io_uring/zctx: check chained notif contexts

Send zc only links ubuf_info for requests coming from the same context. There are some ambiguous syz reports, so let's check the assumption on notification completion. Signed-off-by: Pavel Begunkov <asml.silence@gmail.com> Link: https://lore.kernel.org/r/fd527d8638203fe0f1c5ff06ff2e1d8fd68f831b.1755179962.git.asml.silence@gmail.com Signed-off-by: Jens Axboe <axboe@kernel.dk>
author: Pavel Begunkov <asml.silence@gmail.com> 2025-08-14 15:40:57 +0100
committer: Jens Axboe <axboe@kernel.dk> 2025-08-24 11:41:11 -0600
commit: ab3ea6eac5f45669b091309f592c4ea324003053 (patch)
tree: ebcfaa8e1ce80252831c4518da27a5c705acdd08 /io_uring/notif.c
parent: 92a96b0a227e91dc42475265a1ce766b6cd044fa (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/io_uring/notif.c b/io_uring/notif.c
index 9a6f6e92d742..8c92e9cde2c6 100644
--- a/io_uring/notif.c
+++ b/io_uring/notif.c
@@ -14,10 +14,15 @@ static const struct ubuf_info_ops io_ubuf_ops;
 static void io_notif_tw_complete(struct io_kiocb *notif, io_tw_token_t tw)
 {
 	struct io_notif_data *nd = io_notif_to_data(notif);
+	struct io_ring_ctx *ctx = notif->ctx;
+
+	lockdep_assert_held(&ctx->uring_lock);
 
 	do {
 		notif = cmd_to_io_kiocb(nd);
 
+		if (WARN_ON_ONCE(ctx != notif->ctx))
+			return;
 		lockdep_assert(refcount_read(&nd->uarg.refcnt) == 0);
 
 		if (unlikely(nd->zc_report) && (nd->zc_copied || !nd->zc_used))
author	Pavel Begunkov <asml.silence@gmail.com>	2025-08-14 15:40:57 +0100
committer	Jens Axboe <axboe@kernel.dk>	2025-08-24 11:41:11 -0600
commit	ab3ea6eac5f45669b091309f592c4ea324003053 (patch)
tree	ebcfaa8e1ce80252831c4518da27a5c705acdd08 /io_uring/notif.c
parent	92a96b0a227e91dc42475265a1ce766b6cd044fa (diff)