mirror of https://lore.kernel.org/lkml/
 help / color / mirror / Atom feed
From: Jens Axboe <axboe@kernel.dk>
To: Gabriel Krisman Bertazi <krisman@suse.de>,
	Feng Xue <feng.xue@outlook.com>,
	"io-uring@vger.kernel.org" <io-uring@vger.kernel.org>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	Pavel Begunkov <asml.silence@gmail.com>
Subject: Re: [PATCH] io_uring/net: clear stale vec on buffer peek error after expansion
Date: Wed, 8 Jul 2026 09:50:45 -0600	[thread overview]
Message-ID: <18ebc6be-f76e-43f5-ba73-8ab4f83c3b2b@kernel.dk> (raw)
In-Reply-To: <87ldblwkm5.fsf@mailhost.krisman.be>

On 7/8/26 9:45 AM, Gabriel Krisman Bertazi wrote:
> Feng Xue <feng.xue@outlook.com> writes:
> 
>> Subject: [PATCH] io_uring/net: clear stale vec on buffer peek error after expansion
>>
>> When io_ring_buffers_peek() expands the iovec array during a bundle
>> recv retry, it frees the old array (A) and allocates a new one (B).
>> If access_ok() then fails, B is also freed and -EFAULT is returned.
>>
>> The callers io_recv_buf_select() and io_send_select_buffer() only
>> update kmsg->vec.iovec on success, so on this error path vec.iovec
>> still points to freed A. The stale pointer survives into the netmsg
>> alloc cache via io_netmsg_recycle() (vec.nr < IO_VEC_CACHE_SOFT_CAP
>> so io_vec_free is not called). A subsequent bundle operation reuses
>> the cached hdr, sees vec.iovec non-NULL, sets REQ_F_NEED_CLEANUP,
>> and passes the dangling pointer back to io_ring_buffers_peek() ?
>> which writes iovec entries to freed memory (use-after-free).
>>
>> If the alloc cache is full, the alternative cleanup path through
>> io_clean_op() ? io_vec_free() kfree()s the already-freed A
>> (double-free).
>>
>> Fix this by NULLing vec.iovec and zeroing vec.nr on the error path
>> when expansion occurred (detected by arg.iovs != kmsg->vec.iovec).
>> Do not call io_vec_free() here ? A is already freed by the expansion
>> block, so kfree()ing it again would itself be a double-free.
>>
>> Apply the same fix to io_send_select_buffer() which has the identical
>> update-after-success pattern.
> 
> cleaning in the caller makes the issue much more likely to happen again
> in a future use of this function.  It would be better to fix the bad
> semantics of io_ring_buffers_peek instead.
> 
> In fact, this is exactly the point of this patch, which I believe
> already fixed this issue:
> 
> https://lore.kernel.org/io-uring/178338543579.49877.9882374687710864124.b4-ty@b4/T/#t

Indeed, this version is just a terrible LLM version of trying to fix the
same thing, but not understanding the issue.

-- 
Jens Axboe

      reply	other threads:[~2026-07-08 15:50 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-08  6:08 Feng Xue
2026-07-08 15:45 ` Gabriel Krisman Bertazi
2026-07-08 15:50   ` Jens Axboe [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=18ebc6be-f76e-43f5-ba73-8ab4f83c3b2b@kernel.dk \
    --to=axboe@kernel.dk \
    --cc=asml.silence@gmail.com \
    --cc=feng.xue@outlook.com \
    --cc=io-uring@vger.kernel.org \
    --cc=krisman@suse.de \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox

Powered by JetHome