diff options
| author | Jann Horn <jannh@google.com> | 2025-01-14 18:49:00 +0100 |
|---|---|---|
| committer | Jens Axboe <axboe@kernel.dk> | 2025-01-14 10:59:48 -0700 |
| commit | 19d340a2988d4f3e673cded9dde405d727d7e248 (patch) | |
| tree | a972160c33c1120f172f2ef330f0b8bee376eff7 /io_uring | |
| parent | a13030fd194c88961be4679f87a1380f1bda0ebe (diff) | |
io_uring/rsrc: require cloned buffers to share accounting contexts
When IORING_REGISTER_CLONE_BUFFERS is used to clone buffers from uring
instance A to uring instance B, where A and B use different MMs for
accounting, the accounting can go wrong:
If uring instance A is closed before uring instance B, the pinned memory
counters for uring instance B will be decremented, even though the pinned
memory was originally accounted through uring instance A; so the MM of
uring instance B can end up with negative locked memory.
Cc: stable@vger.kernel.org
Closes: https://lore.kernel.org/r/CAG48ez1zez4bdhmeGLEFxtbFADY4Czn3CV0u9d_TMcbvRA01bg@mail.gmail.com
Fixes: 7cc2a6eadcd7 ("io_uring: add IORING_REGISTER_COPY_BUFFERS method")
Signed-off-by: Jann Horn <jannh@google.com>
Link: https://lore.kernel.org/r/20250114-uring-check-accounting-v1-1-42e4145aa743@google.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Diffstat (limited to 'io_uring')
| -rw-r--r-- | io_uring/rsrc.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/io_uring/rsrc.c b/io_uring/rsrc.c index 964a47c8d85e..688e277f0335 100644 --- a/io_uring/rsrc.c +++ b/io_uring/rsrc.c @@ -928,6 +928,13 @@ static int io_clone_buffers(struct io_ring_ctx *ctx, struct io_ring_ctx *src_ctx int i, ret, off, nr; unsigned int nbufs; + /* + * Accounting state is shared between the two rings; that only works if + * both rings are accounted towards the same counters. + */ + if (ctx->user != src_ctx->user || ctx->mm_account != src_ctx->mm_account) + return -EINVAL; + /* if offsets are given, must have nr specified too */ if (!arg->nr && (arg->dst_off || arg->src_off)) return -EINVAL; |