public inbox for [email protected]
 help / color / mirror / Atom feed
* [PATCH] io_uring/rsrc: require cloned buffers to share accounting contexts
@ 2025-01-14 17:49 Jann Horn
  2025-01-14 17:57 ` Jens Axboe
  2025-01-14 18:10 ` Jens Axboe
  0 siblings, 2 replies; 3+ messages in thread
From: Jann Horn @ 2025-01-14 17:49 UTC (permalink / raw)
  To: Jens Axboe, Pavel Begunkov, io-uring; +Cc: linux-kernel, stable, Jann Horn

When IORING_REGISTER_CLONE_BUFFERS is used to clone buffers from uring
instance A to uring instance B, where A and B use different MMs for
accounting, the accounting can go wrong:
If uring instance A is closed before uring instance B, the pinned memory
counters for uring instance B will be decremented, even though the pinned
memory was originally accounted through uring instance A; so the MM of
uring instance B can end up with negative locked memory.

Cc: [email protected]
Closes: https://lore.kernel.org/r/CAG48ez1zez4bdhmeGLEFxtbFADY4Czn3CV0u9d_TMcbvRA01bg@mail.gmail.com
Fixes: 7cc2a6eadcd7 ("io_uring: add IORING_REGISTER_COPY_BUFFERS method")
Signed-off-by: Jann Horn <[email protected]>
---
To be clear, I think this is a very minor issue, feel free to take your
time landing it.

I put a stable marker on this, but I'm ambivalent about whether this
issue even warrants landing a fix in stable - feel free to remove the
Cc stable marker if you think it's unnecessary.
---
 io_uring/rsrc.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/io_uring/rsrc.c b/io_uring/rsrc.c
index 077f84684c18a0b3f5e622adb4978b6a00353b2f..caecc18dd5be03054ae46179bc0918887bf609a4 100644
--- a/io_uring/rsrc.c
+++ b/io_uring/rsrc.c
@@ -931,6 +931,13 @@ static int io_clone_buffers(struct io_ring_ctx *ctx, struct io_ring_ctx *src_ctx
 	int i, ret, off, nr;
 	unsigned int nbufs;
 
+	/*
+	 * Accounting state is shared between the two rings; that only works if
+	 * both rings are accounted towards the same counters.
+	 */
+	if (ctx->user != src_ctx->user || ctx->mm_account != src_ctx->mm_account)
+		return -EINVAL;
+
 	/* if offsets are given, must have nr specified too */
 	if (!arg->nr && (arg->dst_off || arg->src_off))
 		return -EINVAL;

---
base-commit: c45323b7560ec87c37c729b703c86ee65f136d75
change-id: 20250114-uring-check-accounting-4356f8b91c37

-- 
Jann Horn <[email protected]>


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] io_uring/rsrc: require cloned buffers to share accounting contexts
  2025-01-14 17:49 [PATCH] io_uring/rsrc: require cloned buffers to share accounting contexts Jann Horn
@ 2025-01-14 17:57 ` Jens Axboe
  2025-01-14 18:10 ` Jens Axboe
  1 sibling, 0 replies; 3+ messages in thread
From: Jens Axboe @ 2025-01-14 17:57 UTC (permalink / raw)
  To: Jann Horn, Pavel Begunkov, io-uring; +Cc: linux-kernel, stable

On 1/14/25 10:49 AM, Jann Horn wrote:
> When IORING_REGISTER_CLONE_BUFFERS is used to clone buffers from uring
> instance A to uring instance B, where A and B use different MMs for
> accounting, the accounting can go wrong:
> If uring instance A is closed before uring instance B, the pinned memory
> counters for uring instance B will be decremented, even though the pinned
> memory was originally accounted through uring instance A; so the MM of
> uring instance B can end up with negative locked memory.
> 
> Cc: [email protected]
> Closes: https://lore.kernel.org/r/CAG48ez1zez4bdhmeGLEFxtbFADY4Czn3CV0u9d_TMcbvRA01bg@mail.gmail.com
> Fixes: 7cc2a6eadcd7 ("io_uring: add IORING_REGISTER_COPY_BUFFERS method")
> Signed-off-by: Jann Horn <[email protected]>
> ---
> To be clear, I think this is a very minor issue, feel free to take your
> time landing it.
> 
> I put a stable marker on this, but I'm ambivalent about whether this
> issue even warrants landing a fix in stable - feel free to remove the
> Cc stable marker if you think it's unnecessary.

I'll just queue it up for 6.14. Let's just get it towards stable, if
nothing else it provides consistent behavior across kernels. IMHO that's
enough reason to move it to stable.

-- 
Jens Axboe

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] io_uring/rsrc: require cloned buffers to share accounting contexts
  2025-01-14 17:49 [PATCH] io_uring/rsrc: require cloned buffers to share accounting contexts Jann Horn
  2025-01-14 17:57 ` Jens Axboe
@ 2025-01-14 18:10 ` Jens Axboe
  1 sibling, 0 replies; 3+ messages in thread
From: Jens Axboe @ 2025-01-14 18:10 UTC (permalink / raw)
  To: Pavel Begunkov, io-uring, Jann Horn; +Cc: linux-kernel, stable


On Tue, 14 Jan 2025 18:49:00 +0100, Jann Horn wrote:
> When IORING_REGISTER_CLONE_BUFFERS is used to clone buffers from uring
> instance A to uring instance B, where A and B use different MMs for
> accounting, the accounting can go wrong:
> If uring instance A is closed before uring instance B, the pinned memory
> counters for uring instance B will be decremented, even though the pinned
> memory was originally accounted through uring instance A; so the MM of
> uring instance B can end up with negative locked memory.
> 
> [...]

Applied, thanks!

[1/1] io_uring/rsrc: require cloned buffers to share accounting contexts
      commit: 19d340a2988d4f3e673cded9dde405d727d7e248

Best regards,
-- 
Jens Axboe




^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2025-01-14 18:10 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-01-14 17:49 [PATCH] io_uring/rsrc: require cloned buffers to share accounting contexts Jann Horn
2025-01-14 17:57 ` Jens Axboe
2025-01-14 18:10 ` Jens Axboe

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox