io_uring: ensure consistent view of original task ->mm from SQPOLL (4b70cf9d) · Commits · 戴 / test

Ensure we get a valid view of the task mm, by using task_lock() when attempting to grab the original task mm. Reported-by:

<syzbot+b57abf7ee60829090495@syzkaller.appspotmail.com> Fixes: ("io_uring: stash ctx task reference for SQPOLL") Signed-off-by:

fs/io_uring.c

+20 −7

Original line number	Diff line number	Diff line
		@@ -995,22 +995,35 @@ static void io_sq_thread_drop_mm(void)
		if (mm) {
		kthread_unuse_mm(mm);
		mmput(mm);
		current->mm = NULL;
		}
		}

		static int __io_sq_thread_acquire_mm(struct io_ring_ctx *ctx)
		{
		if (!current->mm) {
		if (unlikely(!(ctx->flags & IORING_SETUP_SQPOLL) \|\|
		!ctx->sqo_task->mm \|\|
		!mmget_not_zero(ctx->sqo_task->mm)))
		struct mm_struct *mm;

		if (current->mm)
		return 0;

		/* Should never happen */
		if (unlikely(!(ctx->flags & IORING_SETUP_SQPOLL)))
		return -EFAULT;
		kthread_use_mm(ctx->sqo_task->mm);
		}

		task_lock(ctx->sqo_task);
		mm = ctx->sqo_task->mm;
		if (unlikely(!mm \|\| !mmget_not_zero(mm)))
		mm = NULL;
		task_unlock(ctx->sqo_task);

		if (mm) {
		kthread_use_mm(mm);
		return 0;
		}

		return -EFAULT;
		}

		static int io_sq_thread_acquire_mm(struct io_ring_ctx *ctx,
		struct io_kiocb *req)
		{