* [PATCH] io_uring/rsrc: remove registered buffer 1GB limit @ 2026-05-05 7:39 Jens Axboe 2026-05-05 10:09 ` Jens Axboe 2026-05-05 13:08 ` [syzbot ci] " syzbot ci 0 siblings, 2 replies; 6+ messages in thread From: Jens Axboe @ 2026-05-05 7:39 UTC (permalink / raw) To: io-uring; +Cc: Andres Freund There's no real reason to have a limit, as the memory is accounted by the lockmem limits anyway, if any exist. io_pin_pages() will still restrict the maximum allowed limit per buffer, which is INT_MAX number of pages. For a 4kb page size system, the limit is 8TB. Reported-by: Andres Freund <andres@anarazel.de> Signed-off-by: Jens Axboe <axboe@kernel.dk> --- diff --git a/io_uring/memmap.c b/io_uring/memmap.c index 4f9b439319c4..74149b1cae5c 100644 --- a/io_uring/memmap.c +++ b/io_uring/memmap.c @@ -53,7 +53,7 @@ struct page **io_pin_pages(unsigned long uaddr, unsigned long len, int *npages) nr_pages = end - start; if (WARN_ON_ONCE(!nr_pages)) return ERR_PTR(-EINVAL); - if (WARN_ON_ONCE(nr_pages > INT_MAX)) + if (nr_pages > INT_MAX) return ERR_PTR(-EOVERFLOW); pages = kvmalloc_objs(struct page *, nr_pages, GFP_KERNEL_ACCOUNT); diff --git a/io_uring/rsrc.c b/io_uring/rsrc.c index 650303626be6..0b85b35bfe08 100644 --- a/io_uring/rsrc.c +++ b/io_uring/rsrc.c @@ -88,8 +88,14 @@ int io_validate_user_buf_range(u64 uaddr, u64 ulen) unsigned long tmp, base = (unsigned long)uaddr; unsigned long acct_len = (unsigned long)PAGE_ALIGN(ulen); - /* arbitrary limit, but we need something */ - if (ulen > SZ_1G || !ulen) + /* + * No specific buffer length limit outside of what io_pin_pages() + * limits us to. + */ + if (!ulen) + return -EFAULT; + /* 32-bit sanity checking */ + if (ulen > ULONG_MAX || uaddr > ULONG_MAX) return -EFAULT; if (check_add_overflow(base, acct_len, &tmp)) return -EOVERFLOW; -- Jens Axboe ^ permalink raw reply related [flat|nested] 6+ messages in thread
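Review bot: in the io_uring/memmap.c hunk, the nr_pages > INT_MAX test is now the only size limit left, but it does not bound the allocation on the line after it. kvmalloc_objs(struct page *, nr_pages, GFP_KERNEL_ACCOUNT) is sized in bytes, so with pointer-sized elements a page count far below INT_MAX already requests more than INT_MAX bytes. The syzbot ci report later in this thread shows that path warning with "!(flags & __GFP_NOWARN)" in __kvmalloc_node_noprof, called from io_pin_pages. Dropping WARN_ON_ONCE() from the nr_pages test is right because userspace can now reach it, and the same reasoning applies to the allocation: either reject page counts whose pointer array would exceed what kvmalloc accepts quietly, returning -EOVERFLOW, or pass __GFP_NOWARN and rely on the existing allocation-failure path. The effective per-buffer limit is then set by that allocation rather than by INT_MAX pages, so the 8TB figure in the commit message should be rechecked.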
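Review bot: in the io_uring/rsrc.c hunk, acct_len is initialised as (unsigned long)PAGE_ALIGN(ulen) before any upper bound on ulen applies, and with the SZ_1G cap gone nothing stops PAGE_ALIGN() from wrapping: a ulen within one page of the top of the range rounds up to 0, so check_add_overflow(base, acct_len, &tmp) passes for a length that should be rejected. Add an explicit wrap test after the !ulen check, for example "if (PAGE_ALIGN(ulen) < ulen) return -EOVERFLOW;". Separately, "ulen > ULONG_MAX || uaddr > ULONG_MAX" is always false on 64-bit builds, and base has already been truncated from uaddr in its initialiser by the time the test runs. That is harmless because the function returns, but doing the range test before the casts, or compiling it for 32-bit only, would state the intent more clearly than the "32-bit sanity checking" comment does.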
* Re: [PATCH] io_uring/rsrc: remove registered buffer 1GB limit 2026-05-05 7:39 [PATCH] io_uring/rsrc: remove registered buffer 1GB limit Jens Axboe @ 2026-05-05 10:09 ` Jens Axboe 2026-05-05 13:23 ` Clément Léger 2026-05-05 13:08 ` [syzbot ci] " syzbot ci 1 sibling, 1 reply; 6+ messages in thread From: Jens Axboe @ 2026-05-05 10:09 UTC (permalink / raw) To: io-uring; +Cc: Andres Freund On 5/5/26 1:39 AM, Jens Axboe wrote: > There's no real reason to have a limit, as the memory is accounted by > the lockmem limits anyway, if any exist. io_pin_pages() will still > restrict the maximum allowed limit per buffer, which is INT_MAX > number of pages. For a 4kb page size system, the limit is 8TB. > > Reported-by: Andres Freund <andres@anarazel.de> > Signed-off-by: Jens Axboe <axboe@kernel.dk> Forgot that I had a prep patch for this one... The branch is here: https://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux.git/log/?h=io_uring-reg-buffers and notably the patch before this one is below, which bumps the ->len size of the io_mapped_ubuf. I'll send this out as a proper series later this week, this is 7.2 material obviously. commit 381e736515173a1fb78d2a86983d3ebfcf263597 Author: Jens Axboe <axboe@kernel.dk> Date: Mon May 4 05:40:16 2026 -0600 io_uring/rsrc: bump struct io_mapped_ubuf length field to size_t In preparation for supporting bigger individual buffers, bump the length field to a full 8-bytes with size_t rather than an unsigned int. Signed-off-by: Jens Axboe <axboe@kernel.dk> diff --git a/io_uring/fdinfo.c b/io_uring/fdinfo.c index c2d3e45544bb..f0ff4bd01b6d 100644 --- a/io_uring/fdinfo.c +++ b/io_uring/fdinfo.c @@ -223,7 +223,7 @@ static void __io_uring_show_fdinfo(struct io_ring_ctx *ctx, struct seq_file *m) if (ctx->buf_table.nodes[i]) buf = ctx->buf_table.nodes[i]->buf; if (buf) - seq_printf(m, "%5u: 0x%llx/%u\n", i, buf->ubuf, buf->len); + seq_printf(m, "%5u: 0x%llx/%zu\n", i, buf->ubuf, buf->len); else seq_printf(m, "%5u: <none>\n", i); } 
diff --git a/io_uring/rsrc.h b/io_uring/rsrc.h index 44e3386f7c1c..03521b50926c 100644 --- a/io_uring/rsrc.h +++ b/io_uring/rsrc.h @@ -34,15 +34,15 @@ enum { struct io_mapped_ubuf { u64 ubuf; - unsigned int len; + size_t len; unsigned int nr_bvecs; unsigned int folio_shift; refcount_t refs; + u8 flags; + u8 dir; unsigned long acct_pages; void (*release)(void *); void *priv; - u8 flags; - u8 dir; struct bio_vec bvec[] __counted_by(nr_bvecs); }; -- Jens Axboe ^ permalink raw reply related [flat|nested] 6+ messages in thread
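Review bot: in the struct io_mapped_ubuf hunk, the move of flags and dir up next to refs is not covered by the commit message, which only describes widening len, so the reordering reads as an unrelated change. Add a sentence saying the two u8 fields are placed after the 4-byte refcount_t so that widening len does not open a hole before acct_pages and grow the struct. Also, "a full 8-bytes with size_t" holds only on 64-bit builds; size_t is 4 bytes on 32-bit, so the message should describe the field as size_t without the 8-byte claim.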
* Re: [PATCH] io_uring/rsrc: remove registered buffer 1GB limit 2026-05-05 10:09 ` Jens Axboe @ 2026-05-05 13:23 ` Clément Léger 2026-05-05 13:26 ` Jens Axboe 0 siblings, 1 reply; 6+ messages in thread From: Clément Léger @ 2026-05-05 13:23 UTC (permalink / raw) To: Jens Axboe, io-uring; +Cc: Andres Freund On 5/5/26 12:09, Jens Axboe wrote: > > > On 5/5/26 1:39 AM, Jens Axboe wrote: >> There's no real reason to have a limit, as the memory is accounted by >> the lockmem limits anyway, if any exist. io_pin_pages() will still >> restrict the maximum allowed limit per buffer, which is INT_MAX >> number of pages. For a 4kb page size system, the limit is 8TB. >> >> Reported-by: Andres Freund <andres@anarazel.de> >> Signed-off-by: Jens Axboe <axboe@kernel.dk> > > Forgot that I had a prep patch for this one... The branch is here: > > https://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux.git/log/?h=io_uring-reg-buffers > > and notably the patch before this one is below, which bumps the ->len > size of the io_mapped_ubuf. I'll send this out as a proper series later > this week, this is 7.2 material obviously. > > commit 381e736515173a1fb78d2a86983d3ebfcf263597 > Author: Jens Axboe <axboe@kernel.dk> > Date: Mon May 4 05:40:16 2026 -0600 > > io_uring/rsrc: bump struct io_mapped_ubuf length field to size_t > > In preparation for supporting bigger individual buffers, bump the length > field to a full 8-bytes with size_t rather than an unsigned int. > > Signed-off-by: Jens Axboe <axboe@kernel.dk> > > diff --git a/io_uring/fdinfo.c b/io_uring/fdinfo.c > index c2d3e45544bb..f0ff4bd01b6d 100644 > --- a/io_uring/fdinfo.c > +++ b/io_uring/fdinfo.c 
> @@ -223,7 +223,7 @@ static void __io_uring_show_fdinfo(struct io_ring_ctx *ctx, struct seq_file *m) > if (ctx->buf_table.nodes[i]) > buf = ctx->buf_table.nodes[i]->buf; > if (buf) > - seq_printf(m, "%5u: 0x%llx/%u\n", i, buf->ubuf, buf->len); > + seq_printf(m, "%5u: 0x%llx/%zu\n", i, buf->ubuf, buf->len); > else > seq_printf(m, "%5u: <none>\n", i); > } > diff --git a/io_uring/rsrc.h b/io_uring/rsrc.h > index 44e3386f7c1c..03521b50926c 100644 > --- a/io_uring/rsrc.h > +++ b/io_uring/rsrc.h > @@ -34,15 +34,15 @@ enum { > > struct io_mapped_ubuf { > u64 ubuf; > - unsigned int len; > + size_t len; > unsigned int nr_bvecs; > unsigned int folio_shift; > refcount_t refs; > + u8 flags; > + u8 dir; > unsigned long acct_pages; > void (*release)(void *); > void *priv; > - u8 flags; > - u8 dir; Hi Jens, This seems like an unrelated change. Thanks, Clément > struct bio_vec bvec[] __counted_by(nr_bvecs); > }; > > ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] io_uring/rsrc: remove registered buffer 1GB limit 2026-05-05 13:23 ` Clément Léger @ 2026-05-05 13:26 ` Jens Axboe 2026-05-05 13:35 ` Clément Léger 0 siblings, 1 reply; 6+ messages in thread From: Jens Axboe @ 2026-05-05 13:26 UTC (permalink / raw) To: Clément Léger, io-uring; +Cc: Andres Freund On 5/5/26 7:23 AM, Clément Léger wrote: > On 5/5/26 12:09, Jens Axboe wrote: >> > On 5/5/26 1:39 AM, Jens Axboe wrote: >>> There's no real reason to have a limit, as the memory is accounted by >>> the lockmem limits anyway, if any exist. io_pin_pages() will still >>> restrict the maximum allowed limit per buffer, which is INT_MAX >>> number of pages. For a 4kb page size system, the limit is 8TB. >>> >>> Reported-by: Andres Freund <andres@anarazel.de> >>> Signed-off-by: Jens Axboe <axboe@kernel.dk> >> >> Forgot that I had a prep patch for this one... The branch is here: >> >> https://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux.git/log/?h=io_uring-reg-buffers >> >> and notably the patch before this one is below, which bumps the ->len >> size of the io_mapped_ubuf. I'll send this out as a proper series later >> this week, this is 7.2 material obviously. >> >> commit 381e736515173a1fb78d2a86983d3ebfcf263597 >> Author: Jens Axboe <axboe@kernel.dk> >> Date: Mon May 4 05:40:16 2026 -0600 >> >> io_uring/rsrc: bump struct io_mapped_ubuf length field to size_t >> In preparation for supporting bigger individual buffers, bump the length >> field to a full 8-bytes with size_t rather than an unsigned int. >> Signed-off-by: Jens Axboe <axboe@kernel.dk> >> >> diff --git a/io_uring/fdinfo.c b/io_uring/fdinfo.c >> index c2d3e45544bb..f0ff4bd01b6d 100644 >> --- a/io_uring/fdinfo.c >> +++ b/io_uring/fdinfo.c 
>> @@ -223,7 +223,7 @@ static void __io_uring_show_fdinfo(struct io_ring_ctx *ctx, struct seq_file *m) >> if (ctx->buf_table.nodes[i]) >> buf = ctx->buf_table.nodes[i]->buf; >> if (buf) >> - seq_printf(m, "%5u: 0x%llx/%u\n", i, buf->ubuf, buf->len); >> + seq_printf(m, "%5u: 0x%llx/%zu\n", i, buf->ubuf, buf->len); >> else >> seq_printf(m, "%5u: <none>\n", i); >> } >> diff --git a/io_uring/rsrc.h b/io_uring/rsrc.h >> index 44e3386f7c1c..03521b50926c 100644 >> --- a/io_uring/rsrc.h >> +++ b/io_uring/rsrc.h >> @@ -34,15 +34,15 @@ enum { >> struct io_mapped_ubuf { >> u64 ubuf; >> - unsigned int len; >> + size_t len; >> unsigned int nr_bvecs; >> unsigned int folio_shift; >> refcount_t refs; >> + u8 flags; >> + u8 dir; >> unsigned long acct_pages; >> void (*release)(void *); >> void *priv; >> - u8 flags; >> - u8 dir; > > Hi Jens, > > This seems like an unrelated change. Hmm, how so? It's required for removing the 1GB restriction, as it bumps buf->len from a 32-bit unsigned to a 64-bit size_t. Oh you mean moving flags and dir? That's just so it packs better, changing int would leave a 4-byte gap. Might as well move flags and dir near the 4b refcount_t to avoid bloating the struct. -- Jens Axboe ^ permalink raw reply [flat|nested] 6+ messages in thread
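The packing argument in the reply above, as an added example that is not part of the original thread or the kernel source: it rebuilds three layouts of struct io_mapped_ubuf with userspace stand-in types and measures where the padding lands. The stand-ins for refcount_t and struct bio_vec, the struct and function names, and the LP64 (x86-64) type sizes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace stand-ins (assumed: refcount_t is 4 bytes, bio_vec is 8-byte aligned). */
typedef struct { int counter; } refcount_t;
struct bio_vec { void *bv_page; unsigned int bv_len, bv_offset; };

/* Before the prep patch: len is a 32-bit unsigned int. */
struct ubuf_before {
	uint64_t ubuf;
	unsigned int len, nr_bvecs, folio_shift;
	refcount_t refs;
	unsigned long acct_pages;
	void (*release)(void *); void *priv;
	uint8_t flags, dir;
	struct bio_vec bvec[];
};

/* Hypothetical variant: len widened to size_t, flags/dir left at the end. */
struct ubuf_widened_only {
	uint64_t ubuf;
	size_t len;
	unsigned int nr_bvecs, folio_shift;
	refcount_t refs;		/* padding follows on LP64 */
	unsigned long acct_pages;
	void (*release)(void *); void *priv;
	uint8_t flags, dir;
	struct bio_vec bvec[];
};

/* As in the prep patch: len widened, flags/dir moved next to refs. */
struct ubuf_patched {
	uint64_t ubuf;
	size_t len;
	unsigned int nr_bvecs, folio_shift;
	refcount_t refs;
	uint8_t flags, dir;		/* occupy the space after refs */
	unsigned long acct_pages;
	void (*release)(void *); void *priv;
	struct bio_vec bvec[];
};

/* Header size is the offset of the flexible bvec[] array. */
size_t hdr_before(void)  { return offsetof(struct ubuf_before, bvec); }
size_t hdr_widened(void) { return offsetof(struct ubuf_widened_only, bvec); }
size_t hdr_patched(void) { return offsetof(struct ubuf_patched, bvec); }
size_t hole_widened(void) { return offsetof(struct ubuf_widened_only, acct_pages) - offsetof(struct ubuf_widened_only, refs) - sizeof(refcount_t); }

int main(void) {
	printf("before=%zu widened-only=%zu patched=%zu\n", hdr_before(), hdr_widened(), hdr_patched());
	printf("hole after refs without the move: %zu bytes\n", hole_widened());
	return 0;
}
```

On x86-64 the widened-only layout grows the header by 8 bytes, while the patched ordering keeps it at the original size.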
* Re: [PATCH] io_uring/rsrc: remove registered buffer 1GB limit 2026-05-05 13:26 ` Jens Axboe @ 2026-05-05 13:35 ` Clément Léger 0 siblings, 0 replies; 6+ messages in thread From: Clément Léger @ 2026-05-05 13:35 UTC (permalink / raw) To: Jens Axboe, io-uring; +Cc: Andres Freund On 5/5/26 15:26, Jens Axboe wrote: > > > On 5/5/26 7:23 AM, Clément Léger wrote: >> On 5/5/26 12:09, Jens Axboe wrote: >>>> On 5/5/26 1:39 AM, Jens Axboe wrote: >>>> There's no real reason to have a limit, as the memory is accounted by >>>> the lockmem limits anyway, if any exist. io_pin_pages() will still >>>> restrict the maximum allowed limit per buffer, which is INT_MAX >>>> number of pages. For a 4kb page size system, the limit is 8TB. >>>> >>>> Reported-by: Andres Freund <andres@anarazel.de> >>>> Signed-off-by: Jens Axboe <axboe@kernel.dk> >>> >>> Forgot that I had a prep patch for this one... The branch is here: >>> >>> https://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux.git/log/?h=io_uring-reg-buffers >>> >>> and notably the patch before this one is below, which bumps the ->len >>> size of the io_mapped_ubuf. I'll send this out as a proper series later >>> this week, this is 7.2 material obviously. >>> >>> commit 381e736515173a1fb78d2a86983d3ebfcf263597 >>> Author: Jens Axboe <axboe@kernel.dk> >>> Date: Mon May 4 05:40:16 2026 -0600 >>> >>> io_uring/rsrc: bump struct io_mapped_ubuf length field to size_t >>> In preparation for supporting bigger individual buffers, bump the length >>> field to a full 8-bytes with size_t rather than an unsigned int. >>> Signed-off-by: Jens Axboe <axboe@kernel.dk> >>> >>> diff --git a/io_uring/fdinfo.c b/io_uring/fdinfo.c >>> index c2d3e45544bb..f0ff4bd01b6d 100644 >>> --- a/io_uring/fdinfo.c >>> +++ b/io_uring/fdinfo.c 
>>> @@ -223,7 +223,7 @@ static void __io_uring_show_fdinfo(struct io_ring_ctx *ctx, struct seq_file *m) >>> if (ctx->buf_table.nodes[i]) >>> buf = ctx->buf_table.nodes[i]->buf; >>> if (buf) >>> - seq_printf(m, "%5u: 0x%llx/%u\n", i, buf->ubuf, buf->len); >>> + seq_printf(m, "%5u: 0x%llx/%zu\n", i, buf->ubuf, buf->len); >>> else >>> seq_printf(m, "%5u: <none>\n", i); >>> } >>> diff --git a/io_uring/rsrc.h b/io_uring/rsrc.h >>> index 44e3386f7c1c..03521b50926c 100644 >>> --- a/io_uring/rsrc.h >>> +++ b/io_uring/rsrc.h >>> @@ -34,15 +34,15 @@ enum { >>> struct io_mapped_ubuf { >>> u64 ubuf; >>> - unsigned int len; >>> + size_t len; >>> unsigned int nr_bvecs; >>> unsigned int folio_shift; >>> refcount_t refs; >>> + u8 flags; >>> + u8 dir; >>> unsigned long acct_pages; >>> void (*release)(void *); >>> void *priv; >>> - u8 flags; >>> - u8 dir; >> >> Hi Jens, >> >> This seems like an unrelated change. > > Hmm, how so? It's required for removing the 1GB restriction, as it bumps > buf->len from a 32-bit unsigned to a 64-bit size_t. > > Oh you mean moving flags and dir? That's just so it packs better, > changing int would leave a 4-byte gap. Might as well move flags and dir > near the 4b refcount_t to avoid bloating the struct. Yes, I meant dir/flags but indeed, that makes sense ! Thanks, Clément > ^ permalink raw reply [flat|nested] 6+ messages in thread
* [syzbot ci] Re: io_uring/rsrc: remove registered buffer 1GB limit
  2026-05-05 7:39 [PATCH] io_uring/rsrc: remove registered buffer 1GB limit Jens Axboe
  2026-05-05 10:09 ` Jens Axboe
@ 2026-05-05 13:08 ` syzbot ci
  1 sibling, 0 replies; 6+ messages in thread
From: syzbot ci @ 2026-05-05 13:08 UTC (permalink / raw)
  To: andres, axboe, io-uring; +Cc: syzbot, syzkaller-bugs

syzbot ci has tested the following series

[v1] io_uring/rsrc: remove registered buffer 1GB limit
https://lore.kernel.org/all/6de5d329-9162-4992-85cb-f946f2d5c0b1@kernel.dk
* [PATCH] io_uring/rsrc: remove registered buffer 1GB limit

and found the following issue:
WARNING in io_pin_pages

Full report is available here:
https://ci.syzbot.org/series/576c7f20-d7fb-471a-a534-f8f67489e049

***

WARNING in io_pin_pages

tree: torvalds
URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux
base: c7e4e4d5f7dc2daa439303d1b5bf6bdfaa249f49
arch: amd64
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
config: https://ci.syzbot.org/builds/287c9ce7-c085-4a41-9f94-756762f8dacf/config
syz repro: https://ci.syzbot.org/findings/63ff94b0-aced-41c6-83fc-a917c57ad624/syz_repro

------------[ cut here ]------------
!(flags & __GFP_NOWARN)
WARNING: mm/slub.c:6840 at __kvmalloc_node_noprof+0x7be/0x8a0 mm/slub.c:6840, CPU#1: syz.1.18/5830
Modules linked in:
CPU: 1 UID: 0 PID: 5830 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:__kvmalloc_node_noprof+0x7be/0x8a0 mm/slub.c:6840
Code: ff 48 c7 c7 d0 bd a8 8e 48 89 de e8 dc 48 c9 02 e9 49 fc ff ff 48 c7 c7 10 be a8 8e 48 89 de e8 c8 48 c9 02 e9 7e fc ff ff 90 <0f> 0b 90 45 31 e4 e9 f8 fd ff ff 90 0f 0b 90 e9 52 ff ff ff 49 83
RSP: 0018:ffffc90003a37928 EFLAGS: 00010246
RAX: 0000000000000004 RBX: 0000000201000008 RCX: 0000000080000001
RDX: 0000000201000008 RSI: ffffffff8c28ac40 RDI: ffffffff8c28ac00
RBP: ffffc90003a37b70 R08: 00000000004028c0 R09: 00000000ffffffff
R10: 0000000000000006 R11: 0000000000000000 R12: 0000000000000000
R13: 00000000004028c0 R14: 0000000000000016 R15: 00000000ffffffff
FS: 00007fb3823ec6c0(0000) GS:ffff8882a9290000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffcca0efe68 CR3: 000000017064e000 CR4: 00000000000006f0
Call Trace:
 <TASK>
 io_pin_pages+0xac/0x1a0 io_uring/memmap.c:59
 io_sqe_buffer_register+0x228/0x1860 io_uring/rsrc.c:801
 io_sqe_buffers_register+0x2f9/0x7e0 io_uring/rsrc.c:913
 io_register_rsrc+0x24d/0x280 io_uring/rsrc.c:414
 __io_uring_register io_uring/register.c:843 [inline]
 __do_sys_io_uring_register io_uring/register.c:1029 [inline]
 __se_sys_io_uring_register+0xc5d/0x1ac0 io_uring/register.c:1006
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb38159cdd9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb3823ec028 EFLAGS: 00000246 ORIG_RAX: 00000000000001ab
RAX: ffffffffffffffda RBX: 00007fb381815fa0 RCX: 00007fb38159cdd9
RDX: 0000200000002700 RSI: 000000000000000f RDI: 0000000000000003
RBP: 00007fb381632d69 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000020 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fb381816038 R14: 00007fb381815fa0 R15: 00007fffdb4e7d78
 </TASK>

***

If these findings have caused you to resend the series or submit a
separate fix, please add the following tag to your commit message:
  Tested-by: syzbot@syzkaller.appspotmail.com

---
This report is generated by a bot. It may contain errors.
syzbot ci engineers can be reached at syzkaller@googlegroups.com.

To test a patch for this bug, please reply with `#syz test`
(should be on a separate line).

The patch should be attached to the email.
Note: arguments like custom git repos and branches are not supported.

^ permalink raw reply [flat|nested] 6+ messages in thread