Re: [PATCH v1] io_uring/register.c: fix NULL pointer dereference in io_register_resize_rings

public inbox for io-uring@vger.kernel.org
 help / color / mirror / Atom feed

From: Jens Axboe <axboe@kernel.dk>
To: Hao-Yu Yang <naup96721@gmail.com>, security@kernel.org
Cc: io-uring@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v1] io_uring/register.c: fix NULL pointer dereference in io_register_resize_rings
Date: Mon, 9 Mar 2026 07:11:21 -0600	[thread overview]
Message-ID: <959a75c9-4de5-42d1-8f43-636f4aab5df8@kernel.dk> (raw)
In-Reply-To: <20260309062759.482210-1-naup96721@gmail.com>

On 3/9/26 12:27 AM, Hao-Yu Yang wrote:
> During io_register_resize_rings execution, ctx->rings is temporarily
> set to NULL before new ring memory is allocated. If a timer interrupt
> fires during this window, the interrupt handler (via timerfd_tmrproc
> -> io_poll_wake -> __io_req_task_work_add -> io_req_local_work_add)
> attempts to access ctx->rings->sq_flags, causing race condition and
> a NULL pointer dereference.
> 
> BUG: kernel NULL pointer dereference, address: 0000000000000024
> PF: supervisor read access in kernel mode
> PF: error_code(0x0000) - not-present page
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> Call Trace:
>  <IRQ>
>  __io_poll_execute (io_uring/poll.c:223)
>  io_poll_wake (io_uring/poll.c:426)
>  __wake_up_common (kernel/sched/wait.c:109)
>  __wake_up_locked_key (kernel/sched/wait.c:167)
>  timerfd_tmrproc (./include/linux/spinlock.h:407 fs/timerfd.c:71 fs/timerfd.c:78)
>  ? __pfx_timerfd_tmrproc (fs/timerfd.c:75)
>  __hrtimer_run_queues (kernel/time/hrtimer.c:1785 kernel/time/hrtimer.c:1849)
>  hrtimer_interrupt (kernel/time/hrtimer.c:1914)
>  __sysvec_apic_timer_interrupt (./arch/x86/include/asm/jump_label.h:37 ./arch/x86/include/asm/trace/irq_vectors.h:40 arch/x86/kernel/apic/apic.c:1063)
>  sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1056 arch/x86/kernel/apic/apic.c:1056)
>  </IRQ>
>  <TASK>
>  asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:697)
>  RIP: 0010:io_register_resize_rings (io_uring/register.c:593)
>  ? io_register_resize_rings (io_uring/register.c:580)
>  __io_uring_register (io_uring/register.c:898)
>  ? fget (fs/file.c:1114)
>  __x64_sys_io_uring_register (io_uring/register.c:1026 io_uring/register.c:1001 io_uring/register.c:1001)
>  x64_sys_call (arch/x86/entry/syscall_64.c:41)
>  do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall)
>  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
>  </TASK>
> 
> Fix by using spin_lock_irq/spin_unlock_irq instead of spin_lock/spin_unlock
> in io_register_resize_rings. This disables IRQs while ctx->rings is set to
> NULL, preventing interrupt handlers from executing during the window when
> ctx->rings is NULL.

I see the your crash, but this isn't the right fix - you can't just have
that one spot turn the completion lock into an IRQ disabling one,
that'll mess up the rest of the use cases in terms of lockdep. This lock
is never grabbed from IRQ context, hence it'd be misleading too.

You probably want something ala:

mutex_lock(&ctx->mmap_lock);
spin_lock(&ctx->completion_lock();
+ local_irq_disable();

...

+ local_irq_enable();
spin_unlock(&ctx->completion_lock);
mutex_unlock(&ctx->mmap_lock);

which I think should make lockdep happy with it too.

And then I think it wants a comment on top of that local_irq_disable(),
explaining how this is meant to prevent any irq/bh from triggering
task_work additions that touch ctx->rings to set the IORING_SQ_TASKRUN
flag.

Does that makes sense? If so, please do send a v2!

-- 
Jens Axboe

next prev parent reply	other threads:[~2026-03-09 13:11 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-09  6:27 [PATCH v1] io_uring/register.c: fix NULL pointer dereference in io_register_resize_rings Hao-Yu Yang
2026-03-09 13:11 ` Jens Axboe [this message]
2026-03-09 16:04   ` Linus Torvalds
2026-03-09 16:29     ` Jens Axboe
2026-03-09 18:34       ` Jens Axboe
2026-03-09 18:35         ` Jens Axboe
2026-03-09 19:03           ` Linus Torvalds
2026-03-09 19:22             ` Jens Axboe
2026-03-09 18:57         ` Pavel Begunkov
2026-03-09 19:16           ` Jens Axboe

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=959a75c9-4de5-42d1-8f43-636f4aab5df8@kernel.dk \
    --to=axboe@kernel.dk \
    --cc=io-uring@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=naup96721@gmail.com \
    --cc=security@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox