From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7353D4963C7; Sat, 28 Feb 2026 17:45:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772300751; cv=none; b=l4AbKKFzmEFIKFveF0EZUjT60yovCDi2gYvyOwVhIEtTCXUKGjhgl0LFh4dymssPESEs/uN225OWs+jUXDQcWxA8xqoaviCXKF41wszUryaBeoBXdpg9p45UUYaK5XerCYcReCvEzYdj4tGdVaRkRbYr3TAN85Jgw83F+FL7AUo= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772300751; c=relaxed/simple; bh=LNzFhU9XfZhjf8xxOub6ucNaRuUyk/B2S4O+7kveyFs=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=p4qFJTJkjP2GvE5njuA72UJU5zY1Tj3j6yOL0DnS1ihSsS4CudFqhaeOVRDNFp8ri2cFbvAWuwAkHoN2wubFzRzm9HaATPh9+LPrmpPIHrIPy0cvG67hTbBoNg/gQt/p7rQ34zsKqj3BbRCJNnG+96/eMhuKQxQFjyalNTNtaeQ= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=Qyv7oFsi; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="Qyv7oFsi" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 8BAE8C19424; Sat, 28 Feb 2026 17:45:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1772300751; bh=LNzFhU9XfZhjf8xxOub6ucNaRuUyk/B2S4O+7kveyFs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Qyv7oFsiZaoDhAbEBuEzf1ifhVT6UrptbGQT9O0KwqBD8eQUbJE1Ra4Sut1C7HuJz X3r5CqORQZoT+gghZe3JeET9akDQVKttxUoaxwAczJPIVqZgV0HvXKF7DcKypp1ML/ IMuoJEY38JSxHOdqXIYlct+Z8hGuYhMMj63lwlaL2TSdE0AaTJNypoD7YaxW7xdDeZ dm9Ya4peutWZoRHq+MCWIhwfxwWq9lZbxHcRn8n/wJWcOisEz5r5WdPhWMFd9CcmlQ aYzzKdlsIYj3xsm1nZ3BDATb6Kk4tqfObzhsEn82AUWn0b6JOTZBcx0PT35YIUfSOQ 3VhD0NoJdadAA== From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Jens Axboe , Sasha Levin Subject: [PATCH 6.19 787/844] io_uring/filetable: clamp alloc_hint to the configured alloc range Date: Sat, 28 Feb 2026 12:31:40 -0500 Message-ID: <20260228173244.1509663-788-sashal@kernel.org> X-Mailer: git-send-email 2.51.0 In-Reply-To: <20260228173244.1509663-1-sashal@kernel.org> References: <20260228173244.1509663-1-sashal@kernel.org> Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit From: Jens Axboe [ Upstream commit a6bded921ed35f21b3f6bd8e629bf488499ca442 ] Explicit fixed file install/remove operations on slots outside the configured alloc range can corrupt alloc_hint via io_file_bitmap_set() and io_file_bitmap_clear(), which unconditionally update alloc_hint to the bit position. This causes subsequent auto-allocations to fall outside the configured range. For example, if the alloc range is [10, 20) and a file is removed at slot 2, alloc_hint gets set to 2. The next auto-alloc then starts searching from slot 2, potentially returning a slot below the range. Fix this by clamping alloc_hint to [file_alloc_start, file_alloc_end) at the top of io_file_bitmap_get() before starting the search. Cc: stable@vger.kernel.org Fixes: 6e73dffbb93c ("io_uring: let to set a range for file slot allocation") Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin --- io_uring/filetable.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/io_uring/filetable.c b/io_uring/filetable.c index 794ef95df293c..cb1838c9fc377 100644 --- a/io_uring/filetable.c +++ b/io_uring/filetable.c @@ -22,6 +22,10 @@ static int io_file_bitmap_get(struct io_ring_ctx *ctx) if (!table->bitmap) return -ENFILE; + if (table->alloc_hint < ctx->file_alloc_start || + table->alloc_hint >= ctx->file_alloc_end) + table->alloc_hint = ctx->file_alloc_start; + do { ret = find_next_zero_bit(table->bitmap, nr, table->alloc_hint); if (ret != nr) -- 2.51.0