Hi Jens, > If the original task switches credentials or unshares any part of the > task state, then we should notify the io_uring workers to they can > re-fork as well. For credentials, this actually happens just fine for > the io-wq workers, as we grab and pass that down. For SQPOLL, we're > stuck with the original credentials, which means that it cannot be used > if the task does eg seteuid(). I fear that this will be very problematic for Samba's use of io_uring. We change credentials very often, switching between the impersonated users and also root in order to run privileged sections. Currently fd-based operations are not affected by the credential switches. I guess any credential switch means that all pending io_uring requests get canceled, correct? It also means the usage of IORING_REGISTER_PERSONALITY isn't useful any longer, as that requires a credential switch before (and most likely after) the io_uring_register() syscall. As seteuid(), unshare() and similar syscalls are per thread instead of process in the kernel, the io_wq is also per userspace thread and not per io_ring_ctx, correct? As I read the code any credential change in any userspace thread will cause the sq_thread to be stopped and restarted by the next io_uring_enter(), which means that the sq_thread may change its main credentials randomly overtime, depending on which userspace thread calls io_uring_enter() first. As unshare() applies only to the current task_struct I'm wondering if we only want to refork the sq_thread if the current task is the parent of the sq_thread. I'm wondering if we better remove io_uring_unshare() from commit_creds() and always handle the creds explicitly as req->work.creds. io_init_req() then will req->work.creds from ctx->personality_idr or from current->cred. At the same time we'd readd ctx->creds = get_current_cred(); in io_uring_setup() and use these ctx->creds in the io_sq_thread again in order to make things sane again. I'm also wondering if all this has an impact on IORING_SETUP_ATTACH_WQ, in particular I'm thinking of the case where the fd was transfered via SCM_RIGHTS or across fork(), when mm and files are not shared between the processes. I think the IORING_FEAT_CUR_PERSONALITY section in io_uring_setup.2 should also talk about what credentials are used in the IORING_SETUP_SQPOLL case. The IORING_SETUP_SQPOLL section should also be more detailed regarding what state is used in particular in combination with IORING_SETUP_ATTACH_WQ. Wasn't the idea up to 5.11 that the sq_thread would capture the whole state at io_uring_setup()? I think we need to maintain the overall behavior exposed to userspace... metze
