From: Mauro De Gennaro <[email protected]>
To: [email protected]
Subject: Re: io_uring/recvmsg using io_provide_buffers causes kernel NULL pointer dereference bug
Date: Tue, 6 Jul 2021 17:46:02 +0200 [thread overview]
Message-ID: <CAGxp_yjChwCTcHa6PqM9-KEo5efann9brxW5+5gB_8YhooMCLQ@mail.gmail.com> (raw)
In-Reply-To: <[email protected]>
Great, thank you. Something I forgot to mention on the Bugzilla ticket
is that recvmsg() always returns the same provided buffer id even if
this buffer is being currently used in user space and hasn't been
returned to the kernel. For example, if you provide 100 buffers (ids 0
- 99) and never return them back to the kernel after each recvmsg
call, then further calls to recvmsg() will keep returning buffer id 99
until the kernel runs out of buffers. I suspect the kernel null
pointer dereference bug might be related to this behaviour as well.
Thanks again.
On Tue, Jul 6, 2021 at 12:47 PM Pavel Begunkov <[email protected]> wrote:
>
> On 7/4/21 10:50 AM, Mauro De Gennaro wrote:
> > Hi,
> >
> > First time reporting what seems to be a kernel bug, so I apologise if
> > I am not supposed to send bug reports to this mailing list as well.
> > The report was filed at Bugzilla:
>
> That's exactly the right place to report, not everyone monitor
> bugzilla, if any at all. Thanks for letting know
>
> > https://bugzilla.kernel.org/show_bug.cgi?id=213639
> >
> > It happens on 5.11 and I haven't tested the code yet on newer kernels.
>
> --
> Pavel Begunkov
prev parent reply other threads:[~2021-07-06 15:46 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-04 9:50 io_uring/recvmsg using io_provide_buffers causes kernel NULL pointer dereference bug Mauro De Gennaro
2021-07-06 10:47 ` Pavel Begunkov
2021-07-06 15:46 ` Mauro De Gennaro [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAGxp_yjChwCTcHa6PqM9-KEo5efann9brxW5+5gB_8YhooMCLQ@mail.gmail.com \
[email protected] \
[email protected] \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox