Re: [BUG] WARNING in io_ring_exit_work (io_uring.c:2187) via IORING_REGISTER_BPF_FILTER — confirmed on 7.0-rc5 and rc6

Next message: Jaco Kroon: "Re: [PATCH net-next] pppoe: update Kconfig URLs"
Previous message: Pekka Paalanen: "Re: [PATCH v5 0/3] Add &quot;link bpc&quot; DRM property"
In reply to: Jens Axboe: "Re: [BUG] WARNING in io_ring_exit_work (io_uring.c:2187) via IORING_REGISTER_BPF_FILTER &#x2014; confirmed on 7.0-rc5 and rc6"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jens Axboe

Date: Tue Mar 31 2026 - 10:28:30 EST

On 3/31/26 7:39 AM, Jens Axboe wrote:
> On 3/31/26 7:32 AM, antonius wrote:
>> Hello,
>>
>> I am reporting a kernel WARNING discovered via Syzkaller fuzzing of Linux
>> 7.0-rc5, targeting the new IORING_REGISTER_BPF_FILTER subsystem (new in 7.0).
>>
>> The bug is confirmed on both 7.0-rc5 and 7.0-rc6. It is NOT fixed in rc6.
>> In rc6, the WARNING appears to have changed from WARN_ON to WARN_ON_ONCE
>> (fires only once per boot), which may explain why it was initially missed.
>
> Interesting, that's why I added those WARN_ON's. I'll take a look
> at this.
>
> And yes, they would only fire once, because are WARN_ON_ONCE()...

diff --git a/io_uring/register.c b/io_uring/register.c
index 5f3eb018fb32..837324bf0223 100644
--- a/io_uring/register.c
+++ b/io_uring/register.c
@@ -178,9 +178,17 @@ static __cold int io_register_restrictions(struct io_ring_ctx *ctx,
return -EBUSY;

ret = io_parse_restrictions(arg, nr_args, &ctx->restrictions);
- /* Reset all restrictions if an error happened */
+ /*
+ * Reset all restrictions if an error happened, but retain any COW'ed
+ * settings.
+ */
if (ret < 0) {
+ struct io_bpf_filters *bpf = ctx->restrictions.bpf_filters;
+ bool cowed = ctx->restrictions.bpf_filters_cow;
+
memset(&ctx->restrictions, 0, sizeof(ctx->restrictions));
+ ctx->restrictions.bpf_filters = bpf;
+ ctx->restrictions.bpf_filters_cow = cowed;
return ret;
}
if (ctx->restrictions.op_registered)

--
Jens Axboe