[PATCH 7.0.y,6.18.y 0/2] Backport io_uring commit to affected

[PATCH 7.0.y,6.18.y 0/2] Backport io_uring commit to affected

[Harshit Mogalapalli]

Hi Jens and stable maintainers,

The intent of this series is to backport commit: 770594e78c39
("io_uring/zcrx: warn on freelist violations") to 6.18.y and 7.0.y.

This above commit likely is fixing commit: 34a3e60821ab ("io_uring/zcrx:
implement zerocopy receive pp memory provider") in 6.18.y and 7.0.y.

Pulled in a prerequisite to cleanly apply the fix. Only build tested.

Please review.

Thanks,
Harshit

Pavel Begunkov (2):
  io_uring/zcrx: use guards for locking
  io_uring/zcrx: warn on freelist violations

 io_uring/zcrx.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

-- 
2.50.1

[PATCH 7.0.y,6.18.y 1/2] io_uring/zcrx: use guards for locking

[Harshit Mogalapalli]

From: Pavel Begunkov <asml.silence@gmail.com>

[ Upstream commit 898ad80d1207cbdb22b21bafb6de4adfd7627bd0 ]

Convert last several places using manual locking to guards to simplify
the code.

Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://patch.msgid.link/eb4667cfaf88c559700f6399da9e434889f5b04a.1774261953.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
(cherry picked from commit 898ad80d1207cbdb22b21bafb6de4adfd7627bd0)
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
---
 io_uring/zcrx.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/io_uring/zcrx.c b/io_uring/zcrx.c
index af4b88e106ab..517b8ddb2cc2 100644
--- a/io_uring/zcrx.c
+++ b/io_uring/zcrx.c
@@ -586,9 +586,8 @@ static void io_zcrx_return_niov_freelist(struct net_iov *niov)
 {
 	struct io_zcrx_area *area = io_zcrx_iov_to_area(niov);
 
-	spin_lock_bh(&area->freelist_lock);
+	guard(spinlock_bh)(&area->freelist_lock);
 	area->freelist[area->free_count++] = net_iov_idx(niov);
-	spin_unlock_bh(&area->freelist_lock);
 }
 
 static void io_zcrx_return_niov(struct net_iov *niov)
@@ -1029,7 +1028,8 @@ static void io_zcrx_refill_slow(struct page_pool *pp, struct io_zcrx_ifq *ifq)
 {
 	struct io_zcrx_area *area = ifq->area;
 
-	spin_lock_bh(&area->freelist_lock);
+	guard(spinlock_bh)(&area->freelist_lock);
+
 	while (area->free_count && pp->alloc.count < PP_ALLOC_CACHE_REFILL) {
 		struct net_iov *niov = __io_zcrx_get_free_niov(area);
 		netmem_ref netmem = net_iov_to_netmem(niov);
@@ -1038,7 +1038,6 @@ static void io_zcrx_refill_slow(struct page_pool *pp, struct io_zcrx_ifq *ifq)
 		io_zcrx_sync_for_device(pp, niov);
 		net_mp_netmem_place_in_cache(pp, netmem);
 	}
-	spin_unlock_bh(&area->freelist_lock);
 }
 
 static netmem_ref io_pp_zc_alloc_netmems(struct page_pool *pp, gfp_t gfp)
@@ -1264,10 +1263,10 @@ static struct net_iov *io_alloc_fallback_niov(struct io_zcrx_ifq *ifq)
 	if (area->mem.is_dmabuf)
 		return NULL;
 
-	spin_lock_bh(&area->freelist_lock);
-	if (area->free_count)
-		niov = __io_zcrx_get_free_niov(area);
-	spin_unlock_bh(&area->freelist_lock);
+	scoped_guard(spinlock_bh, &area->freelist_lock) {
+		if (area->free_count)
+			niov = __io_zcrx_get_free_niov(area);
+	}
 
 	if (niov)
 		page_pool_fragment_netmem(net_iov_to_netmem(niov), 1);
-- 
2.50.1

[PATCH 7.0.y,6.18.y 2/2] io_uring/zcrx: warn on freelist violations

[Harshit Mogalapalli]

From: Pavel Begunkov <asml.silence@gmail.com>

[ Upstream commit 770594e78c3964cf23cf5287f849437cdde9b7d0 ]

The freelist is appropriately sized to always be able to take a free
niov, but let's be more defensive and check the invariant with a
warning. That should help to catch any double-free issues.

Suggested-by: Kai Aizen <kai@snailsploit.com>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://patch.msgid.link/2f3cea363b04649755e3b6bb9ab66485a95936d5.1776760901.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
(cherry picked from commit 770594e78c3964cf23cf5287f849437cdde9b7d0)
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
---
 io_uring/zcrx.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/io_uring/zcrx.c b/io_uring/zcrx.c
index 517b8ddb2cc2..4eb08c832f0b 100644
--- a/io_uring/zcrx.c
+++ b/io_uring/zcrx.c
@@ -587,6 +587,8 @@ static void io_zcrx_return_niov_freelist(struct net_iov *niov)
 	struct io_zcrx_area *area = io_zcrx_iov_to_area(niov);
 
 	guard(spinlock_bh)(&area->freelist_lock);
+	if (WARN_ON_ONCE(area->free_count >= area->nia.num_niovs))
+		return;
 	area->freelist[area->free_count++] = net_iov_idx(niov);
 }
 
-- 
2.50.1

Re: [PATCH 7.0.y,6.18.y 0/2] Backport io_uring commit to affected

[Jens Axboe]

On 5/7/26 6:42 AM, Harshit Mogalapalli wrote:
> Hi Jens and stable maintainers,
> 
> The intent of this series is to backport commit: 770594e78c39
> ("io_uring/zcrx: warn on freelist violations") to 6.18.y and 7.0.y.
> 
> This above commit likely is fixing commit: 34a3e60821ab ("io_uring/zcrx:
> implement zerocopy receive pp memory provider") in 6.18.y and 7.0.y.
> 
> Pulled in a prerequisite to cleanly apply the fix. Only build tested.

I don't think these are actually required, but at the same time it does
not hurt to add them. I'll leave that to Pavel to decide.

In any case, thanks for doing the backports!

-- 
Jens Axboe

Re: [PATCH 7.0.y,6.18.y 0/2] Backport io_uring commit to affected

[Jens Axboe]

On 5/7/26 4:41 PM, Jens Axboe wrote:
> On 5/7/26 6:42 AM, Harshit Mogalapalli wrote:
>> Hi Jens and stable maintainers,
>>
>> The intent of this series is to backport commit: 770594e78c39
>> ("io_uring/zcrx: warn on freelist violations") to 6.18.y and 7.0.y.
>>
>> This above commit likely is fixing commit: 34a3e60821ab ("io_uring/zcrx:
>> implement zerocopy receive pp memory provider") in 6.18.y and 7.0.y.
>>
>> Pulled in a prerequisite to cleanly apply the fix. Only build tested.
> 
> I don't think these are actually required, but at the same time it does
> not hurt to add them. I'll leave that to Pavel to decide.
> 
> In any case, thanks for doing the backports!

Adding Pavel, I had assumed he was already on the email, as he's the
maintainer for that file.

-- 
Jens Axboe

Re: [PATCH 7.0.y,6.18.y 0/2] Backport io_uring commit to affected

[Pavel Begunkov]

On 5/7/26 23:46, Jens Axboe wrote:
> On 5/7/26 4:41 PM, Jens Axboe wrote:
>> On 5/7/26 6:42 AM, Harshit Mogalapalli wrote:
>>> Hi Jens and stable maintainers,
>>>
>>> The intent of this series is to backport commit: 770594e78c39
>>> ("io_uring/zcrx: warn on freelist violations") to 6.18.y and 7.0.y.
>>>
>>> This above commit likely is fixing commit: 34a3e60821ab ("io_uring/zcrx:
>>> implement zerocopy receive pp memory provider") in 6.18.y and 7.0.y.
>>>
>>> Pulled in a prerequisite to cleanly apply the fix. Only build tested.
>>
>> I don't think these are actually required, but at the same time it does
>> not hurt to add them. I'll leave that to Pavel to decide.
>>
>> In any case, thanks for doing the backports!
> 
> Adding Pavel, I had assumed he was already on the email, as he's the
> maintainer for that file.

What's motivation for this? I don't mind to have it (after review),
but it's not a fix, and I know people want it in stable to claim a
hallucinated CVE, and the CVE part is not going to happen.

-- 
Pavel Begunkov

Re: [PATCH 7.0.y,6.18.y 0/2] Backport io_uring commit to affected

[Harshit Mogalapalli]

Hi Jens and Pavel,

On 08/05/26 07:37, Pavel Begunkov wrote:
> On 5/7/26 23:46, Jens Axboe wrote:
>> On 5/7/26 4:41 PM, Jens Axboe wrote:
>>> On 5/7/26 6:42 AM, Harshit Mogalapalli wrote:
>>>> Hi Jens and stable maintainers,
>>>>
>>>> The intent of this series is to backport commit: 770594e78c39
>>>> ("io_uring/zcrx: warn on freelist violations") to 6.18.y and 7.0.y.
>>>>
>>>> This above commit likely is fixing commit: 34a3e60821ab ("io_uring/ 
>>>> zcrx:
>>>> implement zerocopy receive pp memory provider") in 6.18.y and 7.0.y.
>>>>
>>>> Pulled in a prerequisite to cleanly apply the fix. Only build tested.
>>>
>>> I don't think these are actually required, but at the same time it does
>>> not hurt to add them. I'll leave that to Pavel to decide.
>>>
>>> In any case, thanks for doing the backports!
>>
>> Adding Pavel, I had assumed he was already on the email, as he's the
>> maintainer for that file.
> 
> What's motivation for this? I don't mind to have it (after review),
> but it's not a fix, and I know people want it in stable to claim a
> hallucinated CVE, and the CVE part is not going to happen.
> 

Sure, thanks for sharing this. I was reading this: 
https://ze3tar.github.io/post-zcrx.html and thought of sending backports 
to affected-stated stable branches. I looked up at the fix and checked 
probable broken commit and sent these backports. If the report is bogus, 
I think we should leave these but if its safe to backport these I think 
we should ?

Thanks,
Harshit

Re: [PATCH 7.0.y,6.18.y 0/2] Backport io_uring commit to affected

[Jens Axboe]

On 5/8/26 1:52 AM, Harshit Mogalapalli wrote:
> Hi Jens and Pavel,
> 
> On 08/05/26 07:37, Pavel Begunkov wrote:
>> On 5/7/26 23:46, Jens Axboe wrote:
>>> On 5/7/26 4:41 PM, Jens Axboe wrote:
>>>> On 5/7/26 6:42 AM, Harshit Mogalapalli wrote:
>>>>> Hi Jens and stable maintainers,
>>>>>
>>>>> The intent of this series is to backport commit: 770594e78c39
>>>>> ("io_uring/zcrx: warn on freelist violations") to 6.18.y and 7.0.y.
>>>>>
>>>>> This above commit likely is fixing commit: 34a3e60821ab ("io_uring/ zcrx:
>>>>> implement zerocopy receive pp memory provider") in 6.18.y and 7.0.y.
>>>>>
>>>>> Pulled in a prerequisite to cleanly apply the fix. Only build tested.
>>>>
>>>> I don't think these are actually required, but at the same time it does
>>>> not hurt to add them. I'll leave that to Pavel to decide.
>>>>
>>>> In any case, thanks for doing the backports!
>>>
>>> Adding Pavel, I had assumed he was already on the email, as he's the
>>> maintainer for that file.
>>
>> What's motivation for this? I don't mind to have it (after review),
>> but it's not a fix, and I know people want it in stable to claim a
>> hallucinated CVE, and the CVE part is not going to happen.
>>
> 
> Sure, thanks for sharing this. I was reading this:
> https://ze3tar.github.io/post-zcrx.html and thought of sending
> backports to affected-stated stable branches. I looked up at the fix
> and checked probable broken commit and sent these backports. If the
> report is bogus, I think we should leave these but if its safe to
> backport these I think we should ?

I already told that guy that his hallucinated garbage is just plain
wrong. Did you notice in that post how part of the procedure is writing
to /proc/sys/kernel/modprobe? Which you need to be CAP_SYS_ADMIN/root to
do? And if you are root already, then wtf is the point of it. It's also
flagging the wrong commit, the related one fixing an actual bug is:

003049b1c4fb ("io_uring/zcrx: fix user_ref race between scrub and refill paths")

which is why I said this series is fine to do a consistency backport, as
it may make further backports easier, but in no way is it actually
fixing anything.

tldr - blog post is mostly hallucinated garbage made to look like some
novel or new thing, when it very much is not. Author said he'd update
it.

-- 
Jens Axboe

Re: [PATCH 7.0.y,6.18.y 0/2] Backport io_uring commit to affected

[Pavel Begunkov]

On 5/8/26 08:52, Harshit Mogalapalli wrote:
> Hi Jens and Pavel,
> 
> On 08/05/26 07:37, Pavel Begunkov wrote:
>> On 5/7/26 23:46, Jens Axboe wrote:
>>> On 5/7/26 4:41 PM, Jens Axboe wrote:
>>>> On 5/7/26 6:42 AM, Harshit Mogalapalli wrote:
>>>>> Hi Jens and stable maintainers,
>>>>>
>>>>> The intent of this series is to backport commit: 770594e78c39
>>>>> ("io_uring/zcrx: warn on freelist violations") to 6.18.y and 7.0.y.
>>>>>
>>>>> This above commit likely is fixing commit: 34a3e60821ab ("io_uring/ zcrx:
>>>>> implement zerocopy receive pp memory provider") in 6.18.y and 7.0.y.
>>>>>
>>>>> Pulled in a prerequisite to cleanly apply the fix. Only build tested.
>>>>
>>>> I don't think these are actually required, but at the same time it does
>>>> not hurt to add them. I'll leave that to Pavel to decide.
>>>>
>>>> In any case, thanks for doing the backports!
>>>
>>> Adding Pavel, I had assumed he was already on the email, as he's the
>>> maintainer for that file.
>>
>> What's motivation for this? I don't mind to have it (after review),
>> but it's not a fix, and I know people want it in stable to claim a
>> hallucinated CVE, and the CVE part is not going to happen.
>>
> 
> Sure, thanks for sharing this. I was reading this: https://ze3tar.github.io/post-zcrx.html and thought of sending backports to affected-stated stable branches. I looked up at the fix and checked probable broken commit and sent these backports. If the report is bogus, I think we should leave these but if its safe to backport these I think we should ?

Got it, thanks for sending the patches, it's better than potentially
overlooking a problem. I'll take a look at as hardening, but the
article refers to non-existent code, the reproducer doesn't reproduce,
it doesn't even do what it says it does, there are one mistake after
another. I took a closer look a week+ ago, and I believe it's all
hallucinations that has never been actually run / validated.

-- 
Pavel Begunkov

Re: [PATCH 7.0.y,6.18.y 0/2] Backport io_uring commit to affected

[Pavel Begunkov]

On 5/7/26 23:46, Jens Axboe wrote:
> On 5/7/26 4:41 PM, Jens Axboe wrote:
>> On 5/7/26 6:42 AM, Harshit Mogalapalli wrote:
>>> Hi Jens and stable maintainers,
>>>
>>> The intent of this series is to backport commit: 770594e78c39
>>> ("io_uring/zcrx: warn on freelist violations") to 6.18.y and 7.0.y.
>>>
>>> This above commit likely is fixing commit: 34a3e60821ab ("io_uring/zcrx:
>>> implement zerocopy receive pp memory provider") in 6.18.y and 7.0.y.
>>>
>>> Pulled in a prerequisite to cleanly apply the fix. Only build tested.
>>
>> I don't think these are actually required, but at the same time it does
>> not hurt to add them. I'll leave that to Pavel to decide.
>>
>> In any case, thanks for doing the backports!
> 
> Adding Pavel, I had assumed he was already on the email, as he's the
> maintainer for that file.

Looks good to apply to stable as a hardening measure, thanks

-- 
Pavel Begunkov