rings_size() sets sq_offset to the total size of the rings
(the returned value which is used for memory allocation).
This is wrong: sq array should be located within the rings,
not after them. Set sq_offset to where it should be.
Signed-off-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
Cc: io-uring@xxxxxxxxxxxxxxx
Cc: Hristo Venev <hristo@xxxxxxxxxx>
Fixes: 75b28affdd6a ("io_uring: allocate the two rings together")
---
This looks so wrong and yet io_uring works.
So I am either missing something very obvious here,
or io_uring worked only due to lucky side-effects
of rounding size to power-of-2 number of pages
(which gave it enough slack at the end),
maybe reading/writing some unrelated memory
with some sizes.
If I am wrong, please poke my nose into what I am not seeing.
Otherwise, we probably need to CC stable as well.
---
fs/io_uring.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index ca8abde48b6c7..c4c3731ed41e9 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -7063,6 +7063,9 @@ static unsigned long rings_size(unsigned sq_entries, unsigned cq_entries,
return SIZE_MAX;
#endif
+ if (sq_offset)
+ *sq_offset = off;
+
sq_array_size = array_size(sizeof(u32), sq_entries);
if (sq_array_size == SIZE_MAX)
return SIZE_MAX;
@@ -7070,9 +7073,6 @@ static unsigned long rings_size(unsigned sq_entries, unsigned cq_entries,
if (check_add_overflow(off, sq_array_size, &off))
return SIZE_MAX;
- if (sq_offset)
- *sq_offset = off;
-
return off;
}
--
2.27.0.383.g050319c2ae-goog
