From: Pavel Begunkov
Date: Wed, 15 Oct 2025 12:07:23 +0000 (+0100)
Subject: io_uring: protect mem region deregistration
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=be7cab44ed099566c605a8dac686c3254db01b35;p=users%2Fhch%2Fmisc.git

io_uring: protect mem region deregistration

io_create_region_mmap_safe() protects publishing of a region against concurrent mmap calls, however we should also protect against it when removing a region. There is a gap in io_register_mem_region() where it safely publishes a region, but then copy_to_user goes wrong and it unsafely frees the region.

Cc: stable@vger.kernel.org
Fixes: 087f997870a94 ("io_uring/memmap: implement mmap for regions")
Signed-off-by: Pavel Begunkov
Signed-off-by: Jens Axboe
---
diff --git a/io_uring/register.c b/io_uring/register.c index 43f04c47522c..58d43d624856 100644 --- a/io_uring/register.c +++ b/io_uring/register.c @@ -613,6 +613,7 @@ static int io_register_mem_region(struct io_ring_ctx *ctx, void __user *uarg) if (ret) return ret; if (copy_to_user(rd_uptr, &rd, sizeof(rd))) { + guard(mutex)(&ctx->mmap_lock); io_free_region(ctx, &ctx->param_region); return -EFAULT; }
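Review bot: The guard(mutex)(&ctx->mmap_lock) added in the copy_to_user() failure branch of io_register_mem_region() is open-coded and uncommented, so the rule that a published region must be torn down under mmap_lock is recorded only in the commit message. Consider a one-line comment at this spot saying the region is already visible to mmap, or a small helper that pairs with io_create_region_mmap_safe() and takes mmap_lock around io_free_region(), so later teardown paths cannot skip the lock. Placing the guard as the first statement of the branch is right: it is scope-based, so the lock covers io_free_region(ctx, &ctx->param_region) and is released on the return -EFAULT. Only this one call site is visible in the hunk, so it is worth confirming that no other path frees ctx->param_region after publication without holding mmap_lock.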