linux/include/uapi
Pavel Begunkov d8345a2190 io_uring/timeout: immediate timeout arg
One of the things the user always has to keep in mind is that any user
pointers they put into an SQE are not going to be read by the kernel
until submission happens, and the user has to ensure the pointee stays
alive until then. For example, the snippet below will lead to a UAF of the
on-stack variable ts. Instead of passing the timeout value as a pointer,
allow storing it immediately in the SQE. The user has to set a new flag
called IORING_TIMEOUT_IMMEDIATE_ARG, in which case sqe->addr for timeout
or sqe->addr2 for timeout update requests will be interpreted as a time
value in nanoseconds.

void prep_timeout(struct io_uring_sqe *sqe) {
    struct __kernel_timespec ts = {...};
    prep_timeout(sqe, &ts);
}

void submit() {
    sqe = get_sqe();
    prep_timeout(sqe);
    io_uring_submit();
}

Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2026-03-09 07:21:54 -06:00
asm-generic Scheduler changes for v7.0: 2026-02-10 12:50:10 -08:00
cxl
drm Merge drm/drm-fixes into drm-misc-fixes 2026-02-23 10:09:45 +01:00
fwctl
linux io_uring/timeout: immediate timeout arg 2026-03-09 07:21:54 -06:00
misc Char/Misc/IIO/Binder changes for 6.18-rc1 2025-10-04 16:26:32 -07:00
mtd
rdma RDMA v7.0 merge window 2026-02-12 17:05:20 -08:00
regulator regulator: uapi: Use UAPI integer type 2025-12-22 09:00:42 +00:00
scsi scsi: ufs: core: Improve the documentation of UFS data frames 2026-01-11 22:04:10 -05:00
sound ASoC: SOF: ipc4-topology: Add new tokens for pipeline direction 2026-02-04 13:26:05 +00:00
video
xen
Kbuild