From nobody Sat Jun 13 04:53:57 2026
Received: from mail-pl1-f179.google.com (mail-pl1-f179.google.com
 [209.85.214.179])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id A9B14145B27
	for <linux-kernel@vger.kernel.org>; Sun, 10 May 2026 08:41:24 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.214.179
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1778402485; cv=none;
 b=Xxl6ncarE03ehdCAZD5/1qmv7vJeYAkv7Mzdw/yOl2iCiJG8lLgKDZknQY1d1TJ5G5UtVuh4waDGq/zzwWCtn+Tjk7PktrtjCTZnAQtTKEhCFTZBJFzDR+0VLmMUJnTh1vZ14ozNYvi9afXloCQXlbs2mMV6x22OLyOEMC+nt0g=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1778402485; c=relaxed/simple;
	bh=nQQl8Jnr5xiENoRq9UPFaatHarty14EnHftN3n0JTkg=;
	h=From:To:Cc:Subject:Date:Message-Id:MIME-Version;
 b=Kl4rIYnEGzDOveo4YQ8tHg1ncB/hu+M92k+z0HJTeH4mFwFHs0L7U2sxSpdfy2fHPNFA31xxzHW3Fi0IvjOLfbYQQDKrCnaeNNZWWi96kfFDkycDKtuzMCEGAPT6WaoKzgX9I0sfAvIjW5eOLAq08m6o73xCOl28mGSIYSQTLGY=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=DB8NwlZP; arc=none smtp.client-ip=209.85.214.179
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="DB8NwlZP"
Received: by mail-pl1-f179.google.com with SMTP id
 d9443c01a7336-2ba17c8cfacso34291735ad.2
        for <linux-kernel@vger.kernel.org>;
 Sun, 10 May 2026 01:41:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1778402484; x=1779007284;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=b2J10JjtJjjqUTKbHQ1pnc+iGy3TkAKh2yT2vpmiKao=;
        b=DB8NwlZP4xxA2aP6Mns18XzH5EQvY23LgD/yReKwDmhI2FvWHfHvQBIpk6zv5R7Fj8
         S88j9KK3PaZe05Bi1zScwE9AEPlQCHpbIdv3aUeT0PvKDSrO2dl3FVWYc4IjF7up91TQ
         SvG9CEZWTeo9dLx/Xs20/mOOyL2zDOFgMNamBg99qy9DD3glNXC1+9vgMUNIhBeSZh+F
         Qft94iW1o1t0KFFvT70lMN3a9MGYsxz9DNpJyUu1jPZKf8vf6rqRIMQo9eafouSJqx3y
         p8ua+6/KQle/5uxoqjLDJyRNOO3nCFBa50dDmlL4LRGITBolbc3yDwmPp8cp+0zaXZAR
         fEwg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1778402484; x=1779007284;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=b2J10JjtJjjqUTKbHQ1pnc+iGy3TkAKh2yT2vpmiKao=;
        b=hl7n1gQRVUknovDE8h8VHaCDs5SqBVp5KUVLzEWHNoxQSa5IyOJBbaxhwVVAKsBmTH
         KQ6zJ7N9zWRFIcVD/MZ7P0zHBCvAl2gGIQbDWiTWyKS1c7YR4LRuzPNjhdXGoDR+bWt1
         EFcAU5MzsSApiH9jvpO1d1rZmzEx674AEBZ1H3EHAV7QaFXoDB11j1D4o6CUrcpgEdLB
         Tf28AkiAWB1lI9XNBlLZvPJSsFnC9oh+6HerRRB1m5GapvsdBF5s0B+j/HDW3GjHCHLF
         x0CjaqoGxVOXU+BGzWaUvxu5G1+zmoOxdbGVoBVnEwgtO/5kJ+mwd9m9HlG5epa+m7Ut
         fEpA==
X-Gm-Message-State: AOJu0YzEg9KFCeAUsPh8mK8viT1ANvhHwZTiw8MMJ7bvneCyXFT5+fTf
	ASgKWniIxhwFFw4bIwQzOYzJs/VPRqDi8Nkd+cexBPSlP8ass5XZm8mf
X-Gm-Gg: Acq92OECEk7iC8PR9mJ3+j7fu19oNDpk9ubevaDpOQAaAlqTWt3ACUW2hzhTjtmpt2X
	uoPCMeddJg8PTq+OZgW7ALzCeMVvdBB6ggIW5OvMSfeSWwPwLhFUuubX437IC+aTOuOWiEHneVj
	ZU9xfPLpYMJWiXb38pPx3f+/VEZ93+GGU97Q9ENXMYNUOf41gArs4PSVaK8lIjdE2y8Yzc64znZ
	0BflNG1Ii+hEjXrNEm6ts3w/Z4EC7i8SxmgZ/BbqiHw+9HPA4VdsZlT1vpfDtsrr81j+OEwNXgI
	81tXa3Bu14R4w0WFdpjpRO7mt1IH6urXWRnnz3HeTU3lHVyS5ckVPjFqA7VZ73Y1PLTJrPPl0Cu
	gKJxz8DhzXr5KbnwEunpRQZfNdVRNKC/3VTuXC1eC66mMmOp6u2JOmPFaMVy1ctyvzZPbqNtpIz
	DREKgc3c2PCrUpbjETM9AwKLqbp+t9uq/EeFkTWVvoNKjDsZrgofUOoDlCGyDYNddNHZY=
X-Received: by 2002:a17:903:4b03:b0:2b2:4cd2:e162 with SMTP id
 d9443c01a7336-2ba79d2e589mr195925275ad.34.1778402483988;
        Sun, 10 May 2026 01:41:23 -0700 (PDT)
Received: from csl-conti-dell7858.ntu.edu.sg ([155.69.195.57])
        by smtp.gmail.com with ESMTPSA id
 d9443c01a7336-2baf1d52ef9sm69952575ad.35.2026.05.10.01.41.21
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 10 May 2026 01:41:23 -0700 (PDT)
From: Maoyi Xie <maoyixie.tju@gmail.com>
X-Google-Original-From: Maoyi Xie <maoyi.xie@ntu.edu.sg>
To: Jens Axboe <axboe@kernel.dk>,
	Pavel Begunkov <asml.silence@gmail.com>,
	io-uring@vger.kernel.org
Cc: linux-kernel@vger.kernel.org,
	Maoyi Xie <maoyi.xie@ntu.edu.sg>
Subject: [PATCH] io_uring/fdinfo: translate SqThread PID through caller's
 pid_ns
Date: Sun, 10 May 2026 16:41:19 +0800
Message-Id: <20260510084119.457578-1-maoyi.xie@ntu.edu.sg>
X-Mailer: git-send-email 2.34.1
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

SQPOLL stores current->pid (init_pid_ns view) in sqd->task_pid
at thread creation. fdinfo prints it raw via
seq_printf("SqThread:\t%d\n", sq_pid). A reader inside a
non-initial pid_ns sees the host PID, not the kthread's PID in
the reader's own pid_ns.

The SQPOLL kthread is created with CLONE_THREAD and no
CLONE_NEW*, so it lives in the submitter's pid_ns. An
unprivileged user_ns + pid_ns submitter can read fdinfo and
learn the host PID of a kthread whose in-namespace PID is
different.

Reproducer (mainline 7.0, KASAN): unshare CLONE_NEWUSER |
CLONE_NEWPID | CLONE_NEWNS, mount a private /proc, then have a
grandchild that is pid 1 in the new pid_ns open an io_uring
ring with IORING_SETUP_SQPOLL. /proc/self/task lists {1, 2};
the SQPOLL kthread is pid 2. Before: fdinfo prints
SqThread =3D <host pid>. After: SqThread =3D 2.

Use task_pid_nr_ns() against the proc inode's pid_ns to compute
sq_pid, instead of reading the stored sq->task_pid (which holds
the init_pid_ns view). pidfd_show_fdinfo() in kernel/pid.c
follows the same pattern.

Signed-off-by: Maoyi Xie <maoyi.xie@ntu.edu.sg>
---
 io_uring/fdinfo.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/io_uring/fdinfo.c b/io_uring/fdinfo.c
index c2d3e4554..05ce477d3 100644
--- a/io_uring/fdinfo.c
+++ b/io_uring/fdinfo.c
@@ -190,8 +190,9 @@ static void __io_uring_show_fdinfo(struct io_ring_ctx *=
ctx, struct seq_file *m)
 			get_task_struct(tsk);
 			rcu_read_unlock();
 			usec =3D io_sq_cpu_usec(tsk);
+			sq_pid =3D task_pid_nr_ns(tsk,
+						proc_pid_ns(file_inode(m->file)->i_sb));
 			put_task_struct(tsk);
-			sq_pid =3D sq->task_pid;
 			sq_cpu =3D sq->sq_cpu;
 			sq_total_time =3D usec;
 			sq_work_time =3D sq->work_time;
--=20
2.34.1