diff options
| author | Pavel Begunkov <asml.silence@gmail.com> | 2025-08-14 15:40:57 +0100 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2025-11-13 15:36:47 -0500 |
| commit | d664a3ce3a604231a0b144c152a3755d03b18b60 (patch) | |
| tree | 55b45e341932b3512ff36e2cb75e88f78c5762e9 /io_uring/notif.c | |
| parent | fd06538d8fc11c4bab48883a92b063b5949acd20 (diff) | |
| download | linux-d664a3ce3a604231a0b144c152a3755d03b18b60.tar.gz linux-d664a3ce3a604231a0b144c152a3755d03b18b60.tar.bz2 linux-d664a3ce3a604231a0b144c152a3755d03b18b60.zip | |
io_uring/zctx: check chained notif contexts
[ Upstream commit ab3ea6eac5f45669b091309f592c4ea324003053 ]
Send zc only links ubuf_info for requests coming from the same context.
There are some ambiguous syz reports, so let's check the assumption on
notification completion.
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/fd527d8638203fe0f1c5ff06ff2e1d8fd68f831b.1755179962.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'io_uring/notif.c')
| -rw-r--r-- | io_uring/notif.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/io_uring/notif.c b/io_uring/notif.c index ea9c0116cec2..d8ba1165c949 100644 --- a/io_uring/notif.c +++ b/io_uring/notif.c @@ -14,10 +14,15 @@ static const struct ubuf_info_ops io_ubuf_ops; static void io_notif_tw_complete(struct io_kiocb *notif, io_tw_token_t tw) { struct io_notif_data *nd = io_notif_to_data(notif); + struct io_ring_ctx *ctx = notif->ctx; + + lockdep_assert_held(&ctx->uring_lock); do { notif = cmd_to_io_kiocb(nd); + if (WARN_ON_ONCE(ctx != notif->ctx)) + return; lockdep_assert(refcount_read(&nd->uarg.refcnt) == 0); if (unlikely(nd->zc_report) && (nd->zc_copied || !nd->zc_used)) |