[RFC] migrating mm

[RFC] migrating mm

[Pavel Begunkov]

There is a case I'm not sure about, but which bothers me.
What would happen, if we try to use io_uring with offloading (i.e.
IORING_SETUP_SQPOLL), after its creator is gone? The thing is that
io_sq_thread() is getting mm by using ctx->sqo_mm, which is current->mm
of the creator process, which potentially may be released.


The case in mind:
let: @parent has a @child process

@child:
    uring_fd = io_uring_create(IORING_SETUP_SQPOLL)
    pass_fd_via_pipe(uring_fd, to=@parent);
    exit()

@parent:
    uring_fd = get_fd_from_pipe()
    wait(@child)

    sqe = create_sqe_which_needs_mm();
    io_submit_sqe(uring_fd, sqe)
    // io_uring tries to grab mm of @child, which is gone.



What do you think?

-- 
Pavel Begunkov

Re: [RFC] migrating mm

[Pavel Begunkov]

On 11/12/2019 2:14 PM, Pavel Begunkov wrote:
> There is a case I'm not sure about, but which bothers me.
> What would happen, if we try to use io_uring with offloading (i.e.
> IORING_SETUP_SQPOLL), after its creator is gone? The thing is that
> io_sq_thread() is getting mm by using ctx->sqo_mm, which is current->mm
> of the creator process, which potentially may be released.
> 

Please ignore this. The answer is obvious, I just missed
mmgrab(current->mm) right at the beginning of io_sq_offload_start().


> 
> The case in mind:
> let: @parent has a @child process
> 
> @child:
>     uring_fd = io_uring_create(IORING_SETUP_SQPOLL)
>     pass_fd_via_pipe(uring_fd, to=@parent);
>     exit()
> 
> @parent:
>     uring_fd = get_fd_from_pipe()
>     wait(@child)
> 
>     sqe = create_sqe_which_needs_mm();
>     io_submit_sqe(uring_fd, sqe)
>     // io_uring tries to grab mm of @child, which is gone.
> 
> 
> 
> What do you think?
>