On 10/24/24 9:47 AM, Jann Horn wrote: > On Tue, Oct 22, 2024 at 4:08 AM Jens Axboe <axboe@xxxxxxxxx> wrote: >> Here's a stab at supporting ring resizing. It supports resizing of >> both rings, SQ and CQ, as it's really no different than just doing >> the CQ ring itself. liburing has a 'resize-rings' branch with a bit >> of support code, and a test case: >> >> https://git.kernel.dk/cgit/liburing/log/?h=resize-rings >> >> and these patches can also be found here: >> >> https://git.kernel.dk/cgit/linux/log/?h=io_uring-ring-resize > > You'd need to properly synchronize that path with io_uring_mmap(), > right? Take a lock that prevents concurrent mmap() from accessing > ctx->ring_pages while the resize is concurrently freeing that array, > so that you don't get UAF? Yep indeed! It's missing the mmap_lock, I'll add that. > And I guess ideally you'd also zap the already-mapped pages from > corresponding VMAs with something like unmap_mapping_range(), though > that won't make a difference security-wise since the pages are > refcounted by the userspace mapping anyway. Yes don't think we need to do anything there, just have userspace unmap the old range upon return. -- Jens Axboe
