On Tue, Oct 22, 2024 at 4:08 AM Jens Axboe <axboe@xxxxxxxxx> wrote: > Here's a stab at supporting ring resizing. It supports resizing of > both rings, SQ and CQ, as it's really no different than just doing > the CQ ring itself. liburing has a 'resize-rings' branch with a bit > of support code, and a test case: > > https://git.kernel.dk/cgit/liburing/log/?h=resize-rings > > and these patches can also be found here: > > https://git.kernel.dk/cgit/linux/log/?h=io_uring-ring-resize You'd need to properly synchronize that path with io_uring_mmap(), right? Take a lock that prevents concurrent mmap() from accessing ctx->ring_pages while the resize is concurrently freeing that array, so that you don't get UAF? And I guess ideally you'd also zap the already-mapped pages from corresponding VMAs with something like unmap_mapping_range(), though that won't make a difference security-wise since the pages are refcounted by the userspace mapping anyway.
