Commit 77788775 authored by Jens Axboe

io_uring: don't assume mm is constant across submits



If we COW the identity, we assume that ->mm never changes. But this
isn't true if multiple processes end up sharing the ring. Hence treat
id->mm like any other process component when it comes to the
identity mapping. This is pretty trivial, just moving the existing grab
into io_grab_identity(), and including a check for the match.

Cc: stable@vger.kernel.org # 5.10
Fixes: 1e6fa521 ("io_uring: COW io_identity on mismatch")
Reported-by: Christian Brauner <christian.brauner@ubuntu.com>
Tested-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
parent 5c8fe583
+7 −7
@@ -1501,6 +1501,13 @@ static bool io_grab_identity(struct io_kiocb *req)
		spin_unlock_irq(&ctx->inflight_lock);
		req->work.flags |= IO_WQ_WORK_FILES;
	}
	if (!(req->work.flags & IO_WQ_WORK_MM) &&
	    (def->work_flags & IO_WQ_WORK_MM)) {
		if (id->mm != current->mm)
			return false;
		mmgrab(id->mm);
		req->work.flags |= IO_WQ_WORK_MM;
	}

	return true;
}
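Review bot: The `if (id->mm != current->mm) return false;` check in io_grab_identity() has no comment, and the only comment that spoke about ->mm ("->mm can never change on us") is dropped by the other hunk. A one-line comment on this block saying that the ring may be shared between processes, so id->mm has to match current->mm like the other identity components, would keep the reasoning from the commit message next to the code. The check also sits after the block that sets IO_WQ_WORK_FILES, so a mismatch returns false with that flag already set; it would help to note that the regrab relies on the per-flag tests to skip what was already taken.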
@@ -1525,13 +1532,6 @@ static void io_prep_async_work(struct io_kiocb *req)
			req->work.flags |= IO_WQ_WORK_UNBOUND;
	}

	/* ->mm can never change on us */
	if (!(req->work.flags & IO_WQ_WORK_MM) &&
	    (def->work_flags & IO_WQ_WORK_MM)) {
		mmgrab(id->mm);
		req->work.flags |= IO_WQ_WORK_MM;
	}

	/* if we fail grabbing identity, we must COW, regrab, and retry */
	if (io_grab_identity(req))
		return;
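Review bot: With the unconditional mmgrab(id->mm) removed from io_prep_async_work(), taking the mm reference depends entirely on the "COW, regrab, and retry" path that follows the first io_grab_identity() call. The regrab runs into the same id->mm != current->mm test, so the COW step has to set the new identity's mm to current->mm before retrying, otherwise the retry fails the same check. That code is outside the visible lines; please confirm it, and consider extending the comment at the call site to mention mm alongside the other identity components.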