Commit ab69838e authored by Gabriel Krisman Bertazi's avatar Gabriel Krisman Bertazi Committed by Jens Axboe

io_uring/kbuf: Fix check of BID wrapping in provided buffers

Commit 3851d25c ("io_uring: check for rollover of buffer ID when
providing buffers") introduced a check to prevent wrapping the BID
counter when sqe->off is provided, but it's off-by-one too
restrictive, rejecting the last possible BID (65534).

i.e., the following fails with -EINVAL.

     io_uring_prep_provide_buffers(sqe, addr, size, 0xFFFF, 0, 0);

Fixes: 3851d25c ("io_uring: check for rollover of buffer ID when providing buffers")
Signed-off-by: default avatarGabriel Krisman Bertazi <krisman@suse.de>
Link: https://lore.kernel.org/r/20231005000531.30800-2-krisman@suse.deSigned-off-by: default avatarJens Axboe <axboe@kernel.dk>
parent 922a2c78
...@@ -352,7 +352,7 @@ int io_provide_buffers_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe ...@@ -352,7 +352,7 @@ int io_provide_buffers_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe
tmp = READ_ONCE(sqe->off); tmp = READ_ONCE(sqe->off);
if (tmp > USHRT_MAX) if (tmp > USHRT_MAX)
return -E2BIG; return -E2BIG;
if (tmp + p->nbufs >= USHRT_MAX) if (tmp + p->nbufs > USHRT_MAX)
return -EINVAL; return -EINVAL;
p->bid = tmp; p->bid = tmp;
return 0; return 0;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment