io_uring: reference ->nsproxy for file table commands

If we don't get and assign the namespace for the async work, then certain
paths just don't work properly (like /dev/stdin, /proc/mounts, etc).
Anything that references the current namespace of the given task should
be assigned for async work on behalf of that task.

Cc: stable@vger.kernel.org # v5.5+
Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/fs/io-wq.c b/fs/io-wq.c
index 414beb5438836cf4c28935bbdfd376e74078e19f..09e20bbf0d37fd77e6a854a0f9b77e3d3e4eb6c0 100644 (file)
--- a/fs/io-wq.c
+++ b/fs/io-wq.c
@@ -60,6 +60,7 @@ struct io_worker {
        const struct cred *cur_creds;
        const struct cred *saved_creds;
        struct files_struct *restore_files;
+       struct nsproxy *restore_nsproxy;
        struct fs_struct *restore_fs;
 };
 
@@ -153,6 +154,7 @@ static bool __io_worker_unuse(struct io_wqe *wqe, struct io_worker *worker)
 
                task_lock(current);
                current->files = worker->restore_files;
+               current->nsproxy = worker->restore_nsproxy;
                task_unlock(current);
        }
 
@@ -318,6 +320,7 @@ static void io_worker_start(struct io_wqe *wqe, struct io_worker *worker)
 
        worker->flags |= (IO_WORKER_F_UP | IO_WORKER_F_RUNNING);
        worker->restore_files = current->files;
+       worker->restore_nsproxy = current->nsproxy;
        worker->restore_fs = current->fs;
        io_wqe_inc_running(wqe, worker);
 }
@@ -454,6 +457,7 @@ static void io_impersonate_work(struct io_worker *worker,
        if (work->files && current->files != work->files) {
                task_lock(current);
                current->files = work->files;
+               current->nsproxy = work->nsproxy;
                task_unlock(current);
        }
        if (work->fs && current->fs != work->fs)

diff --git a/fs/io-wq.h b/fs/io-wq.h
index ddaf9614cf9bc180e7beab75dd10ad04d3707901..2519830c8c55c0085fc8d7f2e5720056d597d767 100644 (file)
--- a/fs/io-wq.h
+++ b/fs/io-wq.h
@@ -88,6 +88,7 @@ struct io_wq_work {
        struct files_struct *files;
        struct mm_struct *mm;
        const struct cred *creds;
+       struct nsproxy *nsproxy;
        struct fs_struct *fs;
        unsigned long fsize;
        unsigned flags;

diff --git a/fs/io_uring.c b/fs/io_uring.c
index ee75ba7113cfe21fd6b79e63e8e1ba6435446462..05ec385a609495412a29493aac04a21eb6b03c6d 100644 (file)
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -5678,6 +5678,7 @@ static void io_req_drop_files(struct io_kiocb *req)
        spin_unlock_irqrestore(&ctx->inflight_lock, flags);
        req->flags &= ~REQ_F_INFLIGHT;
        put_files_struct(req->work.files);
+       put_nsproxy(req->work.nsproxy);
        req->work.files = NULL;
 }
 
@@ -6086,6 +6087,8 @@ static int io_grab_files(struct io_kiocb *req)
                return 0;
 
        req->work.files = get_files_struct(current);
+       get_nsproxy(current->nsproxy);
+       req->work.nsproxy = current->nsproxy;
        req->flags |= REQ_F_INFLIGHT;
 
        spin_lock_irq(&ctx->inflight_lock);