git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Pavel Begunkov <asml.silence@gmail.com>
	Mon, 2 Mar 2026 13:10:37 +0000 (13:10 +0000)
committer	Jens Axboe <axboe@kernel.dk>
	Mon, 9 Mar 2026 13:21:54 +0000 (07:21 -0600)
commit	d8345a21902af5d754f2c2aadf877de989e3cac3
tree	e334f79568a7906e08a665c42c5bc7acc7394243	tree \| snapshot
parent	0e78aa188cbddc6311ff24938b1c8d3850b35708	commit \| diff

io_uring/timeout: immediate timeout arg

One the things the user has always keep in mind is that any user
pointers they put into an SQE is not going to be read by the kernel
until submission happens, and the user has to ensure the pointee stays
alive until then. For example, snippet below will lead to UAF of the on
stack variable ts. Instead of passing the timeout value as a pointer
allow to store it immediately in the SQE. The user has to set a new flag
called IORING_TIMEOUT_IMMEDIATE_ARG, in which case sqe->addr for timeout
or sqe->addr2 for timeout update requests will be interpreted as a time
value in nanosecods.

void prep_timeout(struct io_uring_sqe *sqe) {
    struct __kernel_timespec ts = {...};
    prep_timeout(sqe, &ts);
}

void submit() {
    sqe = get_sqe();
    prep_timeout(sqe);
    io_uring_submit();
}

Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

include/uapi/linux/io_uring.h		diff \| blob \| blame \| history
io_uring/timeout.c		diff \| blob \| blame \| history