git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob

   1 From be8046cd68b521f8e5e2744b4e226e4ab10854b5 Mon Sep 17 00:00:00 2001
   2 From: Sasha Levin <sashal@kernel.org>
   3 Date: Mon, 2 Nov 2020 10:39:05 -0700
   4 Subject: io_uring: ensure consistent view of original task ->mm from SQPOLL
   5
   6 From: Jens Axboe <axboe@kernel.dk>
   7
   8 [ Upstream commit 4b70cf9dea4cd239b425f3282fa56ce19e234c8a ]
   9
  10 Ensure we get a valid view of the task mm, by using task_lock() when
  11 attempting to grab the original task mm.
  12
  13 Reported-by: syzbot+b57abf7ee60829090495@syzkaller.appspotmail.com
  14 Fixes: 2aede0e417db ("io_uring: stash ctx task reference for SQPOLL")
  15 Signed-off-by: Jens Axboe <axboe@kernel.dk>
  16 Signed-off-by: Sasha Levin <sashal@kernel.org>
  17 ---
  18  fs/io_uring.c | 27 ++++++++++++++++++++-------
  19  1 file changed, 20 insertions(+), 7 deletions(-)
  20
  21 diff --git a/fs/io_uring.c b/fs/io_uring.c
  22 index 1033e0e18f24f..2d5ca9476814d 100644
  23 --- a/fs/io_uring.c
  24 +++ b/fs/io_uring.c
  25 @@ -952,20 +952,33 @@ static void io_sq_thread_drop_mm(void)
  26         if (mm) {
  27                 kthread_unuse_mm(mm);
  28                 mmput(mm);
  29 +               current->mm = NULL;
  30         }
  31  }
  32
  33  static int __io_sq_thread_acquire_mm(struct io_ring_ctx *ctx)
  34  {
  35 -       if (!current->mm) {
  36 -               if (unlikely(!(ctx->flags & IORING_SETUP_SQPOLL) ||
  37 -                            !ctx->sqo_task->mm ||
  38 -                            !mmget_not_zero(ctx->sqo_task->mm)))
  39 -                       return -EFAULT;
  40 -               kthread_use_mm(ctx->sqo_task->mm);
  41 +       struct mm_struct *mm;
  42 +
  43 +       if (current->mm)
  44 +               return 0;
  45 +
  46 +       /* Should never happen */
  47 +       if (unlikely(!(ctx->flags & IORING_SETUP_SQPOLL)))
  48 +               return -EFAULT;
  49 +
  50 +       task_lock(ctx->sqo_task);
  51 +       mm = ctx->sqo_task->mm;
  52 +       if (unlikely(!mm || !mmget_not_zero(mm)))
  53 +               mm = NULL;
  54 +       task_unlock(ctx->sqo_task);
  55 +
  56 +       if (mm) {
  57 +               kthread_use_mm(mm);
  58 +               return 0;
  59         }
  60
  61 -       return 0;
  62 +       return -EFAULT;
  63  }
  64
  65  static int io_sq_thread_acquire_mm(struct io_ring_ctx *ctx,
  66 --
  67 2.27.0
  68