From: Linus Torvalds <torvalds@linuxfoundation.org>
To: Jens Axboe <axboe@kernel.dk>
Cc: Hao-Yu Yang <naup96721@gmail.com>,
security@kernel.org, io-uring@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v1] io_uring/register.c: fix NULL pointer dereference in io_register_resize_rings
Date: Mon, 9 Mar 2026 09:04:43 -0700 [thread overview]
Message-ID: <CAHk-=wi-24g2yzRTHwJ-kD1RqK0TvuPBr0VzvuQVVzR83ddgsw@mail.gmail.com> (raw)
In-Reply-To: <959a75c9-4de5-42d1-8f43-636f4aab5df8@kernel.dk>
On Mon, 9 Mar 2026 at 06:11, Jens Axboe <axboe@kernel.dk> wrote:
>
> You probably want something ala:
>
> mutex_lock(&ctx->mmap_lock);
> spin_lock(&ctx->completion_lock();
> + local_irq_disable();
How could that ever work?
Irqs will happily continue on other CPUs, so disabling interrupts is
complete nonsense as far as I can tell - whether done with
spin_lock_irq() *or* with local_irq_disable()/.
So basically, touching ctx->rings from irq context in this section is
simply not an option - or the rings pointer just needs to be updated
atomically so that it doesn't matter.
I assume this was tested in qemu on a single-core setup, so that
fundamental mistake was hidden by an irrelevant configuration.
Where is the actual oops - for some inexplicable reason that had been
edited out, and it only had the call trace leading up toit? Based on
the incomplete information and the faulting address of 0x24, I'm
*guessing* that it is
if (ctx->flags & IORING_SETUP_TASKRUN_FLAG)
atomic_or(IORING_SQ_TASKRUN, &ctx->rings->sq_flags);
in io_req_normal_work_add(), but that may be complete garbage.
So the actual fix may be to just make damn sure that
IORING_SETUP_TASKRUN_FLAG is *not* set when the rings are resized.
But for all I know, (a) I may be looking at entirely the wrong place
and (b) there might be millions of other places that want to access
ctx->rings, so the above may be the rantings of a crazy old man.
Get off my lawn.
Linus
next prev parent reply other threads:[~2026-03-09 16:05 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-09 6:27 [PATCH v1] io_uring/register.c: fix NULL pointer dereference in io_register_resize_rings Hao-Yu Yang
2026-03-09 13:11 ` Jens Axboe
2026-03-09 16:04 ` Linus Torvalds [this message]
2026-03-09 16:29 ` Jens Axboe
2026-03-09 18:34 ` Jens Axboe
2026-03-09 18:35 ` Jens Axboe
2026-03-09 19:03 ` Linus Torvalds
2026-03-09 19:22 ` Jens Axboe
2026-03-10 8:51 ` Hao-Yu Yang
2026-03-09 18:57 ` Pavel Begunkov
2026-03-09 19:16 ` Jens Axboe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHk-=wi-24g2yzRTHwJ-kD1RqK0TvuPBr0VzvuQVVzR83ddgsw@mail.gmail.com' \
--to=torvalds@linuxfoundation.org \
--cc=axboe@kernel.dk \
--cc=io-uring@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=naup96721@gmail.com \
--cc=security@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox