From: Keith Busch <kbusch@kernel.org>
To: Caleb Sander Mateos <csander@purestorage.com>
Cc: Tom Ryan <ryan36005@gmail.com>,
io-uring@vger.kernel.org, Jens Axboe <axboe@kernel.dk>,
Greg KH <gregkh@linuxfoundation.org>
Subject: Re: io_uring: OOB read in SQE_MIXED mode via sq_array physical index bypass
Date: Mon, 9 Mar 2026 15:54:21 -0600
Message-ID: <aa9Bjbplx3b_Uvmj@kbusch-mbp>
In-Reply-To: <CADUfDZpQ9=ZMR0kWzX_o3CT4G=9vGp2zsL_KKdPs6tUpG00c5A@mail.gmail.com>
On Mon, Mar 09, 2026 at 02:45:59PM -0700, Caleb Sander Mateos wrote:
> On Mon, Mar 9, 2026 at 2:34 PM Keith Busch <kbusch@kernel.org> wrote:
> >
> > On Mon, Mar 09, 2026 at 02:20:38PM -0700, Tom Ryan wrote:
> > > Patch attached.
> >
> > You can just submit the patch as text in the mail message.
> >
> > > @@ -1747,6 +1747,9 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req,
> > > if (!(ctx->flags & IORING_SETUP_SQE_MIXED) || *left < 2 ||
> > > !(ctx->cached_sq_head & (ctx->sq_entries - 1)))
> > > return io_init_fail_req(req, -EINVAL);
> > > + /* Validate physical SQE index has room for 128-byte read */
> > > + if ((unsigned)(sqe - ctx->sq_sqes) >= ctx->sq_entries - 1)
> > > + return io_init_fail_req(req, -EINVAL);
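Review bot: the added `if` at the end of the hunk is a second test that returns the same -EINVAL as the condition immediately above it, so `(unsigned)(sqe - ctx->sq_sqes) >= ctx->sq_entries - 1` should be folded into that `if` as an extra `||` clause rather than standing alone. Since this physical-index test is the one that covers the sq_array indirection, the comment should say why it exists (a 128-byte SQE needs slot index + 1 to exist in sq_sqes, which the cached_sq_head test does not guarantee when sq_array is in use), not just "has room for 128-byte read". On the arithmetic itself: `sqe - ctx->sq_sqes` is a pointer difference in units of struct io_uring_sqe, so comparing it against `sq_entries - 1` is entries against entries, and the unsigned cast turns a negative difference into a large value that also fails the check, which is the desired behaviour.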
> >
> > Isn't this new check redundant with the "left < 2" check preceding it?
>
> I think it's orthogonal with *left < 2. How many SQEs are remaining to
> submit is unrelated to the index of each SQE. It is, however,
> redundant with !(ctx->cached_sq_head & (ctx->sq_entries - 1)), but
> only in the IORING_SETUP_NO_SQARRAY case. For
> non-IORING_SETUP_NO_SQARRAY rings, the SQ indirection array entry can
> point to the last entry of the SQE array, causing the big SQE to
> extend past the end. Probably, this added condition can replace
> !(ctx->cached_sq_head & (ctx->sq_entries - 1)). That checks whether
> this is the last entry *in the SQ indirection array*, but it should be
> checking the SQE array.
Oh, right. The left < 2 was to confirm we have contiguous entries for a
big sqe, but you could index to an unaligned end with the sqarray.
Folding this into the previous 'if' sounds good. And please consider an
addition to liburing tests.
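To make the distinction Caleb draws concrete, here is a small C model of the two validations, added as an illustration for readers of this thread; it is not code from the patch, from io_uring or from liburing. It models a submission queue with an optional sq_array indirection, the logical-slot test the thread describes as insufficient, and the physical-index test from the patch, then reports whether a two-slot (128-byte) SQE read would be rejected, accepted safely, or accepted while extending past the end of the SQE array. The structures, the `submit_big_sqe` helper and the sample indirection table are all constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SQE_SIZE 64u   /* bytes per SQE slot; a "big" SQE in SQE_MIXED mode takes two */

enum verdict { REJECTED = 0, ACCEPTED_IN_BOUNDS = 1, ACCEPTED_OUT_OF_BOUNDS = 2 };

/* Toy model of a submission queue (assumption: not the kernel's io_ring_ctx). */
struct sq_model {
    unsigned sq_entries;       /* number of SQE slots, a power of two */
    const unsigned *sq_array;  /* logical -> physical indirection; NULL models NO_SQARRAY */
};

/* Map the logical slot at `head` to a physical SQE index, as the sq_array
 * indirection does. Returns false when the indirection entry is out of range. */
static bool resolve_sqe(const struct sq_model *sq, unsigned head, unsigned *phys)
{
    unsigned logical = head & (sq->sq_entries - 1);
    unsigned idx = sq->sq_array ? sq->sq_array[logical] : logical;
    if (idx >= sq->sq_entries)
        return false;
    *phys = idx;
    return true;
}

/* Check on the *logical* position (the test the thread calls insufficient):
 * rejects only when the consumed slot is the last one in the indirection array. */
static bool big_sqe_ok_logical(const struct sq_model *sq, unsigned head)
{
    return (head & (sq->sq_entries - 1)) != sq->sq_entries - 1;
}

/* Check on the *physical* index, as in the patch: a 128-byte SQE occupies
 * slots phys and phys + 1, so phys must be strictly below sq_entries - 1. */
static bool big_sqe_ok_physical(const struct sq_model *sq, unsigned phys)
{
    return phys < sq->sq_entries - 1;
}

/* Ground truth: does a two-slot read starting at phys stay inside the array? */
static bool big_sqe_in_bounds(const struct sq_model *sq, unsigned phys)
{
    uint64_t end = (uint64_t)phys * SQE_SIZE + 2 * SQE_SIZE;
    return end <= (uint64_t)sq->sq_entries * SQE_SIZE;
}

/* Run one big-SQE submission through the chosen validation and report whether
 * it was rejected, accepted safely, or accepted with an out-of-bounds read. */
static enum verdict submit_big_sqe(const struct sq_model *sq, unsigned head,
                                   bool physical_check)
{
    unsigned phys;
    if (!resolve_sqe(sq, head, &phys))
        return REJECTED;
    bool ok = physical_check ? big_sqe_ok_physical(sq, phys)
                             : big_sqe_ok_logical(sq, head);
    if (!ok)
        return REJECTED;
    return big_sqe_in_bounds(sq, phys) ? ACCEPTED_IN_BOUNDS
                                       : ACCEPTED_OUT_OF_BOUNDS;
}

/* Constructed sample: 8 slots; indirection entry 3 points at the last physical slot. */
static const unsigned sample_sq_array[8] = { 0, 1, 2, 7, 4, 5, 6, 3 };
static const struct sq_model sample_with_sqarray = { 8, sample_sq_array };
static const struct sq_model sample_no_sqarray  = { 8, NULL };

int main(void)
{
    static const char *names[] = { "rejected", "accepted, in bounds", "accepted, OUT OF BOUNDS" };
    printf("sq_array, head 3, logical check:  %s\n",
           names[submit_big_sqe(&sample_with_sqarray, 3, false)]);
    printf("sq_array, head 3, physical check: %s\n",
           names[submit_big_sqe(&sample_with_sqarray, 3, true)]);
    printf("no sq_array, head 7, logical:     %s\n",
           names[submit_big_sqe(&sample_no_sqarray, 7, false)]);
    printf("no sq_array, head 7, physical:    %s\n",
           names[submit_big_sqe(&sample_no_sqarray, 7, true)]);
    return 0;
}
```

With the indirection table in place, logical slot 3 is nowhere near the end of sq_array, so the logical test lets the submission through while the 128-byte read runs past the last SQE; the physical test rejects it. Without sq_array the two tests agree, which is why the redundancy Caleb points out only holds in the NO_SQARRAY case.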
Thread overview (4+ messages):
2026-03-09 21:20 io_uring: OOB read in SQE_MIXED mode via sq_array physical index bypass  Tom Ryan
2026-03-09 21:29 ` Keith Busch
2026-03-09 21:45 ` Caleb Sander Mateos
2026-03-09 21:54 ` Keith Busch [this message]