| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 16 Sep 2020 11:53:55 +0800
From: 朱寅寅 <zhuyinyin@...edance.com>
To: Jens Axboe <axboe@...nel.dk>
Cc: viro@...iv.linux.org.uk, linux-fsdevel@...r.kernel.org,
linux-block@...r.kernel.org, linux-kernel@...r.kernel.org,
宋牧春 <songmuchun@...edance.com>,
duanxiongchun <duanxiongchun@...edance.com>,
朱寅寅 <zhuyinyin@...edance.com>
Subject: Re: [External] Re: [PATCH] io_uring: fix the bug of child process
can't do io task
Dear Jens Axboe:
Thanks for your reply. Yeah,My approach indeed has a problem as you
said. Yours is obviously better than mine.
But I think your approach is not perfect , still has a problem. Think
that same case I mentioned before, when parent
process Setup an io_uring instance with the flag of
IORING_SETUP_SQPOLL, means the sqo_thread is created,
and ctx->sqo_mm is assigned to the parent process's mm. Then the
parent process forks a child process. Of course ,
the child process inherits the fd of io_uring instance.
Then the child process submits an io task without ever context
switching into kernel. So the sqo_thead even doesn't
know whether the parent process has submit the io task or the child
one, it just use the ctx->sqo_mm as its mm,
but ctx->sqo_mm is the parent process's, not child process's, so the
problem occurred again.
Two more things:
1、I think 5.9 also has this problem -- "sqo_thread doesn't know who
has submit the io task, it will use wrong mm"
2、Attachment of this mail is the test application. If the child
process exits quickly, the problem is occured.
On Tue, Sep 15, 2020 at 9:36 PM Jens Axboe <axboe@...nel.dk> wrote:
>
> On 9/15/20 7:25 AM, Jens Axboe wrote:
> > On 9/15/20 7:02 AM, Yinyin Zhu wrote:
> >> when parent process setup a io_uring_instance, the ctx->sqo_mm was
> >> assigned of parent process'mm. Then it fork a child
> >> process. So the child process inherits the io_uring_instance fd from
> >> parent process. Then the child process submit a io task to the io_uring
> >> instance. The kworker will do the io task actually, and use
> >> the ctx->sqo_mm as its mm, but this ctx->sqo_mm is parent process's mm,
> >> not the child process's mm. so child do the io task unsuccessfully. To
> >> fix this bug, when a process submit a io task to the kworker, assign the
> >> ctx->sqo_mm with this process's mm.
> >
> > Hmm, what's the test case for this? There's a 5.9 regression where we
> > don't always grab the right context for certain linked cases, below
> > is the fix. Does that fix your case?
>
> Ah hang on, you're on the 5.4 code base... I think this is a better
> approach. Any chance you can test it?
>
> The problem with yours is that you can have multiple pending async
> ones, and you can't just re-assign ctx->sqo_mm. That one should only
> be used by the SQPOLL thread.
>
>
> diff --git a/fs/io_uring.c b/fs/io_uring.c
> index 2a539b794f3b..e8a4b4ae7006 100644
> --- a/fs/io_uring.c
> +++ b/fs/io_uring.c
> @@ -514,7 +514,7 @@ static inline void io_queue_async_work(struct io_ring_ctx *ctx,
> }
> }
>
> - req->task = current;
> + req->task = get_task_struct(current);
>
> spin_lock_irqsave(&ctx->task_lock, flags);
> list_add(&req->task_list, &ctx->task_list);
> @@ -1832,6 +1832,7 @@ static void io_poll_complete_work(struct work_struct *work)
> spin_unlock_irq(&ctx->completion_lock);
>
> io_cqring_ev_posted(ctx);
> + put_task_struct(req->task);
> io_put_req(req);
> out:
> revert_creds(old_cred);
> @@ -2234,11 +2235,11 @@ static void io_sq_wq_submit_work(struct work_struct *work)
>
> ret = 0;
> if (io_req_needs_user(req) && !cur_mm) {
> - if (!mmget_not_zero(ctx->sqo_mm)) {
> + if (!mmget_not_zero(req->task->mm)) {
> ret = -EFAULT;
> goto end_req;
> } else {
> - cur_mm = ctx->sqo_mm;
> + cur_mm = req->task->mm;
> use_mm(cur_mm);
> old_fs = get_fs();
> set_fs(USER_DS);
> @@ -2275,6 +2276,7 @@ static void io_sq_wq_submit_work(struct work_struct *work)
> }
>
> /* drop submission reference */
> + put_task_struct(req->task);
> io_put_req(req);
>
> if (ret) {
>
> --
> Jens Axboe
>
View attachment "test_fork.txt" of type "text/plain" (2425 bytes)
Powered by blists - more mailing lists