From: Pavel Begunkov asml.silence@gmail.com
mainline inclusion from mainline-5.9-rc1 commit d3cac64c498c4fb2df46b97ee6f4c7d6d75f5e3d category: feature bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=27 CVE: NA ---------------------------
__io_queue_sqe() tries to handle all requests of a link, so it's not enough to grab mm in io_sq_thread_acquire_mm() based just on the head.
Don't check req->needs_mm and do it always.
Signed-off-by: Pavel Begunkov asml.silence@gmail.com
Conflicts: fs/io_uring.c
Signed-off-by: yangerkun yangerkun@huawei.com Reviewed-by: zhangyi (F) yi.zhang@huawei.com Signed-off-by: Cheng Jian cj.chengjian@huawei.com --- fs/io_uring.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index a8218ff4df42..a3de263431df 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -4294,10 +4294,9 @@ static void io_sq_thread_drop_mm(void)
 }
 }
-static int io_sq_thread_acquire_mm(struct io_ring_ctx *ctx,
- struct io_kiocb *req)
+static int __io_sq_thread_acquire_mm(struct io_ring_ctx *ctx)
 {
- if (io_op_defs[req->opcode].needs_mm && !current->mm) {
+ if (!current->mm) {
 if (unlikely(!mmget_not_zero(ctx->sqo_mm)))
 return -EFAULT;
 use_mm(ctx->sqo_mm);
@@ -4306,6 +4305,14 @@ static int io_sq_thread_acquire_mm(struct io_ring_ctx *ctx,
 return 0;
 }
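Review bot: After this change `if (!current->mm)` alone decides whether `__io_sq_thread_acquire_mm()` pins and adopts `ctx->sqo_mm`, and the function has no comment saying what that test stands for or where the reference taken by `mmget_not_zero()` is released. I would add a header comment along the lines of `/* Adopt the ring owner's mm when running without one (presumably the SQ thread); paired with io_sq_thread_drop_mm(). */`. The pairing with `io_sq_thread_drop_mm()` is inferred from the neighbouring function named in the hunk header and should be confirmed, since an unbalanced `mmget` would keep the submitter's address space alive. The function body continues past the end of this hunk.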
+static int io_sq_thread_acquire_mm(struct io_ring_ctx *ctx,
+ struct io_kiocb *req)
+{
+ if (!io_op_defs[req->opcode].needs_mm)
+ return 0;
+ return __io_sq_thread_acquire_mm(ctx);
+}
+
 static void io_async_task_func(struct callback_head *cb)
 {
 struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
@@ -4344,7 +4351,7 @@ static void io_async_task_func(struct callback_head *cb)
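Review bot: The retained `io_sq_thread_acquire_mm()` wrapper still decides from `req->opcode` alone, which is the behaviour the commit message calls insufficient when a link is issued, yet nothing at the definition warns a future caller about that. A comment above it such as `/* Only for paths that issue req by itself; use __io_sq_thread_acquire_mm() when the rest of a link may run. */` would record the rule. The call switched in the last hunk, in `io_async_task_func()`, deserves the matching one-liner `/* the whole link may be issued from here, so req's needs_mm is not enough */`. Other callers of the wrapper are not visible in this patch and are worth checking against the same rule.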
if (!canceled) {
 __set_current_state(TASK_RUNNING);
- if (io_sq_thread_acquire_mm(ctx, req)) {
+ if (__io_sq_thread_acquire_mm(ctx)) {
 io_cqring_add_event(req, -EFAULT);
 goto end_req;
 }