Commit 48ba0837 authored by Wojciech Lukowicz's avatar Wojciech Lukowicz Committed by Jens Axboe

io_uring: fix size calculation when registering buf ring

Using struct_size() to calculate the size of io_uring_buf_ring will sum
the size of the struct and of the bufs array. However, the struct's fields
are overlaid with the array making the calculated size larger than it
should be.

When registering a ring with N * PAGE_SIZE / sizeof(struct io_uring_buf)
entries, i.e. with fully filled pages, the calculated size will span one
more page than it should and io_uring will try to pin the following page.
Depending on how the application allocated the ring, it might succeed
using an unrelated page or fail returning EFAULT.

The size of the ring should be the product of ring_entries and the size
of io_uring_buf, i.e. the size of the bufs array only.

Fixes: c7fb1942 ("io_uring: add support for ring mapped supplied buffers")
Signed-off-by: default avatarWojciech Lukowicz <wlukowicz01@gmail.com>
Reviewed-by: default avatarGabriel Krisman Bertazi <krisman@suse.de>
Link: https://lore.kernel.org/r/20230218184141.70891-1-wlukowicz01@gmail.comSigned-off-by: default avatarJens Axboe <axboe@kernel.dk>
parent 6bf65a1b
...@@ -505,7 +505,7 @@ int io_register_pbuf_ring(struct io_ring_ctx *ctx, void __user *arg) ...@@ -505,7 +505,7 @@ int io_register_pbuf_ring(struct io_ring_ctx *ctx, void __user *arg)
} }
pages = io_pin_pages(reg.ring_addr, pages = io_pin_pages(reg.ring_addr,
struct_size(br, bufs, reg.ring_entries), flex_array_size(br, bufs, reg.ring_entries),
&nr_pages); &nr_pages);
if (IS_ERR(pages)) { if (IS_ERR(pages)) {
kfree(free_bl); kfree(free_bl);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment