Re: [RFC PATCH] io_uring: add support for IORING_OP_IOCTL

From: Jann Horn
Date: Sat Dec 14 2019 - 12:12:50 EST

On Sat, Dec 14, 2019 at 4:30 PM Pavel Begunkov <asml.silence@xxxxxxxxx> wrote:
> This works almost like ioctl(2), except it doesn't support a bunch of
> common opcodes, (e.g. FIOCLEX and FIBMAP, see ioctl.c), and goes
> straight to a device specific implementation.
> The case in mind is dma-buf, drm and other ioctl-centric interfaces.
> Not-yet Signed-off-by: Pavel Begunkov <asml.silence@xxxxxxxxx>
> ---
> It clearly needs some testing first, though works fine with dma-buf,
> but I'd like to discuss whether the use cases are convincing enough,
> and is it ok to desert some ioctl opcodes. For the last point it's
> fairly easy to add, maybe except three requiring fd (e.g. FIOCLEX)
> P.S. Probably, it won't benefit enough to consider using io_uring
> in drm/mesa, but anyway.
> +static int io_ioctl(struct io_kiocb *req,
> + struct io_kiocb **nxt, bool force_nonblock)
> +{
> + const struct io_uring_sqe *sqe = req->sqe;
> + unsigned int cmd = READ_ONCE(sqe->ioctl_cmd);
> + unsigned long arg = READ_ONCE(sqe->ioctl_arg);
> + int ret;
> +
> + if (!req->file)
> + return -EBADF;
> + if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
> + return -EINVAL;
> + if (unlikely(sqe->ioprio || sqe->addr || sqe->buf_index
> + || sqe->rw_flags))
> + return -EINVAL;
> + if (force_nonblock)
> + return -EAGAIN;
> +
> + ret = security_file_ioctl(req->file, cmd, arg);
> + if (!ret)
> + ret = (int)vfs_ioctl(req->file, cmd, arg);

This isn't going to work. For several of the syscalls that were added,
special care had to be taken to avoid bugs - like for RECVMSG, for the
upcoming OPEN/CLOSE stuff, and so on.

And in principle, ioctls handlers can do pretty much all of the things
syscalls can do, and more. They can look at the caller's PID, they can
open and close (well, technically that's slightly unsafe, but IIRC
autofs does it anyway) things in the file descriptor table, they can
give another process access to the calling process in some way, and so
on. If you just allow calling arbitrary ioctls through io_uring, you
will certainly get bugs, and probably security bugs, too.

Therefore, I would prefer to see this not happen at all; and if you do
have a usecase where you think the complexity is worth it, then I
think you'll have to add new infrastructure that allows each
file_operations instance to opt in to having specific ioctls called
via this mechanism, or something like that, and ensure that each of
the exposed ioctls only performs operations that are safe from uring
worker context.

Also, I'm not sure, but it might be a good idea to CC linux-api if you
continue working on this.