From: Linus Torvalds <torvalds@linuxfoundation.org>
To: Jens Axboe <axboe@kernel.dk>
Cc: Hao-Yu Yang <naup96721@gmail.com>,
security@kernel.org, io-uring@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v1] io_uring/register.c: fix NULL pointer dereference in io_register_resize_rings
Date: Mon, 9 Mar 2026 12:03:36 -0700 [thread overview]
Message-ID: <CAHk-=wgqyb7M3LZK=+mZOmrS2YDfvh-WKeMeTDCXsoMMkLXfPw@mail.gmail.com> (raw)
In-Reply-To: <e9a7152d-3be9-44c2-8626-75ca9da7d408@kernel.dk>
On Mon, 9 Mar 2026 at 11:35, Jens Axboe <axboe@kernel.dk> wrote:
>
> --- a/io_uring/register.c
> +++ b/io_uring/register.c
> @@ -575,6 +575,7 @@ static int io_register_resize_rings(struct io_ring_ctx *ctx, void __user *arg)
> * ctx->mmap_lock as well. Likewise, hold the completion lock over the
> * duration of the actual swap.
> */
> + smp_store_release(&ctx->in_resize, 1);
> mutex_lock(&ctx->mmap_lock);
> spin_lock(&ctx->completion_lock);
The store-release doesn't actually make sense here. It just says "this
store is visible after all previous stores".
It can still be delayed arbitraritly, and migrate down into the locked
regions, and be visible to other cpus much later.
On x86, getting a lock will be a full memory barrier, but that's not
true everywhere else: locks keep things *inside* the locked region
inside the lock, but don't stop things *outside* the locked region
from moving into it.
End result: the smp_store_release does nothing. You should use a write
barrier (or a smp_store_mb(), but that's expensive).
But even *that* won't work - because the irq can already be running on
another CPU, and maybe it already tested 'in_resize', and saw a zero,
and then did that
atomic_or(IORING_SQ_TASKRUN, &ctx->rings->sq_flags);
afterwards.
> @@ -647,6 +648,7 @@ static int io_register_resize_rings(struct io_ring_ctx *ctx, void __user *arg)
> if (ctx->sq_data)
> io_sq_thread_unpark(ctx->sq_data);
>
> + smp_store_release(&ctx->in_resize, 0);
On the release side, the store_release would make sense - the store is
visible to others after all the other stores are done (including,
obviously, the new 'rings' calue)
But see above. This just doesn't *work*, because the irq - running on
another cpu - will do the flag test and the cts->rings access as two
separate operations.
All these semantics means that 'in_resize' needs to basically be a lock.
You can then use 'trylock()' in irq context *around* the whole
sequence of using ctx->rings, to avoid disabling interrupts.
Linus
next prev parent reply other threads:[~2026-03-09 19:03 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-09 6:27 [PATCH v1] io_uring/register.c: fix NULL pointer dereference in io_register_resize_rings Hao-Yu Yang
2026-03-09 13:11 ` Jens Axboe
2026-03-09 16:04 ` Linus Torvalds
2026-03-09 16:29 ` Jens Axboe
2026-03-09 18:34 ` Jens Axboe
2026-03-09 18:35 ` Jens Axboe
2026-03-09 19:03 ` Linus Torvalds [this message]
2026-03-09 19:22 ` Jens Axboe
2026-03-10 8:51 ` Hao-Yu Yang
2026-03-09 18:57 ` Pavel Begunkov
2026-03-09 19:16 ` Jens Axboe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHk-=wgqyb7M3LZK=+mZOmrS2YDfvh-WKeMeTDCXsoMMkLXfPw@mail.gmail.com' \
--to=torvalds@linuxfoundation.org \
--cc=axboe@kernel.dk \
--cc=io-uring@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=naup96721@gmail.com \
--cc=security@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox