On 7/11/20 9:52 AM, Hristo Venev wrote:
> On Sat, 2020-07-11 at 17:31 +0200, Dmitry Vyukov wrote:
>> Looking at the code more, I am not sure how it may not corrupt
>> memory.
>> There definitely should be some combinations where accessing
>> sq_entries*sizeof(u32) more memory won't be OK.
>> May be worth adding a test that allocates all possible sizes for
>> sq/cq
>> and fills both rings.
>
> The layout (after the fix) is roughly as follows:
>
> 1. struct io_rings - ~192 bytes, maybe 256
> 2. cqes - (32 << n) bytes
> 3. sq_array - (4 << n) bytes
>
> The bug was that the sq_array was offset by (4 << n) bytes. I think
> issues can only occur when
>
> PAGE_ALIGN(192 + (32 << n) + (4 << n) + (4 << n))
> !=
> PAGE_ALIGN(192 + (32 << n) + (4 << n))
>
> It looks like this never happens. We got lucky.

A bit of luck, but if that wasn't the case, then I'm sure we would have
found it when the original patch was tested. But thanks for double
checking!

-- 
Jens Axboe
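The condition quoted in the thread is easy to evaluate for every ring size io_uring accepts (sq_entries = 1 << n, capped at 32768, so n ≤ 15). The script below is an added example, not code from the thread or from the kernel; it assumes a 4096-byte page and reuses the thread's 192-byte approximation of struct io_rings. It evaluates the overrun condition under two rounding rules: strict PAGE_ALIGN as written in the mail, and the power-of-two page rounding that __get_free_pages(get_order(size)) applies, which is the assumption made here about how io_mem_alloc obtained the ring memory at the time. The second rule is what the "we got lucky" remark rests on: an allocation rounded up to a power of two leaves far more slack after the correct end of the rings than a single page boundary does.

```python
PAGE_SIZE = 4096           # assumed: 4 KiB pages
HEADER = 192               # struct io_rings size, as approximated in the thread
MAX_LOG2_SQ_ENTRIES = 15   # io_uring caps sq_entries at 32768 == 1 << 15


def page_align(size):
    """PAGE_ALIGN(): round size up to the next page boundary."""
    return (size + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1)


def get_order_bytes(size):
    """Bytes actually handed out by __get_free_pages(get_order(size)):
    the smallest power-of-two multiple of PAGE_SIZE that is >= size.
    Assumed model of io_mem_alloc(), stated here, not in the thread."""
    alloc = PAGE_SIZE
    while alloc < size:
        alloc <<= 1
    return alloc


def ring_layout(n):
    """Return (correct_end, buggy_end) for sq_entries == 1 << n.

    correct_end is the byte count rings_size() reports and allocates;
    buggy_end is where the misplaced sq_array (offset by one extra
    sq_array length, as described in the thread) ends."""
    cqes = 32 << n          # cq_entries defaults to 2 * sq_entries, 16 bytes each
    sq_array = 4 << n       # sq_entries * sizeof(u32)
    correct_end = HEADER + cqes + sq_array
    buggy_end = correct_end + sq_array
    return correct_end, buggy_end


def mismatching_sizes(rounding, max_n=MAX_LOG2_SQ_ENTRIES):
    """List every n whose misplaced sq_array reaches past the memory
    that `rounding` grants for correct_end. With rounding=page_align
    this is exactly the thread's PAGE_ALIGN(...) != PAGE_ALIGN(...)
    test, since buggy_end >= correct_end."""
    bad = []
    for n in range(max_n + 1):
        correct_end, buggy_end = ring_layout(n)
        if buggy_end > rounding(correct_end):
            bad.append(n)
    return bad


if __name__ == "__main__":
    for name, rule in (("PAGE_ALIGN", page_align), ("get_order", get_order_bytes)):
        print(f"{name:10s} overrun for n in {mismatching_sizes(rule)}")
```

Running it shows that under strict page alignment the two ends fall into different pages for every n from 9 upward, whereas under power-of-two page allocation the misplaced array never leaves the block that was actually allocated, for any permitted ring size. Whichever model is used, the out-of-place sq_array is still a read and write beyond the bytes rings_size() accounted for, which is why the offset fix matters regardless of whether a crash was ever observed.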