On 2/26/24 4:54 PM, Jens Axboe wrote:
> @@ -305,11 +310,13 @@ static int __io_msg_copy_hdr(struct io_kiocb *req, struct io_async_msghdr *iomsg
> iomsg->fast_iov[0].iov_base = NULL;
> iomsg->free_iov = NULL;
> } else if (msg.msg_iovlen > 1) {
> - return -EINVAL;
> + ret = -EINVAL;
> + goto uaccess_end;
> } else {
> - if (copy_from_user(iomsg->fast_iov, msg.msg_iov,
> - sizeof(*msg.msg_iov)))
> - return -EFAULT;
> + unsafe_get_user(iomsg->fast_iov[0].iov_base,
> + &msg.msg_iov[0].iov_base, uaccess_end);
> + unsafe_get_user(iomsg->fast_iov[0].iov_len,
> + &msg.msg_iov[0].iov_len, uaccess_end);
> sr->len = iomsg->fast_iov[0].iov_len;
> iomsg->free_iov = NULL;
Missed an access_ok() in this section, the committed patch has it: https://git.kernel.dk/cgit/linux/commit/?h=io_uring-send-queue&id=1a5c271af083bccfed400bad7105d9d06290bbf6 -- Jens Axboe