io_uring: check for rollover of buffer ID when providing buffers
commit 3851d25 upstream.

We already check if the chosen starting offset for the buffer IDs fits
within an unsigned short, as 65535 is the maximum value for a provided
buffer. But if the caller asks to add N buffers at offset M, and M + N
would exceed the size of the unsigned short, we simply add buffers with
wrapping around the ID.

This is not necessarily a bug and could in fact be a valid use case, but
it seems confusing and inconsistent with the initial check for starting
offset. Let's check for wrap consistently, and error the addition if we
do need to wrap.

Reported-by: Olivier Langlois <olivier@trillion01.com>
Link: axboe/liburing#726
Cc: stable@vger.kernel.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
axboe authored and Sasha Levin committed Nov 14, 2022
1 parent d204a71 commit b48b099
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions io_uring/kbuf.c
Expand Up @@ -346,6 +346,8 @@ int io_provide_buffers_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe
tmp = READ_ONCE(sqe->off);
if (tmp > USHRT_MAX)
return -E2BIG;
if (tmp + p->nbufs >= USHRT_MAX)
return -EINVAL;
p->bid = tmp;
return 0;
}
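Review bot: The added test `tmp + p->nbufs >= USHRT_MAX` rejects ranges that do not wrap. Starting at ID tmp with nbufs buffers, the last ID used is tmp + p->nbufs - 1, so a request such as offset 65534 with one buffer is refused with -EINVAL even though the commit message gives 65535 as the maximum valid buffer ID. The unchanged check above still lets tmp == USHRT_MAX through, but no request with that offset can pass the new line, so the two bounds disagree. Consider comparing the last ID against the limit instead (for example `tmp + p->nbufs - 1 > USHRT_MAX`, provided nbufs is validated as nonzero earlier in the function, which this hunk does not show), or add a comment saying the stricter bound is intended. The two range failures also return different codes (-E2BIG, then -EINVAL); since the stated aim is consistency, a short comment on why they differ would help callers that branch on errno.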