Re: [PATCH] io_uring: fix missing submitter_task ownership check in bpf_io_reg()

Next message: Luck, Tony: "RE: [PATCH v4 4/7] fs,x86/resctrl: Add architecture hooks for every mount/unmount"
Previous message: Vinicius Costa Gomes: "Re: [PATCH v2] dmaengine: idxd: fix double free in idxd_alloc() error path"
In reply to: Jens Axboe: "Re: [PATCH] io_uring: fix missing submitter_task ownership check in bpf_io_reg()"
Next in thread: Ali Raza: "Re: [PATCH] io_uring: fix missing submitter_task ownership check in bpf_io_reg()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Pavel Begunkov

Date: Wed Apr 22 2026 - 17:58:28 EST

On 4/22/26 22:20, Gabriel Krisman Bertazi wrote:

Ali Raza <elirazamumtaz@xxxxxxxxx> writes:

bpf_io_reg() installs a BPF struct_ops loop_step on any io_uring ring
the caller holds a file descriptor for. io_uring_ctx_get_file() only
validates that the fd resolves to an io_uring file; it does not verify
the caller has authority over the ring's submitter_task.

A parallel path in io_uring_register() already enforces this:

if (ctx->submitter_task && ctx->submitter_task != current)
return -EEXIST; /* register.c:733 */

How is this a protection? I thought ctx->submitter_task is about
IORING_SETUP_SINGLE_ISSUER. there is no permission or capability over
it against other processes.

Without the equivalent check in bpf_io_reg(), a local user with
CAP_PERFMON can exploit IORING_SETUP_R_DISABLED -- which defers

I'd argue this is a non-issue.

Right, it involves receiving a ring from an untrusted source and
then using it. Any application doing that is extremely broken,
even without any bpf you can use that to do some pretty nasty things

If you have CAP_PERFMON, you are able to

mess with the process in many ways beyond this. Otherwise, how a
process would be able to get the fd in the first place?

--
Pavel Begunkov