* [PATCH] io_uring: fix size calculation when registering buf ring
@ 2023-02-18 18:41 Wojciech Lukowicz
2023-02-20 14:37 ` Gabriel Krisman Bertazi
2023-02-22 16:54 ` Jens Axboe
0 siblings, 2 replies; 3+ messages in thread
From: Wojciech Lukowicz @ 2023-02-18 18:41 UTC (permalink / raw)
To: Jens Axboe; +Cc: io-uring, Wojciech Lukowicz
Using struct_size() to calculate the size of io_uring_buf_ring will sum
the size of the struct and of the bufs array. However, the struct's fields
are overlaid with the array making the calculated size larger than it
should be.
When registering a ring with N * PAGE_SIZE / sizeof(struct io_uring_buf)
entries, i.e. with fully filled pages, the calculated size will span one
more page than it should and io_uring will try to pin the following page.
Depending on how the application allocated the ring, it might succeed
using an unrelated page or fail returning EFAULT.
The size of the ring should be the product of ring_entries and the size
of io_uring_buf, i.e. the size of the bufs array only.
Fixes: c7fb19428d67 ("io_uring: add support for ring mapped supplied buffers")
Signed-off-by: Wojciech Lukowicz <[email protected]>
---
I'll send a liburing test shortly.
io_uring/kbuf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/io_uring/kbuf.c b/io_uring/kbuf.c
index 4a6401080c1f..3002dc827195 100644
--- a/io_uring/kbuf.c
+++ b/io_uring/kbuf.c
@@ -505,7 +505,7 @@ int io_register_pbuf_ring(struct io_ring_ctx *ctx, void __user *arg)
}
pages = io_pin_pages(reg.ring_addr,
- struct_size(br, bufs, reg.ring_entries),
+ flex_array_size(br, bufs, reg.ring_entries),
&nr_pages);
if (IS_ERR(pages)) {
kfree(free_bl);
--
2.30.2
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH] io_uring: fix size calculation when registering buf ring
2023-02-18 18:41 [PATCH] io_uring: fix size calculation when registering buf ring Wojciech Lukowicz
@ 2023-02-20 14:37 ` Gabriel Krisman Bertazi
2023-02-22 16:54 ` Jens Axboe
1 sibling, 0 replies; 3+ messages in thread
From: Gabriel Krisman Bertazi @ 2023-02-20 14:37 UTC (permalink / raw)
To: Wojciech Lukowicz; +Cc: Jens Axboe, io-uring
Wojciech Lukowicz <[email protected]> writes:
> Using struct_size() to calculate the size of io_uring_buf_ring will sum
> the size of the struct and of the bufs array. However, the struct's fields
> are overlaid with the array making the calculated size larger than it
> should be.
>
> When registering a ring with N * PAGE_SIZE / sizeof(struct io_uring_buf)
> entries, i.e. with fully filled pages, the calculated size will span one
> more page than it should and io_uring will try to pin the following page.
> Depending on how the application allocated the ring, it might succeed
> using an unrelated page or fail returning EFAULT.
>
> The size of the ring should be the product of ring_entries and the size
> of io_uring_buf, i.e. the size of the bufs array only.
>
> Fixes: c7fb19428d67 ("io_uring: add support for ring mapped supplied buffers")
> Signed-off-by: Wojciech Lukowicz <[email protected]>
Makes sense to me and tested. Feel free to add
Reviewed-by: Gabriel Krisman Bertazi <[email protected]>
> ---
> I'll send a liburing test shortly.
>
> io_uring/kbuf.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/io_uring/kbuf.c b/io_uring/kbuf.c
> index 4a6401080c1f..3002dc827195 100644
> --- a/io_uring/kbuf.c
> +++ b/io_uring/kbuf.c
> @@ -505,7 +505,7 @@ int io_register_pbuf_ring(struct io_ring_ctx *ctx, void __user *arg)
> }
>
> pages = io_pin_pages(reg.ring_addr,
> - struct_size(br, bufs, reg.ring_entries),
> + flex_array_size(br, bufs, reg.ring_entries),
> &nr_pages);
> if (IS_ERR(pages)) {
> kfree(free_bl);
--
Gabriel Krisman Bertazi
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [PATCH] io_uring: fix size calculation when registering buf ring
2023-02-18 18:41 [PATCH] io_uring: fix size calculation when registering buf ring Wojciech Lukowicz
2023-02-20 14:37 ` Gabriel Krisman Bertazi
@ 2023-02-22 16:54 ` Jens Axboe
1 sibling, 0 replies; 3+ messages in thread
From: Jens Axboe @ 2023-02-22 16:54 UTC (permalink / raw)
To: Wojciech Lukowicz; +Cc: io-uring
On Sat, 18 Feb 2023 18:41:41 +0000, Wojciech Lukowicz wrote:
> Using struct_size() to calculate the size of io_uring_buf_ring will sum
> the size of the struct and of the bufs array. However, the struct's fields
> are overlaid with the array making the calculated size larger than it
> should be.
>
> When registering a ring with N * PAGE_SIZE / sizeof(struct io_uring_buf)
> entries, i.e. with fully filled pages, the calculated size will span one
> more page than it should and io_uring will try to pin the following page.
> Depending on how the application allocated the ring, it might succeed
> using an unrelated page or fail returning EFAULT.
>
> [...]
Applied, thanks!
[1/1] io_uring: fix size calculation when registering buf ring
commit: 8318ba8fbd645d269f2e9a590f72f8bad8b5c295
Best regards,
--
Jens Axboe
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-02-22 16:54 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-02-18 18:41 [PATCH] io_uring: fix size calculation when registering buf ring Wojciech Lukowicz
2023-02-20 14:37 ` Gabriel Krisman Bertazi
2023-02-22 16:54 ` Jens Axboe
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox