torvalds/linux
torvalds/linux
2
0
Fork 0
mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-09-04 20:19:47 +08:00
Code
41b70df5b3
linux/io_uring
History
Jens Axboe 41b70df5b3 io_uring/net: commit partial buffers on retry 
Ring provided buffers are potentially only valid within the single
execution context in which they were acquired. io_uring deals with this
and invalidates them on retry. But on the networking side, if
MSG_WAITALL is set, or if the socket is of the streaming type and too
little was processed, then it will hang on to the buffer rather than
recycle or commit it. This is problematic for two reasons:

1) If someone unregisters the provided buffer ring before a later retry,
   then the req->buf_list will no longer be valid.

2) If multiple sockers are using the same buffer group, then multiple
   receives can consume the same memory. This can cause data corruption
   in the application, as either receive could land in the same
   userspace buffer.

Fix this by disallowing partial retries from pinning a provided buffer
across multiple executions, if ring provided buffers are used.

Cc: stable@vger.kernel.org
Reported-by: pt x <superman.xpt@gmail.com>
Fixes: c56e022c0a ("io_uring: add support for user mapped provided buffer ring")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2025-08-12 13:41:26 -06:00
..
advise.c io_uring: finish IOU_OK -> IOU_COMPLETE transition 2025-05-21 08:41:16 -06:00
advise.h io_uring: split out fadvise/madvise operations 2022-07-24 18:39:11 -06:00
alloc_cache.c io_uring: add alloc_cache.c 2025-01-28 15:10:40 -07:00
alloc_cache.h io_uring/net: convert to struct iou_vec 2025-03-07 13:41:08 -07:00
cancel.c io_uring: finish IOU_OK -> IOU_COMPLETE transition 2025-05-21 08:41:16 -06:00
cancel.h io_uring/cancel: add generic cancel helper 2025-02-17 05:34:45 -07:00
cmd_net.c io_uring/netcmd: add tx timestamping cmd support 2025-06-23 09:00:12 -06:00
epoll.c io_uring: finish IOU_OK -> IOU_COMPLETE transition 2025-05-21 08:41:16 -06:00
epoll.h io_uring/epoll: add support for IORING_OP_EPOLL_WAIT 2025-02-20 07:59:56 -07:00
eventfd.c io_uring/eventfd: open code io_eventfd_grab() 2025-04-24 08:33:54 -06:00
eventfd.h io_uring/eventfd: dedup signalling helpers 2025-04-24 08:33:54 -06:00
fdinfo.c io_uring: fix use-after-free of sq->thread in __io_uring_show_fdinfo() 2025-06-10 11:20:04 -06:00
fdinfo.h io_uring: move fdinfo helpers to its own file 2022-07-24 18:39:12 -06:00
filetable.c io_uring: cache nodes and mapped buffers 2025-02-28 07:05:46 -07:00
filetable.h io_uring/rsrc: pass 'struct io_ring_ctx' reference to rsrc helpers 2024-11-07 15:24:33 -07:00
fs.c io_uring: finish IOU_OK -> IOU_COMPLETE transition 2025-05-21 08:41:16 -06:00
fs.h io_uring: split out filesystem related operations 2022-07-24 18:39:11 -06:00
futex.c io_uring/futex: mark wait requests as inflight 2025-06-04 10:50:14 -06:00
futex.h io_uring: move cancelations to be io_uring_task based 2024-11-06 13:55:38 -07:00
io_uring.c for-6.17/io_uring-20250728 2025-07-28 16:30:12 -07:00
io_uring.h io_uring: deduplicate wakeup handling 2025-07-15 12:20:06 -06:00
io-wq.c io_uring: fix task leak issue in io_wq_create() 2025-06-15 12:58:39 -06:00
io-wq.h io_uring/wq: avoid indirect do_work/free_work calls 2025-04-21 05:06:58 -06:00
kbuf.c io_uring/kbuf: flag partial buffer mappings 2025-06-26 12:17:48 -06:00
kbuf.h io_uring/kbuf: flag partial buffer mappings 2025-06-26 12:17:48 -06:00
Kconfig io_uring: make zcrx depend on CONFIG_IO_URING 2025-03-31 07:07:44 -06:00
Makefile io_uring/mock: add basic infra for test mock files 2025-07-02 08:10:26 -06:00
memmap.c io_uring/memmap: cast nr_pages to size_t before shifting 2025-08-08 06:35:14 -06:00
memmap.h io_uring: update parameter name in io_pin_pages function declaration 2025-05-09 07:58:22 -06:00
mock_file.c io_uring/mock: add trivial poll handler 2025-07-02 08:10:26 -06:00
msg_ring.c io_uring/msg_ring: ensure io_kiocb freeing is deferred for RCU 2025-07-08 11:08:31 -06:00
msg_ring.h io_uring/msg_ring: Drop custom destructor 2024-12-27 10:08:21 -07:00
napi.c net: use napi_id_valid helper 2025-02-17 16:43:04 -08:00
napi.h io_uring/napi: add static napi tracking strategy 2024-11-06 13:55:38 -07:00
net.c io_uring/net: commit partial buffers on retry 2025-08-12 13:41:26 -06:00
net.h io_uring/net: convert to struct iou_vec 2025-03-07 13:41:08 -07:00
nop.c io_uring/nop: add IORING_NOP_TW completion flag 2025-06-23 08:59:13 -06:00
nop.h io_uring: move nop into its own file 2022-07-24 18:39:11 -06:00
notif.c io_uring: remove io_preinit_req() 2025-05-06 10:11:23 -06:00
notif.h io_uring/notif: implement notification stacking 2024-04-22 19:31:18 -06:00
opdef.c Merge branch 'io_uring-6.16' into for-6.17/io_uring 2025-07-06 16:42:23 -06:00
opdef.h io_uring: add struct io_cold_def->sqe_copy() method 2025-06-23 08:59:13 -06:00
openclose.c fs/pipe: set FMODE_NOWAIT in create_pipe_files() 2025-06-10 13:16:19 +02:00
openclose.h io_uring: add support for IORING_OP_PIPE 2025-04-21 05:06:58 -06:00
poll.c for-6.17/io_uring-20250728 2025-07-28 16:30:12 -07:00
poll.h io_uring/poll: introduce io_arm_apoll() 2025-06-23 09:00:12 -06:00
refs.h io_uring: always do atomic put from iowq 2025-04-03 08:31:57 -06:00
register.c io_uring: consistently use rcu semantics with sqpoll thread 2025-06-12 08:17:09 -06:00
register.h io_uring: clean up a type in io_uring_register_get_file() 2024-09-16 12:04:10 -06:00
rsrc.c io_uring: export io_[un]account_mem 2025-07-16 16:23:28 -06:00
rsrc.h io_uring: export io_[un]account_mem 2025-07-16 16:23:28 -06:00
rw.c io_uring/rw: cast rw->flags assignment to rwf_t 2025-07-07 16:46:30 -06:00
rw.h io_uring/kbuf: pass bgid to io_buffer_select() 2025-04-21 05:06:58 -06:00
slist.h io_uring: silence variable ‘prev’ set but not used warning 2023-03-09 10:10:58 -07:00
splice.c io_uring: finish IOU_OK -> IOU_COMPLETE transition 2025-05-21 08:41:16 -06:00
splice.h io_uring/splice: open code 2nd direct file assignment 2024-10-29 13:43:28 -06:00
sqpoll.c io_uring/sqpoll: don't put task_struct on tctx setup failure 2025-06-17 06:43:18 -06:00
sqpoll.h io_uring: consistently use rcu semantics with sqpoll thread 2025-06-12 08:17:09 -06:00
statx.c io_uring: finish IOU_OK -> IOU_COMPLETE transition 2025-05-21 08:41:16 -06:00
statx.h io_uring: move statx handling to its own file 2022-07-24 18:39:11 -06:00
sync.c io_uring: finish IOU_OK -> IOU_COMPLETE transition 2025-05-21 08:41:16 -06:00
sync.h io_uring: split out fs related sync/fallocate functions 2022-07-24 18:39:11 -06:00
tctx.c io_uring/wq: avoid indirect do_work/free_work calls 2025-04-21 05:06:58 -06:00
tctx.h io_uring: simplify __io_uring_add_tctx_node 2022-10-07 12:25:30 -06:00
timeout.c io_uring: finish IOU_OK -> IOU_COMPLETE transition 2025-05-21 08:41:16 -06:00
timeout.h io_uring/timeout: don't export link t-out disarm helper 2025-05-06 10:11:23 -06:00
truncate.c io_uring: finish IOU_OK -> IOU_COMPLETE transition 2025-05-21 08:41:16 -06:00
truncate.h io_uring: add support for ftruncate 2024-02-09 09:04:39 -07:00
uring_cmd.c io_uring/cmd: remove struct io_uring_cmd_data 2025-07-18 12:34:56 -06:00
uring_cmd.h io_uring/cmd: remove struct io_uring_cmd_data 2025-07-18 12:34:56 -06:00
waitid.c io_uring: finish IOU_OK -> IOU_COMPLETE transition 2025-05-21 08:41:16 -06:00
waitid.h io_uring: move cancelations to be io_uring_task based 2024-11-06 13:55:38 -07:00
xattr.c io_uring: finish IOU_OK -> IOU_COMPLETE transition 2025-05-21 08:41:16 -06:00
xattr.h io_uring: move xattr related opcodes to its own file 2022-07-24 18:39:11 -06:00
zcrx.c for-6.17/io_uring-20250728 2025-07-28 16:30:12 -07:00
zcrx.h io_uring/zcrx: account area memory 2025-07-16 16:23:28 -06:00