From: Gabriel Krisman Bertazi <krisman@suse.de>
To: Deepanshu Kartikey <kartikey406@gmail.com>, axboe@kernel.dk
Cc: io-uring@vger.kernel.org, linux-kernel@vger.kernel.org,
Deepanshu Kartikey <kartikey406@gmail.com>,
syzbot+f99b00a963915b6b52c6@syzkaller.appspotmail.com
Subject: Re: [PATCH] io_uring/memmap: bound io_pin_pages() by page array byte size
Date: Mon, 22 Jun 2026 10:11:32 -0400
Message-ID: <87bjd2psvf.fsf@mailhost.krisman.be>
In-Reply-To: <20260621012933.50571-1-kartikey406@gmail.com>
Deepanshu Kartikey <kartikey406@gmail.com> writes:
> io_pin_pages() checks that nr_pages does not exceed INT_MAX, then
> allocates a struct page * array of nr_pages entries. kvmalloc() limits
> allocations to INT_MAX bytes, but the check counts pages, not bytes.
> On 64-bit each entry is 8 bytes, so the array hits the INT_MAX byte
> limit at INT_MAX / sizeof(struct page *) pages, well before the page
> count check fires.
>
> Since commit b4e41050b212 ("io_uring/rsrc: raise registered buffer 1GB
> limit") raised the per-buffer cap to 1TB, a buffer near that cap maps
> ~2^28 pages, making the array allocation exceed INT_MAX bytes. This
> passes the page count check, reaches kvmalloc(), and triggers the
> WARN_ON_ONCE() for oversized allocations in __kvmalloc_node_noprof().
>
> Check nr_pages against INT_MAX / sizeof(struct page *) so the buffer is
> rejected with -EOVERFLOW before the allocation is attempted.
>
> Reported-by: syzbot+f99b00a963915b6b52c6@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=f99b00a963915b6b52c6
> Fixes: b4e41050b212 ("io_uring/rsrc: raise registered buffer 1GB limit")
> Tested-by: syzbot+f99b00a963915b6b52c6@syzkaller.appspotmail.com
> Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Looks good, feel free to add:
Reviewed-by: Gabriel Krisman Bertazi <krisman@suse.de>
> ---
> io_uring/memmap.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/io_uring/memmap.c b/io_uring/memmap.c
> index 4f9b439319c4..da1f6c5d07f8 100644
> --- a/io_uring/memmap.c
> +++ b/io_uring/memmap.c
> @@ -53,7 +53,7 @@ struct page **io_pin_pages(unsigned long uaddr, unsigned long len, int *npages)
> nr_pages = end - start;
> if (WARN_ON_ONCE(!nr_pages))
> return ERR_PTR(-EINVAL);
> - if (WARN_ON_ONCE(nr_pages > INT_MAX))
> + if (nr_pages > INT_MAX / sizeof(struct page *))
> return ERR_PTR(-EOVERFLOW);
>
> pages = kvmalloc_objs(struct page *, nr_pages, GFP_KERNEL_ACCOUNT);
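Review bot: the replaced line deserves a one-line comment, because `INT_MAX / sizeof(struct page *)` reads as an arbitrary constant without the commit message next to it; something like `/* the page array itself must fit kvmalloc()'s INT_MAX byte limit */` above the `if` would spare the next reader a trip to the log. Dropping the `WARN_ON_ONCE()` wrapper in the same hunk is the right call, since the commit message shows the condition is reachable from userspace with a large registered buffer and a warning there is just a syzbot splat; the remaining `WARN_ON_ONCE(!nr_pages)` two lines above is untouched and stays appropriate for a genuinely internal error. Keeping `-EOVERFLOW` as the return value also preserves the pre-existing error contract for callers.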
> --
> 2.43.0
>
--
Gabriel Krisman Bertazi
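As an added illustration, not code from the patch or from the kernel tree, the arithmetic the commit message describes: how many pages a buffer near the 1TB cap maps, the byte size of the `struct page *` array kvmalloc() would be asked for, and why the old entry-count bound accepts it while the byte-size bound rejects it. `PAGE_SHIFT`, the `page_ptr` typedef and the 1TB buffer are constructed stand-ins, and an LP64 host (8-byte pointers) is assumed.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed stand-ins (not kernel definitions): a 4K page and an opaque
 * pointer type whose only relevant property is sizeof(page_ptr) == 8 on
 * a 64-bit host, matching sizeof(struct page *).
 */
#define PAGE_SHIFT 12UL
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
typedef void *page_ptr;

/* Same rounding io_pin_pages() applies: partial head and tail pages count. */
static unsigned long pages_for_range(unsigned long uaddr, unsigned long len)
{
	unsigned long start = uaddr >> PAGE_SHIFT;
	unsigned long end = (uaddr + len + PAGE_SIZE - 1) >> PAGE_SHIFT;

	return end - start;
}

/* Pre-patch bound: counts array entries, so up to INT_MAX pointers pass. */
static bool old_bound_ok(unsigned long nr_pages)
{
	return nr_pages <= INT_MAX;
}

/* Patched bound: the pointer array itself must fit kvmalloc()'s INT_MAX bytes. */
static bool new_bound_ok(unsigned long nr_pages)
{
	return nr_pages <= INT_MAX / sizeof(page_ptr);
}

/* Byte size the allocator would actually be asked for. */
static unsigned long array_bytes(unsigned long nr_pages)
{
	return nr_pages * sizeof(page_ptr);
}

int main(void)
{
	unsigned long one_tb = 1UL << 40;	/* constructed: buffer at the 1TB cap */
	unsigned long nr = pages_for_range(0, one_tb);

	printf("1TB buffer -> %lu pages, %lu array bytes (INT_MAX = %d)\n",
	       nr, array_bytes(nr), INT_MAX);
	printf("old check: %s, new check: %s\n",
	       old_bound_ok(nr) ? "accept" : "reject",
	       new_bound_ok(nr) ? "accept" : "reject");
	return 0;
}
```

A page-aligned 1TB buffer maps exactly 2^28 pages; the array for it is 2^31 bytes, one past INT_MAX, which is why the old check passes and kvmalloc() warns, whereas the byte-size bound (INT_MAX / 8 = 2^28 - 1 pages on 64-bit) rejects it before any allocation is attempted.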