On Sat, Jul 11, 2020 at 5:52 PM Hristo Venev <hristo@xxxxxxxxxx> wrote:
>
> On Sat, 2020-07-11 at 17:31 +0200, Dmitry Vyukov wrote:
> > Looking at the code more, I am not sure how it may not corrupt
> > memory.
> > There definitely should be some combinations where accessing
> > sq_entries*sizeof(u32) more memory won't be OK.
> > May be worth adding a test that allocates all possible sizes for
> > sq/cq
> > and fills both rings.
>
> The layout (after the fix) is roughly as follows:
>
> 1. struct io_rings - ~192 bytes, maybe 256
> 2. cqes - (32 << n) bytes
> 3. sq_array - (4 << n) bytes
>
> The bug was that the sq_array was offset by (4 << n) bytes. I think
> issues can only occur when
>
> PAGE_ALIGN(192 + (32 << n) + (4 << n) + (4 << n))
> !=
> PAGE_ALIGN(192 + (32 << n) + (4 << n))
>
> It looks like this never happens. We got lucky.

Interesting. CQ entries are larger and we have at least that many of them
as SQ entries. I guess this + power-of-2-pages can make it never overflow.
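A check of the size arithmetic discussed in this thread, added here as an example and not code from either mail: it models the layout Hristo describes and, for each ring size n, tests whether the extra (4 << n) bytes would cross the end of the allocation, both under PAGE_ALIGN() and under power-of-two page rounding (assumed here as a model of the "power-of-2 pages" Dmitry mentions). 4 KiB pages, a header of 192 or 256 bytes and n up to 15 are assumptions.

```c
#include <stdio.h>
/* Added example, not code from the thread. Models the layout above with
 * 4 KiB pages, sq_entries = 1 << n, cqes = 32 << n and sq_array = 4 << n
 * (assumptions); the bug shifted sq_array by (4 << n) extra bytes. */
#define PAGE_SIZE 4096UL

/* PAGE_ALIGN(): round up to the next page boundary. */
static unsigned long page_align(unsigned long size)
{
    return (size + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);
}

/* Round up to a power-of-two number of pages, as an order-based page
 * allocator does (the "power-of-2 pages" in the reply; assumption). */
static unsigned long pow2_pages(unsigned long size)
{
    unsigned long alloc = PAGE_SIZE;
    while (alloc < size)
        alloc <<= 1;
    return alloc;
}

/* Bytes the correct layout needs, and bytes the buggy layout touches. */
static unsigned long rings_size(unsigned long hdr, unsigned n)
{
    return hdr + (32UL << n) + (4UL << n);
}
static unsigned long buggy_extent(unsigned long hdr, unsigned n)
{
    return rings_size(hdr, n) + (4UL << n);
}

/* Smallest n (up to 15, i.e. 32768 sq entries, assumed) whose buggy extent
 * needs more memory than the correct size gets under rnd, or -1 if none. */
static int first_overflowing_order(unsigned long hdr,
                                   unsigned long (*rnd)(unsigned long))
{
    for (unsigned n = 0; n <= 15; n++)
        if (rnd(buggy_extent(hdr, n)) != rnd(rings_size(hdr, n)))
            return (int)n;
    return -1;
}

int main(void)
{
    printf("hdr=192: PAGE_ALIGN first overflow n=%d, pow2 pages n=%d\n",
           first_overflowing_order(192, page_align), first_overflowing_order(192, pow2_pages));
    return 0;
}
```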