kernel/linux.git/include/linux/io_uring.h, branch v6.1.168Linux kernel stable tree (mirror)https://git.radix-linux.su/kernel/linux.git/atom?h=v6.1.1682024-12-27T12:53:00+00:00io_uring: Fix registered ring file refcount leak2024-12-27T12:53:00+00:00Jann Hornjannh@google.com2024-12-18T16:56:25+00:00urn:sha1:c034ce2668ae94f04ff46d29b195409614feaf75
commit 12d908116f7efd34f255a482b9afc729d7a5fb78 upstream.
Currently, io_uring_unreg_ringfd() (which cleans up registered rings) is
only called on exit, but __io_uring_free (which frees the tctx in which the
registered ring pointers are stored) is also called on execve (via
begin_new_exec -> io_uring_task_cancel -> __io_uring_cancel ->
io_uring_cancel_generic -> __io_uring_free).
This means: A process going through execve while having registered rings
will leak references to the rings' `struct file`.
Fix it by zapping registered rings on execve(). This is implemented by
moving the io_uring_unreg_ringfd() from io_uring_files_cancel() into its
callee __io_uring_cancel(), which is called from io_uring_task_cancel() on
execve.
This could probably be exploited *on 32-bit kernels* by leaking 2^32
references to the same ring, because the file refcount is stored in a
pointer-sized field and get_file() doesn't have protection against
refcount overflow, just a WARN_ONCE(); but on 64-bit it should have no
impact beyond a memory leak.
Cc: stable@vger.kernel.org
Fixes: e7a6c00dc77a ("io_uring: add support for registering ring file descriptors")
Signed-off-by: Jann Horn <jannh@google.com>
Link: https://lore.kernel.org/r/20241218-uring-reg-ring-cleanup-v1-1-8f63e999045b@google.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
io_uring/unix: drop usage of io_uring socket2024-03-26T22:20:22+00:00Jens Axboeaxboe@kernel.dk2024-03-14T00:10:12+00:00urn:sha1:28fe81bcd3ea932e280f04e087ff0c75a4995a46
Commit a4104821ad651d8a0b374f0b2474c345bbb42f82 upstream.
Since we no longer allow sending io_uring fds over SCM_RIGHTS, move to
using io_is_uring_fops() to detect whether this is a io_uring fd or not.
With that done, kill off io_uring_get_socket() as nobody calls it
anymore.
This is in preparation to yanking out the rest of the core related to
unix gc with io_uring.
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
block/io_uring: pass in issue_flags for uring_cmd task_work handling2023-04-06T10:10:51+00:00Jens Axboeaxboe@kernel.dk2023-03-21T02:01:25+00:00urn:sha1:e5da11825ef7c3f4760b235e04e225e7c8746279
commit 9d2789ac9d60c049d26ef6d3005d9c94c5a559e9 upstream.
io_uring_cmd_done() currently assumes that the uring_lock is held
when invoked, and while it generally is, this is not guaranteed.
Pass in the issue_flags associated with it, so that we have
IO_URING_F_UNLOCKED available to be able to lock the CQ ring
appropriately when completing events.
Cc: stable@vger.kernel.org
Fixes: ee692a21e9bf ("fs,io_uring: add infrastructure for uring-cmd")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
io_uring: fix multishot accept request leaks2022-11-17T19:33:33+00:00Pavel Begunkovasml.silence@gmail.com2022-11-17T18:40:16+00:00urn:sha1:91482864768a874c4290ef93b84a78f4f1dac51b
Having REQ_F_POLLED set doesn't guarantee that the request is
executed as a multishot from the polling path. Fortunately for us, if
the code thinks it's multishot issue when it's not, it can only ask to
skip completion so leaking the request. Use issue_flags to mark
multipoll issues.
Cc: stable@vger.kernel.org
Fixes: 390ed29b5e425 ("io_uring: add IORING_ACCEPT_MULTISHOT for accept")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/7700ac57653f2823e30b34dc74da68678c0c5f13.1668710222.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
io_uring: Add missing inline to io_uring_cmd_import_fixed() dummy2022-10-04T14:13:20+00:00Geert Uytterhoevengeert+renesas@glider.be2022-10-04T12:39:10+00:00urn:sha1:0e0abad2a71bcd7ba0f30e7975f5b4199ade4e60
If CONFIG_IO_URING is not set:
include/linux/io_uring.h:65:12: error: ‘io_uring_cmd_import_fixed’ defined but not used [-Werror=unused-function]
65 | static int io_uring_cmd_import_fixed(u64 ubuf, unsigned long len, int rw,
| ^~~~~~~~~~~~~~~~~~~~~~~~~
Fix this by adding the missing "inline" keyword.
Fixes: a9216fac3ed8819c ("io_uring: add io_uring_cmd_import_fixed")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://lore.kernel.org/r/7404b4a696f64e33e5ef3c5bd3754d4f26d13e50.1664887093.git.geert+renesas@glider.be
Signed-off-by: Jens Axboe <axboe@kernel.dk>
io_uring: introduce fixed buffer support for io_uring_cmd2022-09-30T13:50:59+00:00Anuj Guptaanuj20.g@samsung.com2022-09-30T06:27:39+00:00urn:sha1:9cda70f622cdcf049521a9c2886e5fd8a90a0591
Add IORING_URING_CMD_FIXED flag that is to be used for sending io_uring
command with previously registered buffers. User-space passes the buffer
index in sqe->buf_index, same as done in read/write variants that uses
fixed buffers.
Signed-off-by: Anuj Gupta <anuj20.g@samsung.com>
Signed-off-by: Kanchan Joshi <joshi.k@samsung.com>
Link: https://lore.kernel.org/r/20220930062749.152261-3-anuj20.g@samsung.com
[axboe: shuffle valid flags check before acting on it]
Signed-off-by: Jens Axboe <axboe@kernel.dk>
io_uring: add io_uring_cmd_import_fixed2022-09-30T13:49:11+00:00Anuj Guptaanuj20.g@samsung.com2022-09-30T06:27:38+00:00urn:sha1:a9216fac3ed8819cbbda5d39dd5fcaa43dfd35d8
This is a new helper that callers can use to obtain a bvec iterator for
the previously mapped buffer. This is preparatory work to enable
fixed-buffer support for io_uring_cmd.
Signed-off-by: Anuj Gupta <anuj20.g@samsung.com>
Signed-off-by: Kanchan Joshi <joshi.k@samsung.com>
Link: https://lore.kernel.org/r/20220930062749.152261-2-anuj20.g@samsung.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
io_uring: add iopoll infrastructure for io_uring_cmd2022-09-21T16:30:42+00:00Kanchan Joshijoshi.k@samsung.com2022-08-23T16:14:41+00:00urn:sha1:5756a3a7e713bcab705a5f0c810a2b1f7f4ecfaa
Put this up in the same way as iopoll is done for regular read/write IO.
Make place for storing a cookie into struct io_uring_cmd on submission.
Perform the completion using the ->uring_cmd_iopoll handler.
Signed-off-by: Kanchan Joshi <joshi.k@samsung.com>
Signed-off-by: Pankaj Raghav <p.raghav@samsung.com>
Link: https://lore.kernel.org/r/20220823161443.49436-3-joshi.k@samsung.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
fs,io_uring: add infrastructure for uring-cmd2022-05-11T13:40:47+00:00Jens Axboeaxboe@kernel.dk2022-05-11T05:47:45+00:00urn:sha1:ee692a21e9bf8354bd3ec816f1cf4bff8619ed77
file_operations->uring_cmd is a file private handler.
This is somewhat similar to ioctl but hopefully a lot more sane and
useful as it can be used to enable many io_uring capabilities for the
underlying operation.
IORING_OP_URING_CMD is a file private kind of request. io_uring doesn't
know what is in this command type, it's for the provider of ->uring_cmd()
to deal with.
Co-developed-by: Kanchan Joshi <joshi.k@samsung.com>
Signed-off-by: Kanchan Joshi <joshi.k@samsung.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20220511054750.20432-2-joshi.k@samsung.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
io_uring: add io_uring_get_opcode2022-04-26T12:50:42+00:00Dylan Yudakendylany@fb.com2022-04-26T08:29:05+00:00urn:sha1:33337d03f04f9ea3a50ac2d3490a5d7a3ba9be82
In some debug scenarios it is useful to have the text representation of
the opcode. Add this function in preparation.
Signed-off-by: Dylan Yudaken <dylany@fb.com>
Link: https://lore.kernel.org/r/20220426082907.3600028-3-dylany@fb.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>