* io_uring/recvmsg using io_provide_buffers causes kernel NULL pointer dereference bug
@ 2021-07-04 9:50 Mauro De Gennaro
2021-07-06 10:47 ` Pavel Begunkov
0 siblings, 1 reply; 3+ messages in thread
From: Mauro De Gennaro @ 2021-07-04 9:50 UTC (permalink / raw)
To: io-uring
Hi,
First time reporting what seems to be a kernel bug, so I apologise if
I am not supposed to send bug reports to this mailing list as well.
The report was filed at Bugzilla:
https://bugzilla.kernel.org/show_bug.cgi?id=213639
It happens on 5.11 and I haven't tested the code yet on newer kernels.
Thank you.
Best,
Mauro
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: io_uring/recvmsg using io_provide_buffers causes kernel NULL pointer dereference bug
2021-07-04 9:50 io_uring/recvmsg using io_provide_buffers causes kernel NULL pointer dereference bug Mauro De Gennaro
@ 2021-07-06 10:47 ` Pavel Begunkov
2021-07-06 15:46 ` Mauro De Gennaro
0 siblings, 1 reply; 3+ messages in thread
From: Pavel Begunkov @ 2021-07-06 10:47 UTC (permalink / raw)
To: Mauro De Gennaro, io-uring
On 7/4/21 10:50 AM, Mauro De Gennaro wrote:
> Hi,
>
> First time reporting what seems to be a kernel bug, so I apologise if
> I am not supposed to send bug reports to this mailing list as well.
> The report was filed at Bugzilla:
That's exactly the right place to report, not everyone monitor
bugzilla, if any at all. Thanks for letting know
> https://bugzilla.kernel.org/show_bug.cgi?id=213639
>
> It happens on 5.11 and I haven't tested the code yet on newer kernels.
--
Pavel Begunkov
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: io_uring/recvmsg using io_provide_buffers causes kernel NULL pointer dereference bug
2021-07-06 10:47 ` Pavel Begunkov
@ 2021-07-06 15:46 ` Mauro De Gennaro
0 siblings, 0 replies; 3+ messages in thread
From: Mauro De Gennaro @ 2021-07-06 15:46 UTC (permalink / raw)
To: io-uring
Great, thank you. Something I forgot to mention on the Bugzilla ticket
is that recvmsg() always returns the same provided buffer id even if
this buffer is being currently used in user space and hasn't been
returned to the kernel. For example, if you provide 100 buffers (ids 0
- 99) and never return them back to the kernel after each recvmsg
call, then further calls to recvmsg() will keep returning buffer id 99
until the kernel runs out of buffers. I suspect the kernel null
pointer dereference bug might be related to this behaviour as well.
Thanks again.
On Tue, Jul 6, 2021 at 12:47 PM Pavel Begunkov <[email protected]> wrote:
>
> On 7/4/21 10:50 AM, Mauro De Gennaro wrote:
> > Hi,
> >
> > First time reporting what seems to be a kernel bug, so I apologise if
> > I am not supposed to send bug reports to this mailing list as well.
> > The report was filed at Bugzilla:
>
> That's exactly the right place to report, not everyone monitor
> bugzilla, if any at all. Thanks for letting know
>
> > https://bugzilla.kernel.org/show_bug.cgi?id=213639
> >
> > It happens on 5.11 and I haven't tested the code yet on newer kernels.
>
> --
> Pavel Begunkov
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-07-06 15:46 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-07-04 9:50 io_uring/recvmsg using io_provide_buffers causes kernel NULL pointer dereference bug Mauro De Gennaro
2021-07-06 10:47 ` Pavel Begunkov
2021-07-06 15:46 ` Mauro De Gennaro
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox