From: Jens Axboe <axboe@kernel.dk>
To: Federico Brasili <federico.brasili@gmail.com>
Cc: io-uring@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [BUG io_uring] Failed RECVSEND_BUNDLE can persistently shrink non-INC pbuf ring len and affect later READ operations
Date: Sun, 7 Jun 2026 15:38:53 -0600 [thread overview]
Message-ID: <36351bf5-fb6a-4712-ae27-5b907452bdab@kernel.dk> (raw)
In-Reply-To: <CAAEr8jZDdiYB2vp9VJzSqq2J-GssH8GhrLYYn_2W2KAjYwDzSQ@mail.gmail.com>
On 6/7/26 2:08 PM, Federico Brasili wrote:
> Hi Jens,
>
> Sure, attaching the minimal reproducer and the output from my Ubuntu
> 7.0.0-22-generic test system.
Great thanks, I'll take a look. For the record, please don't top post
reply. It makes a mess of conversations on the mailing list.
> The reproducer runs unprivileged and demonstrates:
>
> 1. non-INC provided-buffer ring with entry0.len = 4096 and entry1.len = 4096
> 2. IORING_OP_RECV + IOSQE_BUFFER_SELECT + IORING_RECVSEND_BUNDLE on an
> empty SOCK_DGRAM socket
> 3. CQE returns -EAGAIN, but entry0.len is changed from 4096 to 1
> 4. a later unrelated IORING_OP_READ from a pipe using the same buffer
> group returns 1 byte instead of 4096
> 5. a second READ uses entry1 and returns 4096, so head/bid accounting
> appears coherent in this repro
>
> I am not claiming privilege escalation from this. The demonstrated
> issue is persistent provided-buffer descriptor length corruption after
> a failed/no-data RECV_BUNDLE, affecting a later READ operation.
Right, I believe you already mentioned in the first email. It's just
a bug that can cause the app to (rightfully) get confused about the
state of a buffer.
And it's not a corruption in the sense that something else writes
to this buffer length field, the kernel is deliberately writing
to that valid piece of memory. It just misses restoring it when
the operation fails.
--
Jens Axboe
next prev parent reply other threads:[~2026-06-07 21:38 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-07 11:41 [BUG io_uring] Failed RECVSEND_BUNDLE can persistently shrink non-INC pbuf ring len and affect later READ operations Federico Brasili
2026-06-07 19:07 ` Jens Axboe
2026-06-07 20:08 ` Federico Brasili
2026-06-07 21:22 ` Nyakundi Emmanuel
2026-06-07 21:39 ` Jens Axboe
2026-06-07 22:10 ` [PATCH] test/recv-bundle-pbuf-len-poison: add regression test for pbuf len corruption Nyakundi Emmanuel
2026-06-07 22:16 ` Jens Axboe
2026-06-07 21:38 ` Jens Axboe [this message]
2026-06-07 21:52 ` [BUG io_uring] Failed RECVSEND_BUNDLE can persistently shrink non-INC pbuf ring len and affect later READ operations Jens Axboe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=36351bf5-fb6a-4712-ae27-5b907452bdab@kernel.dk \
--to=axboe@kernel.dk \
--cc=federico.brasili@gmail.com \
--cc=io-uring@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox