From: Hao-Yu Yang
To: security@kernel.org
Cc: naxboe@kernel.dk, io-uring@vger.kernel.org, linux-kernel@vger.kernel.org, Hao-Yu Yang
Subject: [PATCH v1] io_uring/register.c: fix NULL pointer dereference in io_register_resize_rings
Date: Mon, 9 Mar 2026 14:27:59 +0800
Message-Id: <20260309062759.482210-1-naup96721@gmail.com>
X-Mailer: git-send-email 2.34.1
X-Mailing-List: linux-kernel@vger.kernel.org

During io_register_resize_rings execution, ctx->rings is temporarily set to
NULL before new ring memory is allocated. If a timer interrupt fires during
this window, the interrupt handler (via timerfd_tmrproc -> io_poll_wake ->
__io_req_task_work_add -> io_req_local_work_add) attempts to access
ctx->rings->sq_flags, causing a race condition and a NULL pointer
dereference.

BUG: kernel NULL pointer dereference, address: 0000000000000024
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 __io_poll_execute (io_uring/poll.c:223)
 io_poll_wake (io_uring/poll.c:426)
 __wake_up_common (kernel/sched/wait.c:109)
 __wake_up_locked_key (kernel/sched/wait.c:167)
 timerfd_tmrproc (./include/linux/spinlock.h:407 fs/timerfd.c:71 fs/timerfd.c:78)
 ? __pfx_timerfd_tmrproc (fs/timerfd.c:75)
 __hrtimer_run_queues (kernel/time/hrtimer.c:1785 kernel/time/hrtimer.c:1849)
 hrtimer_interrupt (kernel/time/hrtimer.c:1914)
 __sysvec_apic_timer_interrupt (./arch/x86/include/asm/jump_label.h:37 ./arch/x86/include/asm/trace/irq_vectors.h:40 arch/x86/kernel/apic/apic.c:1063)
 sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1056 arch/x86/kernel/apic/apic.c:1056)
 asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:697)
RIP: 0010:io_register_resize_rings (io_uring/register.c:593)
 ? io_register_resize_rings (io_uring/register.c:580)
 __io_uring_register (io_uring/register.c:898)
 ? fget (fs/file.c:1114)
 __x64_sys_io_uring_register (io_uring/register.c:1026 io_uring/register.c:1001 io_uring/register.c:1001)
 x64_sys_call (arch/x86/entry/syscall_64.c:41)
 do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall)
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

Fix by using spin_lock_irq/spin_unlock_irq instead of spin_lock/spin_unlock
in io_register_resize_rings. This disables IRQs while ctx->rings is set to
NULL, preventing interrupt handlers from executing during the window when
ctx->rings is NULL.

Fixes: 79cfe9e59c2a ("io_uring/register: add IORING_REGISTER_RESIZE_RINGS")
Reported-by: Hao-Yu Yang
Signed-off-by: Hao-Yu Yang
---
 io_uring/register.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/io_uring/register.c b/io_uring/register.c
index 6015a3e9ce69..0526301f7a25 100644
--- a/io_uring/register.c
+++ b/io_uring/register.c
@@ -576,7 +576,7 @@ static int io_register_resize_rings(struct io_ring_ctx *ctx, void __user *arg)
 	 * duration of the actual swap.
 	 */
 	mutex_lock(&ctx->mmap_lock);
-	spin_lock(&ctx->completion_lock);
+	spin_lock_irq(&ctx->completion_lock);
 	o.rings = ctx->rings;
 	ctx->rings = NULL;
 	o.sq_sqes = ctx->sq_sqes;
@@ -640,7 +640,7 @@ static int io_register_resize_rings(struct io_ring_ctx *ctx, void __user *arg)
 	to_free = &o;
 	ret = 0;
 out:
-	spin_unlock(&ctx->completion_lock);
+	spin_unlock_irq(&ctx->completion_lock);
 	mutex_unlock(&ctx->mmap_lock);
 	io_register_free_rings(ctx, to_free);
 
-- 
2.34.1
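Review bot: spin_lock_irq() in the first hunk masks interrupts only on the CPU running the resize, so it closes the window only for a timer that fires on that same CPU. The commit message says the crashing path (timerfd_tmrproc -> io_poll_wake -> __io_req_task_work_add -> io_req_local_work_add) reads ctx->rings->sq_flags, and nothing in the trace or in the hunk shows that path taking completion_lock; a timer interrupt on another CPU while `ctx->rings = NULL;` is in effect would still dereference NULL. Unless the reader side is also serialized on completion_lock, the fix needs either a reader that tolerates ctx->rings == NULL or a resize that keeps the old rings installed until the new ones are swapped in, not a local IRQ mask. The description of the window should also be checked against the hunk context: the message says ctx->rings is cleared "before new ring memory is allocated", while the context here places the NULL store under mmap_lock in the section commented as the actual swap.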
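Review bot: with the lock now taken as spin_lock_irq(), the spin_unlock_irq() at out: in the second hunk re-enables interrupts unconditionally, so every exit from the locked region must pass through this label. The visible context (`to_free = &o;`, `ret = 0;`, `out:`) covers the success path, but the roughly sixty lines between the two hunk headers (@@ -576 and @@ -640) are not in the diff, and any early return or error path there that bypassed out: would return to userspace with interrupts off; please state in the commit message that all error paths funnel through out:. Separately, the whole region between the hunks now runs with local interrupts masked, so IRQ-off time grows with however much SQ/CQ state is copied during the swap; if that copy can be long for large rings, consider narrowing the irq-disabled span to the pointer swap itself.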
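The race the commit message describes, as a user-space model added here; this is not code from the patch, from io_uring or from the kernel. The names (ring_ctx, irq_work_add, resize_rings, scenario, SQ_TASKRUN) are stand-ins chosen for the model, completion_lock is a two-line atomic_flag spinlock, and the timer interrupt is a direct call placed inside the window. The model goes one step beyond the patch: it shows what spin_lock_irq() does and does not do, by letting the interrupt land either on the resizing CPU (where the mask defers it) or on another CPU (where it still runs inside the window), and it contrasts publishing NULL during the swap with keeping the old rings installed until the new ones are stored.

```c
/*
 * Added example, not from the patch or the kernel: a user-space model of the
 * ctx->rings == NULL window. Types, lock and "interrupt" are stand-ins; only
 * the shape of the race is preserved.
 */
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

#define SQ_TASKRUN 0x4u   /* stand-in for the flag the IRQ path sets in sq_flags */

enum { CPU_LOCAL = 0, CPU_REMOTE = 1 };   /* where the modeled timer IRQ lands */
enum { PUBLISH_NULL = 0, KEEP_OLD = 1 };  /* what ctx->rings holds mid-swap */

struct rings {
	atomic_uint sq_flags;
};

struct ring_ctx {
	atomic_flag completion_lock;   /* taken by the resizer only */
	struct rings *_Atomic rings;   /* read locklessly by the IRQ path */
};

/* Minimal spinlock standing in for spin_lock()/spin_unlock(). */
static void spin_lock_model(atomic_flag *l)
{
	while (atomic_flag_test_and_set_explicit(l, memory_order_acquire))
		;
}

static void spin_unlock_model(atomic_flag *l)
{
	atomic_flag_clear_explicit(l, memory_order_release);
}

/*
 * Model of the interrupt-side reader (io_req_local_work_add in the trace):
 * no lock, just a dereference. Returns -1 where the kernel would have oopsed.
 */
static int irq_work_add(struct ring_ctx *ctx)
{
	struct rings *r = atomic_load_explicit(&ctx->rings, memory_order_acquire);

	if (!r)
		return -1;
	atomic_fetch_or(&r->sq_flags, SQ_TASKRUN);
	return 0;
}

/*
 * Model of the resize. mask_local_irq stands for spin_lock_irq(): an
 * interrupt on this CPU is held until unlock, one on another CPU is not.
 * mode selects whether ctx->rings is NULL during the copy (as in the code
 * under review) or keeps pointing at the old rings until the new ones are
 * installed with a single release store.
 * Returns the IRQ path's result: 0 on success, -1 for a NULL dereference.
 */
static int resize_rings(struct ring_ctx *ctx, struct rings *new_r,
			int mask_local_irq, int mode, int irq_cpu)
{
	int ret = 0, deferred = 0;
	struct rings *old_r;

	spin_lock_model(&ctx->completion_lock);
	old_r = atomic_load(&ctx->rings);
	if (mode == PUBLISH_NULL)
		atomic_store(&ctx->rings, NULL);          /* the window opens */

	/* The timer fires here, while SQ/CQ state is being copied. */
	if (irq_cpu == CPU_LOCAL && mask_local_irq)
		deferred = 1;                             /* masked until unlock */
	else
		ret = irq_work_add(ctx);                  /* runs now */

	/* Carry state over, then install the new rings for every reader at once. */
	atomic_store(&new_r->sq_flags, atomic_load(&old_r->sq_flags));
	atomic_store_explicit(&ctx->rings, new_r, memory_order_release);
	spin_unlock_model(&ctx->completion_lock);

	if (deferred)
		ret = irq_work_add(ctx);                  /* now sees new_r */
	return ret;
}

/* One scenario on a fresh context: -1 for a NULL dereference, else the
 * sq_flags of the installed rings afterwards (shows whether the IRQ's flag
 * survived the swap). */
static int scenario(int mask_local_irq, int mode, int irq_cpu)
{
	struct rings old_r = { 0 }, new_r = { 0 };
	struct ring_ctx ctx = { .completion_lock = ATOMIC_FLAG_INIT };
	int ret;

	atomic_init(&ctx.rings, &old_r);
	ret = resize_rings(&ctx, &new_r, mask_local_irq, mode, irq_cpu);
	if (ret < 0)
		return ret;
	return (int)atomic_load(&new_r.sq_flags);
}

int main(void)
{
	printf("pre-patch, IRQ on this CPU:    %d\n", scenario(0, PUBLISH_NULL, CPU_LOCAL));
	printf("patched,   IRQ on this CPU:    %d\n", scenario(1, PUBLISH_NULL, CPU_LOCAL));
	printf("patched,   IRQ on another CPU: %d\n", scenario(1, PUBLISH_NULL, CPU_REMOTE));
	printf("keep old,  IRQ on another CPU: %d\n", scenario(0, KEEP_OLD, CPU_REMOTE));
	return 0;
}
```

main() prints -1, 4, -1, 4: the pre-patch shape crashes for either CPU, the local IRQ mask saves only the same-CPU case, and keeping the old rings visible until the release store saves both (4 is SQ_TASKRUN carried into the new rings). The model serializes the interrupt before the copy, so it says nothing about a reader that loaded the old pointer just before the release store; handling that before the old rings are reused is outside what this patch changes.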