[PATCH 3/7] io_uring/net: isolate msghdr copying code

public inbox for [email protected]
 help / color / mirror / Atom feed

From: Pavel Begunkov <[email protected]>
To: [email protected]
Cc: [email protected]
Subject: [PATCH 3/7] io_uring/net: isolate msghdr copying code
Date: Wed, 26 Feb 2025 11:41:17 +0000	[thread overview]
Message-ID: <d3eb1f81c8cfbea9f1aa57dab90c472d2aa6e371.1740569495.git.asml.silence@gmail.com> (raw)
In-Reply-To: <[email protected]>

The user access section in io_msg_copy_hdr() is overextended by covering
selected buffers. It's hard to work with and prone to errors. Limit the
section to msghdr import only, selected buffers will do a separate
copy_from_user() call, and then move it into its own function. This
should be fine, selected buffer single shots are not important, for
multishots the overhead should be non-existent, and it's not that
expensive overall.

Signed-off-by: Pavel Begunkov <[email protected]>
---
 io_uring/net.c | 45 +++++++++++++++++++++++++--------------------
 1 file changed, 25 insertions(+), 20 deletions(-)

diff --git a/io_uring/net.c b/io_uring/net.c
index 0013a7169d10..67d768e6ecdd 100644
--- a/io_uring/net.c
+++ b/io_uring/net.c
@@ -243,6 +243,24 @@ static int io_compat_msg_copy_hdr(struct io_kiocb *req,
 }
 #endif
 
+static int io_copy_msghdr_from_user(struct user_msghdr *msg,
+				    struct user_msghdr __user *umsg)
+{
+	if (!user_access_begin(umsg, sizeof(*umsg)))
+		return -EFAULT;
+	unsafe_get_user(msg->msg_name, &umsg->msg_name, ua_end);
+	unsafe_get_user(msg->msg_namelen, &umsg->msg_namelen, ua_end);
+	unsafe_get_user(msg->msg_iov, &umsg->msg_iov, ua_end);
+	unsafe_get_user(msg->msg_iovlen, &umsg->msg_iovlen, ua_end);
+	unsafe_get_user(msg->msg_control, &umsg->msg_control, ua_end);
+	unsafe_get_user(msg->msg_controllen, &umsg->msg_controllen, ua_end);
+	user_access_end();
+	return 0;
+ua_end:
+	user_access_end();
+	return -EFAULT;
+}
+
 static int io_msg_copy_hdr(struct io_kiocb *req, struct io_async_msghdr *iomsg,
 			   struct user_msghdr *msg, int ddir)
 {
@@ -259,16 +277,10 @@ static int io_msg_copy_hdr(struct io_kiocb *req, struct io_async_msghdr *iomsg,
 		nr_segs = 1;
 	}
 
-	if (!user_access_begin(umsg, sizeof(*umsg)))
-		return -EFAULT;
+	ret = io_copy_msghdr_from_user(msg, umsg);
+	if (unlikely(ret))
+		return ret;
 
-	ret = -EFAULT;
-	unsafe_get_user(msg->msg_name, &umsg->msg_name, ua_end);
-	unsafe_get_user(msg->msg_namelen, &umsg->msg_namelen, ua_end);
-	unsafe_get_user(msg->msg_iov, &umsg->msg_iov, ua_end);
-	unsafe_get_user(msg->msg_iovlen, &umsg->msg_iovlen, ua_end);
-	unsafe_get_user(msg->msg_control, &umsg->msg_control, ua_end);
-	unsafe_get_user(msg->msg_controllen, &umsg->msg_controllen, ua_end);
 	msg->msg_flags = 0;
 
 	if (req->flags & REQ_F_BUFFER_SELECT) {
@@ -276,24 +288,17 @@ static int io_msg_copy_hdr(struct io_kiocb *req, struct io_async_msghdr *iomsg,
 			sr->len = iov->iov_len = 0;
 			iov->iov_base = NULL;
 		} else if (msg->msg_iovlen > 1) {
-			ret = -EINVAL;
-			goto ua_end;
+			return -EINVAL;
 		} else {
 			struct iovec __user *uiov = msg->msg_iov;
 
-			/* we only need the length for provided buffers */
-			if (!access_ok(&uiov->iov_len, sizeof(uiov->iov_len)))
-				goto ua_end;
-			unsafe_get_user(iov->iov_len, &uiov->iov_len, ua_end);
+			if (copy_from_user(iov, uiov, sizeof(*iov)))
+				return -EFAULT;
 			sr->len = iov->iov_len;
 		}
-		ret = 0;
-ua_end:
-		user_access_end();
-		return ret;
+		return 0;
 	}
 
-	user_access_end();
 	ret = __import_iovec(ddir, msg->msg_iov, msg->msg_iovlen, nr_segs,
 				&iov, &iomsg->msg.msg_iter, false);
 	if (unlikely(ret < 0))
-- 
2.48.1

next prev parent reply	other threads:[~2025-02-26 11:40 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-02-26 11:41 [PATCH 0/7] improve net msghdr / iovec handlng Pavel Begunkov
2025-02-26 11:41 ` [PATCH 1/7] io_uring/net: remove unnecessary REQ_F_NEED_CLEANUP Pavel Begunkov
2025-02-26 11:41 ` [PATCH 2/7] io_uring/net: simplify compat selbuf iov parsing Pavel Begunkov
2025-02-26 11:41 ` Pavel Begunkov [this message]
2025-02-26 11:41 ` [PATCH 4/7] io_uring/net: verify msghdr before copying iovec Pavel Begunkov
2025-02-26 11:41 ` [PATCH 5/7] io_uring/net: derive iovec storage later Pavel Begunkov
2025-02-26 11:41 ` [PATCH 6/7] io_uring/net: unify *mshot_prep calls with compat Pavel Begunkov
2025-02-26 11:41 ` [PATCH 7/7] io_uring/net: extract iovec import into a helper Pavel Begunkov
2025-02-26 17:41 ` [PATCH 0/7] improve net msghdr / iovec handlng Jens Axboe

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:0013a7169d1 dfblob:67d768e6ecd )
 OR (
bs:"[PATCH 3/7] io_uring/net: isolate msghdr copying code" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=d3eb1f81c8cfbea9f1aa57dab90c472d2aa6e371.1740569495.git.asml.silence@gmail.com \
    [email protected] \
    [email protected] \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox