On Sat, Jul 11, 2020 at 6:16 PM Dmitry Vyukov <dvyukov@xxxxxxxxxx> wrote: > > On Sat, Jul 11, 2020 at 5:52 PM Hristo Venev <hristo@xxxxxxxxxx> wrote: > > > > On Sat, 2020-07-11 at 17:31 +0200, Dmitry Vyukov wrote: > > > Looking at the code more, I am not sure how it may not corrupt > > > memory. > > > There definitely should be some combinations where accessing > > > sq_entries*sizeof(u32) more memory won't be OK. > > > May be worth adding a test that allocates all possible sizes for > > > sq/cq > > > and fills both rings. > > > > The layout (after the fix) is roughly as follows: > > > > 1. struct io_rings - ~192 bytes, maybe 256 > > 2. cqes - (32 << n) bytes > > 3. sq_array - (4 << n) bytes > > > > The bug was that the sq_array was offset by (4 << n) bytes. I think > > issues can only occur when > > > > PAGE_ALIGN(192 + (32 << n) + (4 << n) + (4 << n)) > > != > > PAGE_ALIGN(192 + (32 << n) + (4 << n)) > > > > It looks like this never happens. We got lucky. > > Interesting. CQ entries are larger and we have at least that many of > them as SQ entries. I guess this + power-of-2-pages can make it never > overflow. Hi Jens, I see this patch is in block/for-5.9/io_uring Is this tree merged into linux-next? I don't see it in linux-next yet. Or is it possible to get it into 5.8? The reason I am asking is that we have an intern (Necip in CC) working on significantly extending io_uring coverage in syzkaller: https://github.com/google/syzkaller/pull/1926 Unfortunately we had to hardcode offset computation logic b/c the intended way of using io_uring for normal programs represents an additional obstacle for the fuzzer and the relations between syscalls and writes to shared memory are even hard to express for the fuzzer. We want to hardcode this new updated way of computing offsets, but this means we probably won't get good coverage until the intern term ends (+ may be good to discover some io_uring bugs before the release). If it won't get into linux-next/mainline until 5.9, it's not a big deal, but I wanted to ask.
