Message-ID: <2805e3cf-becb-4bcf-bf5e-96d3820f437b@kernel.dk>
Date: Thu, 18 Dec 2025 20:28:30 -0700
X-Mailing-List: linux-kernel@vger.kernel.org
Subject: Re: [PATCH] io_uring/rsrc: fix slab-out-of-bounds in io_buffer_register_bvec
To: Keith Busch, veygax
Cc: Ming Lei, "io-uring@vger.kernel.org", Caleb Sander Mateos, "linux-kernel@vger.kernel.org"
References: <20251217210316.188157-3-veyga@veygax.dev> <80a3a680-e42c-4d4e-b613-72385d3f46d5@veygax.dev>
From: Jens Axboe

On 12/18/25 4:00 PM, Keith Busch wrote:
> On Thu, Dec 18, 2025 at 01:13:11AM +0000, veygax wrote:
>> On 18/12/2025 00:56, Keith Busch wrote:
>>> I believe you're supposed to use the bio_add_page() API rather than open
>>> code the bvec setup.
>>
>> True, but I wanted fine control to prove my theory
>
> But doesn't that just prove misusing the interface breaks things? Is
> there currently a legit way to get this error without the misuse? Or is
> there existing mis-use in the kernel that should be fixed instead?

This is the big question, and also why I originally rejected the posted
poc as it's not a valid use case.

veygax, please make a real reproducer or detail how this can actually
happen with the exposed APIs.

-- 
Jens Axboe