([96.43.243.2]) by smtp.gmail.com with ESMTPSA id q7-20020a02c8c7000000b00451b5feb80fsm2931488jao.8.2023.11.28.08.19.05 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 28 Nov 2023 08:19:05 -0800 (PST) Message-ID: Date: Tue, 28 Nov 2023 09:19:04 -0700 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: io_uring: risky use of task work, especially wrt fdget() Content-Language: en-US From: Jens Axboe To: Jann Horn , Pavel Begunkov Cc: io-uring , kernel list References: In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]); Tue, 28 Nov 2023 08:19:17 -0800 (PST) On 11/28/23 8:58 AM, Jens Axboe wrote: > On 11/27/23 2:53 PM, Jann Horn wrote: >> Hi! >> >> I noticed something that I think does not currently cause any >> significant security issues, but could be problematic in the future: >> >> io_uring sometimes processes task work in the middle of syscalls, >> including between fdget() and fdput(). My understanding of task work >> is that it is expected to run in a context similar to directly at >> syscall entry/exit: task context, no locks held, sleeping is okay, and >> it doesn't execute in the middle of some syscall that expects private >> state of the task_struct to stay the same. >> >> An example of another user of task work is the keyring subsystem, >> which does task_work_add() in keyctl_session_to_parent() to change the >> cred pointers of another task. >> >> Several places in io_uring process task work while holding an fdget() >> reference to some file descriptor. For example, the io_uring_enter >> syscall handler calls io_iopoll_check() while the io_ring_ctx is only >> referenced via fdget(). This means that if there were another kernel >> subsystem that uses task work to close file descriptors, io_uring >> would become unsafe. And io_uring does _almost_ that itself, I think: >> io_queue_worker_create() can be run on a workqueue, and uses task work >> to launch a worker thread from the context of a userspace thread; and >> this worker thread can then accept commands to close file descriptors. >> Except it doesn't accept commands to close io_uring file descriptors. >> >> A closer miss might be io_sync_cancel(), which holds a reference to >> some normal file with fdget()/fdput() while calling into >> io_run_task_work_sig(). However, from what I can tell, the only things >> that are actually done with this file pointer are pointer comparisons, >> so this also shouldn't have significant security impact. >> >> Would it make sense to use fget()/fput() instead of fdget()/fdput() in >> io_sync_cancel(), io_uring_enter and io_uring_register? These >> functions probably usually run in multithreaded environments anyway >> (thanks to the io_uring worker threads), so I would think fdget() >> shouldn't bring significant performance savings here? > > Let me run some testing on that. It's a mistake to think that it's > usually multithreaded, generally if you end up using io-wq then it's not > a fast path. A fast networked setup, for example, would never touch the > threads and hence no threading would be implied by using io_uring. Ditto > on the storage front, if you're just reading/writing or eg doing polled > IO. That said, those workloads are generally threaded _anyway_ - not > because of io_uring, but because that's how these kinds of workloads are > written to begin with. > > So probably won't be much of a concern to do the swap. The only > "interesting" part of the above mix of cancel/register/enter is > obviously the enter part. The rest are not really fast path. Did all three and ran the usual testing, which just so happens to be multithreaded to begin with anyway. No discernable change from using fget/fput over fdget/fdput. IOW, we may as well do this. Do you want to send a patch? Or I can send out mine, up to you. -- Jens Axboe