From: Jens Axboe <axboe@kernel.dk>
To: Gabriel Krisman Bertazi <krisman@suse.de>,
Ali Raza <elirazamumtaz@gmail.com>
Cc: io-uring@vger.kernel.org, linux-kernel@vger.kernel.org,
bpf@vger.kernel.org, Pavel Begunkov <asml.silence@gmail.com>
Subject: Re: [PATCH] io_uring: fix missing submitter_task ownership check in bpf_io_reg()
Date: Wed, 22 Apr 2026 15:46:13 -0600
Message-ID: <3296879f-4650-47f0-9186-f5482a598239@kernel.dk>
In-Reply-To: <87eck6ofo8.fsf@mailhost.krisman.be>
On 4/22/26 3:20 PM, Gabriel Krisman Bertazi wrote:
> Ali Raza <elirazamumtaz@gmail.com> writes:
>
>> bpf_io_reg() installs a BPF struct_ops loop_step on any io_uring ring
>> the caller holds a file descriptor for. io_uring_ctx_get_file() only
>> validates that the fd resolves to an io_uring file; it does not verify
>> the caller has authority over the ring's submitter_task.
>>
>> A parallel path in io_uring_register() already enforces this:
>>
>> if (ctx->submitter_task && ctx->submitter_task != current)
>> return -EEXIST; /* register.c:733 */
>
> How is this a protection? I thought ctx->submitter_task is about
> IORING_SETUP_SINGLE_ISSUER. there is no permission or capability over
> it against other processes.
>
>> Without the equivalent check in bpf_io_reg(), a local user with
>> CAP_PERFMON can exploit IORING_SETUP_R_DISABLED -- which defers
>
> I'd argue this is a non-issue. If you have CAP_PERFMON, you are able to
> mess with the process in many ways beyond this. Otherwise, how a
> process would be able to get the fd in the first place?
It is a non-issue. It relies entirely on an unrealistic scenario. Yes,
if you have a privileged task that can take over a non-privileged ring
fd, then yes, you can do bad things. News at 11...
--
Jens Axboe