public inbox for io-uring@vger.kernel.org
From: Jens Axboe <axboe@kernel.dk>
To: Pavel Begunkov <asml.silence@gmail.com>, io-uring@vger.kernel.org
Subject: Re: [PATCH 2/2] io_uring/timeout: immediate timeout arg
Date: Tue, 24 Feb 2026 11:31:01 -0700
Message-ID: <3ad0525b-6635-4d4a-af3d-92f60604da45@kernel.dk>
In-Reply-To: <e2382dc6580567e12b892af8bc1b5a0e3fdcf3e2.1771949518.git.asml.silence@gmail.com>

On 2/24/26 9:12 AM, Pavel Begunkov wrote:
> One of the things the user has always had to keep in mind is that any user
> pointers they put into an SQE are not going to be read by the kernel
> until submission happens, and the user has to ensure the pointee
> stays alive until then. For example, this snippet:
> 
> void prep_timeout(struct io_uring_sqe *sqe) {
> 	struct __kernel_timespec ts = {...};
> 	prep_timeout(sqe, &ts);
> }
> 
> void submit() {
> 	sqe = get_sqe();
> 	prep_timeout(sqe);
> 	io_uring_submit();
> }
> 
> would lead to a UAF for the on-stack variable ts. Instead of passing
> the timeout value as a pointer, allow storing it immediately in the SQE.
> The user has to set a new flag called IORING_TIMEOUT_IMMEDIATE_ARG,
> in which case sqe->addr will be interpreted as the timeout value in ns.
> It only works with relative timeouts and is rejected if set together with
> IORING_TIMEOUT_ABS out of concerns of not having enough range in u64 to
> represent a good long-term API.
> 
> Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
> ---
>  include/uapi/linux/io_uring.h |  5 +++++
>  io_uring/timeout.c            | 11 +++++++++--
>  2 files changed, 14 insertions(+), 2 deletions(-)
> 
> diff --git a/include/uapi/linux/io_uring.h b/include/uapi/linux/io_uring.h
> index 6750c383a2ab..8f4de786e6e9 100644
> --- a/include/uapi/linux/io_uring.h
> +++ b/include/uapi/linux/io_uring.h
> @@ -340,6 +340,10 @@ enum io_uring_op {
>  
>  /*
>   * sqe->timeout_flags
> + *
> + * IORING_TIMEOUT_IMMEDIATE_ARG:	If set, sqe->addr stores the timeout
> + *					value in nanoseconds instead of
> + *					pointing to a timespec.
>   */
>  #define IORING_TIMEOUT_ABS		(1U << 0)
>  #define IORING_TIMEOUT_UPDATE		(1U << 1)
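Review bot: the new uapi comment describes what sqe->addr holds but omits the restriction that timeout.c enforces for this flag; since userspace reads this header, state there that the value is a relative timeout only and that combining it with IORING_TIMEOUT_ABS fails with -EINVAL, e.g. extend the comment with "Only valid for relative timeouts; rejected together with IORING_TIMEOUT_ABS."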
> @@ -348,6 +352,7 @@ enum io_uring_op {
>  #define IORING_LINK_TIMEOUT_UPDATE	(1U << 4)
>  #define IORING_TIMEOUT_ETIME_SUCCESS	(1U << 5)
>  #define IORING_TIMEOUT_MULTISHOT	(1U << 6)
> +#define IORING_TIMEOUT_IMMEDIATE_ARG	(1U << 7)
>  #define IORING_TIMEOUT_CLOCK_MASK	(IORING_TIMEOUT_BOOTTIME | IORING_TIMEOUT_REALTIME)
>  #define IORING_TIMEOUT_UPDATE_MASK	(IORING_TIMEOUT_UPDATE | IORING_LINK_TIMEOUT_UPDATE)
>  /*
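Review bot: bit 7 is defined here, but the only consumer this patch adds is the allowed-flags mask in __io_timeout_prep(); IORING_TIMEOUT_UPDATE_MASK and the update/remove path on the following lines are left untouched, so either say in the comment that the flag applies only when arming a timeout, or teach the update side about it in the same series.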
> diff --git a/io_uring/timeout.c b/io_uring/timeout.c
> index d97f67d85ea3..e051c8374c1a 100644
> --- a/io_uring/timeout.c
> +++ b/io_uring/timeout.c
> @@ -528,7 +528,8 @@ static int __io_timeout_prep(struct io_kiocb *req,
>  	flags = READ_ONCE(sqe->timeout_flags);
>  	if (flags & ~(IORING_TIMEOUT_ABS | IORING_TIMEOUT_CLOCK_MASK |
>  		      IORING_TIMEOUT_ETIME_SUCCESS |
> -		      IORING_TIMEOUT_MULTISHOT))
> +		      IORING_TIMEOUT_MULTISHOT |
> +		      IORING_TIMEOUT_IMMEDIATE_ARG))
>  		return -EINVAL;
>  	/* more than one clock specified is invalid, obviously */
>  	if (hweight32(flags & IORING_TIMEOUT_CLOCK_MASK) > 1)
> @@ -557,8 +558,14 @@ static int __io_timeout_prep(struct io_kiocb *req,
>  	data->req = req;
>  	data->flags = flags;
>  
> -	if (get_timespec64(&data->ts, u64_to_user_ptr(READ_ONCE(sqe->addr))))
> +	if (flags & IORING_TIMEOUT_IMMEDIATE_ARG) {
> +		if (flags & IORING_TIMEOUT_ABS)
> +			return -EINVAL;
> +		data->ts = ns_to_timespec64(READ_ONCE(sqe->addr));
> +	} else if (get_timespec64(&data->ts,
> +				  u64_to_user_ptr(READ_ONCE(sqe->addr)))) {
>  		return -EFAULT;
> +	}
>  
>  	if (data->ts.tv_sec < 0 || data->ts.tv_nsec < 0)
>  		return -EINVAL;
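Review bot: ns_to_timespec64() takes an s64, so the u64 read from sqe->addr is implicitly converted; values above S64_MAX become negative and are only rejected because the existing `tv_sec < 0` check below happens to catch them. Make that explicit with a comment or a guard of the form `if (ns > S64_MAX) return -EINVAL;` (and document the effective maximum in the uapi comment) so a later reordering of the checks cannot silently turn a huge timeout into a negative one.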

Looks good to me on the feature side, makes sense. But like the 1/2
patch, this one needs to update the remove side as well to support the
immediate arg.

-- 
Jens Axboe
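A userspace model of the accept/reject rules the patch adds, as an added example that is not the patch's or the kernel's code: the two flag values are copied from the hunks, ns_to_ts() mirrors the split done by the kernel's ns_to_timespec64(), and the user-pointer branch is replaced by a plain host pointer (NULL standing in for a faulting address) so the logic runs without a patched kernel.

```c
/* Added example (not from the patch): userspace model of the new
 * IORING_TIMEOUT_IMMEDIATE_ARG branch of __io_timeout_prep(), so the
 * accept/reject rules can be exercised without a patched kernel. */
#include <stdint.h>
#include <errno.h>
#include <stddef.h>

#define IORING_TIMEOUT_ABS           (1U << 0)   /* from the patch */
#define IORING_TIMEOUT_IMMEDIATE_ARG (1U << 7)   /* from the patch */
#define NSEC_PER_SEC 1000000000LL

struct ts64 { int64_t tv_sec; int64_t tv_nsec; }; /* stands in for timespec64 */

/* Same split as the kernel's ns_to_timespec64(): signed input, so a u64
 * above INT64_MAX arrives negative and produces a negative tv_sec. */
static struct ts64 ns_to_ts(int64_t nsec)
{
	struct ts64 ts = { 0, 0 };
	if (nsec > 0) {
		ts.tv_sec = nsec / NSEC_PER_SEC;
		ts.tv_nsec = nsec % NSEC_PER_SEC;
	} else if (nsec < 0) {
		ts.tv_sec = -((-nsec - 1) / NSEC_PER_SEC) - 1;
		ts.tv_nsec = NSEC_PER_SEC - ((-nsec - 1) % NSEC_PER_SEC) - 1;
	}
	return ts;
}

/* Models the patched branch. addr is the SQE's u64 addr field: with the
 * immediate flag it is the relative timeout in ns, otherwise a user pointer
 * (assumption: a host pointer to struct ts64, NULL meaning -EFAULT). */
int timeout_prep(uint32_t flags, uint64_t addr, struct ts64 *out)
{
	if (flags & IORING_TIMEOUT_IMMEDIATE_ARG) {
		if (flags & IORING_TIMEOUT_ABS)
			return -EINVAL;           /* relative timeouts only */
		*out = ns_to_ts((int64_t)addr);
	} else {
		const struct ts64 *uts = (const struct ts64 *)(uintptr_t)addr;
		if (!uts)
			return -EFAULT;           /* get_timespec64() failure */
		*out = *uts;
	}
	/* existing kernel check; also catches the wrapped-negative immediate case */
	if (out->tv_sec < 0 || out->tv_nsec < 0)
		return -EINVAL;
	return 0;
}
```

The last two cases in the model are the ones worth noting: an immediate value above INT64_MAX is rejected only by the sign check, and the pointer path is where the stack-lifetime hazard from the commit message lives.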
