From: Gabriel Krisman Bertazi <krisman@suse.de>
To: Wojciech Lukowicz <wlukowicz01@gmail.com>
Cc: Jens Axboe <axboe@kernel.dk>, io-uring@vger.kernel.org
Subject: Re: [PATCH] io_uring: fix size calculation when registering buf ring
Date: Mon, 20 Feb 2023 11:37:22 -0300 [thread overview]
Message-ID: <87edqke731.fsf@suse.de> (raw)
In-Reply-To: <20230218184141.70891-1-wlukowicz01@gmail.com> (Wojciech Lukowicz's message of "Sat, 18 Feb 2023 18:41:41 +0000")
Wojciech Lukowicz <wlukowicz01@gmail.com> writes:
> Using struct_size() to calculate the size of io_uring_buf_ring will sum
> the size of the struct and of the bufs array. However, the struct's fields
> are overlaid with the array making the calculated size larger than it
> should be.
>
> When registering a ring with N * PAGE_SIZE / sizeof(struct io_uring_buf)
> entries, i.e. with fully filled pages, the calculated size will span one
> more page than it should and io_uring will try to pin the following page.
> Depending on how the application allocated the ring, it might succeed
> using an unrelated page or fail returning EFAULT.
>
> The size of the ring should be the product of ring_entries and the size
> of io_uring_buf, i.e. the size of the bufs array only.
>
> Fixes: c7fb19428d67 ("io_uring: add support for ring mapped supplied buffers")
> Signed-off-by: Wojciech Lukowicz <wlukowicz01@gmail.com>
Makes sense to me and tested. Feel free to add
Reviewed-by: Gabriel Krisman Bertazi <krisman@suse.de>
> ---
> I'll send a liburing test shortly.
>
> io_uring/kbuf.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/io_uring/kbuf.c b/io_uring/kbuf.c
> index 4a6401080c1f..3002dc827195 100644
> --- a/io_uring/kbuf.c
> +++ b/io_uring/kbuf.c
> @@ -505,7 +505,7 @@ int io_register_pbuf_ring(struct io_ring_ctx *ctx, void __user *arg)
> }
>
> pages = io_pin_pages(reg.ring_addr,
> - struct_size(br, bufs, reg.ring_entries),
> + flex_array_size(br, bufs, reg.ring_entries),
> &nr_pages);
> if (IS_ERR(pages)) {
> kfree(free_bl);
--
Gabriel Krisman Bertazi
next prev parent reply other threads:[~2023-02-20 14:37 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-18 18:41 [PATCH] io_uring: fix size calculation when registering buf ring Wojciech Lukowicz
2023-02-20 14:37 ` Gabriel Krisman Bertazi [this message]
2023-02-22 16:54 ` Jens Axboe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87edqke731.fsf@suse.de \
--to=krisman@suse.de \
--cc=axboe@kernel.dk \
--cc=io-uring@vger.kernel.org \
--cc=wlukowicz01@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.