| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5jvih6bn7pv5p4btf65bvuxnnt4hli7gf2zlibejyjswmnk5dg@xwfuf3womp5b> Date: Wed, 27 Nov 2024 15:23:51 -0500 From: Kent Overstreet <kent.overstreet@...ux.dev> To: Jann Horn <jannh@...gle.com> Cc: linux-bcachefs@...r.kernel.org, kernel list <linux-kernel@...r.kernel.org>, Jens Axboe <axboe@...nel.dk>, Pavel Begunkov <asml.silence@...il.com>, io-uring <io-uring@...r.kernel.org> Subject: Re: bcachefs: suspicious mm pointer in struct dio_write On Wed, Nov 27, 2024 at 05:57:03PM +0100, Jann Horn wrote: > Hi! > > In fs/bcachefs/fs-io-direct.c, "struct dio_write" contains a pointer > to an mm_struct. This pointer is grabbed in bch2_direct_write() > (without any kind of refcount increment), and used in > bch2_dio_write_continue() for kthread_use_mm()/kthread_unuse_mm() > which are used to enable userspace memory access from kthread context. > I believe kthread_use_mm()/kthread_unuse_mm() require that the caller > guarantees that the MM hasn't gone through exit_mmap() yet (normally > by holding an mmget() reference). > > If we reach this codepath via io_uring, do we have a guarantee that > the mm_struct that called bch2_direct_write() is still alive and > hasn't yet gone through exit_mmap() when it is accessed from > bch2_dio_write_continue()? > > I don't know the async direct I/O codepath particularly well, so I > cc'ed the uring maintainers, who probably know this better than me. I don't know about io_uring but aio guarantees that outstanding kiocbs are completed before exiting the mm_struct - I would expect some sort of similar guarantee to hold, because otherwise where are we going to deliver the completion?
Powered by blists - more mailing lists