tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

io_uring: only allow submit from owning task

If the credentials or the mm doesn't match, don't allow the task to
submit anything on behalf of this ring. The task that owns the ring can
pass the file descriptor to another task, but we don't want to allow
that task to submit an SQE that then assumes the ring mm and creds if
it needs to go async.

Cc: stable@vger.kernel.org
Suggested-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

Jens Axboe 44d28279 11ba820b

options
unified split
Changed files
+6
fs
io_uring.c
+6
fs/io_uring.c
··· 5159 5159 } else if (to_submit) { 5160 5160 struct mm_struct *cur_mm; 5161 5161 5162 + if (current->mm != ctx->sqo_mm || 5163 + current_cred() != ctx->creds) { 5164 + ret = -EPERM; 5165 + goto out; 5166 + } 5167 + 5162 5168 to_submit = min(to_submit, ctx->sq_entries); 5163 5169 mutex_lock(&ctx->uring_lock); 5164 5170 /* already have mm, so io_submit_sqes() won't try to grab it */