[SRU focal/linux-oem-5.6 0/1] io_uring async sendmsg copy to kernel address 0

Thadeu Lima de Souza Cascardo cascardo at canonical.com
Fri May 14 12:14:37 UTC 2021

When using async io_uring OP_SENDMSG, a copy to kernel address 0 might be
attempted, leading to a kernel WARN/BUG and an uninterruptible process.

Partial backport of dd821e0c95a64b5923a0c57f07d3f7563553e756 ("io_uring: fix
missing msg_name assignment"). The recvmsg side does not seed to set msg_name,
as it copies from a local/stack kernel address (at ____sys_recvmsg) to a uaddr
parameter, which is given when doing the copy_msghdr operation.

[Test case]
LTP io_uring02 was run, and an equivalent recvmsg test was done too. A
successfull sendmsg test (without the chroot at io_uring02 test) was also

[Potential regressions]
io_uring sendmsg/recvmsg paths could fail, potentially leading to a system
crash or even a security vulnerability.

Pavel Begunkov (1):
  io_uring: fix missing msg_name assignment

 fs/io_uring.c | 1 +
 1 file changed, 1 insertion(+)


More information about the kernel-team mailing list