[PATCH] io_uring: fix null-ptr-deref in io_uring

public inbox for io-uring@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] io_uring: fix null-ptr-deref in io_uring_poll
@ 2026-04-09 14:55 l1zao
  2026-04-09 15:28 ` Jens Axboe
  0 siblings, 1 reply; 4+ messages in thread
From: l1zao @ 2026-04-09 14:55 UTC (permalink / raw)
  To: Jens Axboe, io-uring; +Cc: linux-kernel

From: Haocheng Yu <l1zao@zju.edu.cn>

A general protection fault in io_uring_poll is reported by a
modified Syzkaller-based kernel fuzzing tool we developed. The
crash occurs due to KASAN: null-ptr-deref.

This issue is likely caused by a race condition between 
`io_uring_register` and `poll`. Specifically, in 
io_uring/register.c/io_register_resize_rings(), ctx->rings is 
set to NULL. Although this step is protected by a mutex lock 
and a spin lock, io_uring/io_uring.c/io_uring_poll() calls 
io_sqring_full and __io_cqring_events_user without holding the 
lock, in which ctx->rings is accessed.

To fix this vulnerability, I moved the two function calls in
io_uring_poll() that might access ctx->rings under the protection
of spin_lock(&ctx->completion_lock).

Signed-off-by: Haocheng Yu <l1zao@zju.edu.cn>
---
 io_uring/io_uring.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 02339b74ba8d..6fdea9eb0b39 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -2934,6 +2934,7 @@ static __poll_t io_uring_poll(struct file *file, poll_table *wait)
 	 */
 	poll_wait(file, &ctx->poll_wq, wait);

+	spin_lock(&ctx->completion_lock);
 	if (!io_sqring_full(ctx))
 		mask |= EPOLLOUT | EPOLLWRNORM;

@@ -2953,6 +2954,7 @@ static __poll_t io_uring_poll(struct file *file, poll_table *wait)

 	if (__io_cqring_events_user(ctx) || io_has_work(ctx))
 		mask |= EPOLLIN | EPOLLRDNORM;
+	spin_unlock(&ctx->completion_lock);

 	return mask;
 }

base-commit: 7d0a66e4bb9081d75c82ec4957c50034cb0ea449
-- 
2.51.0

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] io_uring: fix null-ptr-deref in io_uring_poll
  2026-04-09 14:55 [PATCH] io_uring: fix null-ptr-deref in io_uring_poll l1zao
@ 2026-04-09 15:28 ` Jens Axboe
  2026-04-09 15:29   ` Jens Axboe
  0 siblings, 1 reply; 4+ messages in thread
From: Jens Axboe @ 2026-04-09 15:28 UTC (permalink / raw)
  To: l1zao, io-uring; +Cc: linux-kernel

On 4/9/26 8:55 AM, l1zao@zju.edu.cn wrote:
> From: Haocheng Yu <l1zao@zju.edu.cn>
> 
> A general protection fault in io_uring_poll is reported by a
> modified Syzkaller-based kernel fuzzing tool we developed. The
> crash occurs due to KASAN: null-ptr-deref.
> 
> This issue is likely caused by a race condition between 
> `io_uring_register` and `poll`. Specifically, in 
> io_uring/register.c/io_register_resize_rings(), ctx->rings is 
> set to NULL. Although this step is protected by a mutex lock 
> and a spin lock, io_uring/io_uring.c/io_uring_poll() calls 
> io_sqring_full and __io_cqring_events_user without holding the 
> lock, in which ctx->rings is accessed.
> 
> To fix this vulnerability, I moved the two function calls in
> io_uring_poll() that might access ctx->rings under the protection
> of spin_lock(&ctx->completion_lock).

Fixed a month ago, what tree are you running?

 commit 96189080265e6bb5dde3a4afbaf947af493e3f82
Author: Jens Axboe <axboe@kernel.dk>
Date:   Mon Mar 9 14:21:37 2026 -0600

    io_uring: ensure ctx->rings is stable for task work flags manipulation

-- 
Jens Axboe

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] io_uring: fix null-ptr-deref in io_uring_poll
  2026-04-09 15:28 ` Jens Axboe
@ 2026-04-09 15:29   ` Jens Axboe
  2026-04-10  8:24     ` 章怿贺
  0 siblings, 1 reply; 4+ messages in thread
From: Jens Axboe @ 2026-04-09 15:29 UTC (permalink / raw)
  To: l1zao, io-uring; +Cc: linux-kernel

On 4/9/26 9:28 AM, Jens Axboe wrote:
> On 4/9/26 8:55 AM, l1zao@zju.edu.cn wrote:
>> From: Haocheng Yu <l1zao@zju.edu.cn>
>>
>> A general protection fault in io_uring_poll is reported by a
>> modified Syzkaller-based kernel fuzzing tool we developed. The
>> crash occurs due to KASAN: null-ptr-deref.
>>
>> This issue is likely caused by a race condition between 
>> `io_uring_register` and `poll`. Specifically, in 
>> io_uring/register.c/io_register_resize_rings(), ctx->rings is 
>> set to NULL. Although this step is protected by a mutex lock 
>> and a spin lock, io_uring/io_uring.c/io_uring_poll() calls 
>> io_sqring_full and __io_cqring_events_user without holding the 
>> lock, in which ctx->rings is accessed.
>>
>> To fix this vulnerability, I moved the two function calls in
>> io_uring_poll() that might access ctx->rings under the protection
>> of spin_lock(&ctx->completion_lock).
> 
> Fixed a month ago, what tree are you running?
> 
>  commit 96189080265e6bb5dde3a4afbaf947af493e3f82
> Author: Jens Axboe <axboe@kernel.dk>
> Date:   Mon Mar 9 14:21:37 2026 -0600
> 
>     io_uring: ensure ctx->rings is stable for task work flags manipulation

Actually the poll part is this one:

commit 61a11cf4812726aceaee17c96432e1c08f6ed6cb
Author: Jens Axboe <axboe@kernel.dk>
Date:   Tue Mar 31 07:07:47 2026 -0600

    io_uring: protect remaining lockless ctx->rings accesses with RCU

which is also upstream.

-- 
Jens Axboe


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Re: [PATCH] io_uring: fix null-ptr-deref in io_uring_poll
  2026-04-09 15:29   ` Jens Axboe
@ 2026-04-10  8:24     ` 章怿贺
  0 siblings, 0 replies; 4+ messages in thread
From: 章怿贺 @ 2026-04-10  8:24 UTC (permalink / raw)
  To: Jens Axboe; +Cc: io-uring, linux-kernel

I ran it on linux v6.18.

Anyway, thanks for reviewing the patch.

Best regards,
Haocheng Yu

> 
> On 4/9/26 9:28 AM, Jens Axboe wrote:
> > On 4/9/26 8:55 AM, l1zao@zju.edu.cn wrote:
> >> From: Haocheng Yu <l1zao@zju.edu.cn>
> >>
> >> A general protection fault in io_uring_poll is reported by a
> >> modified Syzkaller-based kernel fuzzing tool we developed. The
> >> crash occurs due to KASAN: null-ptr-deref.
> >>
> >> This issue is likely caused by a race condition between 
> >> `io_uring_register` and `poll`. Specifically, in 
> >> io_uring/register.c/io_register_resize_rings(), ctx->rings is 
> >> set to NULL. Although this step is protected by a mutex lock 
> >> and a spin lock, io_uring/io_uring.c/io_uring_poll() calls 
> >> io_sqring_full and __io_cqring_events_user without holding the 
> >> lock, in which ctx->rings is accessed.
> >>
> >> To fix this vulnerability, I moved the two function calls in
> >> io_uring_poll() that might access ctx->rings under the protection
> >> of spin_lock(&ctx->completion_lock).
> > 
> > Fixed a month ago, what tree are you running?
> > 
> >  commit 96189080265e6bb5dde3a4afbaf947af493e3f82
> > Author: Jens Axboe <axboe@kernel.dk>
> > Date:   Mon Mar 9 14:21:37 2026 -0600
> > 
> >     io_uring: ensure ctx->rings is stable for task work flags manipulation
> 
> Actually the poll part is this one:
> 
> commit 61a11cf4812726aceaee17c96432e1c08f6ed6cb
> Author: Jens Axboe <axboe@kernel.dk>
> Date:   Tue Mar 31 07:07:47 2026 -0600
> 
>     io_uring: protect remaining lockless ctx->rings accesses with RCU
> 
> which is also upstream.
> 
> -- 
> Jens Axboe

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2026-04-10  8:24 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-09 14:55 [PATCH] io_uring: fix null-ptr-deref in io_uring_poll l1zao
2026-04-09 15:28 ` Jens Axboe
2026-04-09 15:29   ` Jens Axboe
2026-04-10  8:24     ` 章怿贺

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox