io_uring: only allow submit from owning task

If the credentials or the mm doesn't match, don't allow the task to
submit anything on behalf of this ring. The task that owns the ring can
pass the file descriptor to another task, but we don't want to allow
that task to submit an SQE that then assumes the ring mm and creds if
it needs to go async.

Cc: stable@vger.kernel.org
Suggested-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 52e5764540e4548820a5dc91471ce13fd42bc007..187dd94fd6b124a15a45c16ee68142b08b7f52c9 100644 (file)
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -5159,6 +5159,12 @@ SYSCALL_DEFINE6(io_uring_enter, unsigned int, fd, u32, to_submit,
        } else if (to_submit) {
                struct mm_struct *cur_mm;
 
+               if (current->mm != ctx->sqo_mm ||
+                   current_cred() != ctx->creds) {
+                       ret = -EPERM;
+                       goto out;
+               }
+
                to_submit = min(to_submit, ctx->sq_entries);
                mutex_lock(&ctx->uring_lock);
                /* already have mm, so io_submit_sqes() won't try to grab it */