[bug report] io_uring: add support for fixed wait regions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hello Jens Axboe,

Commit 4b926ab18279 ("io_uring: add support for fixed wait regions")
from Oct 22, 2024 (linux-next), leads to the following Smatch static
checker warning:

	io_uring/register.c:616 io_register_cqwait_reg()
	warn: was expecting a 64 bit value instead of '~(~(((1) << 12) - 1))'

io_uring/register.c
    594 static int io_register_cqwait_reg(struct io_ring_ctx *ctx, void __user *uarg)
    595 {
    596         struct io_uring_cqwait_reg_arg arg;
    597         struct io_uring_reg_wait *reg;
    598         struct page **pages;
    599         unsigned long len;
    600         int nr_pages, poff;
    601         int ret;
    602 
    603         if (ctx->cq_wait_page || ctx->cq_wait_arg)
    604                 return -EBUSY;
    605         if (copy_from_user(&arg, uarg, sizeof(arg)))
    606                 return -EFAULT;
    607         if (!arg.nr_entries || arg.flags)
    608                 return -EINVAL;
    609         if (arg.struct_size != sizeof(*reg))
    610                 return -EINVAL;
    611         if (check_mul_overflow(arg.struct_size, arg.nr_entries, &len))
    612                 return -EOVERFLOW;
    613         if (len > PAGE_SIZE)
    614                 return -EINVAL;
    615         /* offset + len must fit within a page, and must be reg_wait aligned */
--> 616         poff = arg.user_addr & ~PAGE_MASK;

This is a harmless thing, but on 32 bit systems you can put whatever you want in
the high 32 bits of arg.user_addr and it won't affect anything.

    617         if (len + poff > PAGE_SIZE)
    618                 return -EINVAL;
    619         if (poff % arg.struct_size)
    620                 return -EINVAL;
    621 
    622         pages = io_pin_pages(arg.user_addr, len, &nr_pages);

There ought to be a Smatch warning about that sort of thing here really but
there isn't yet.

    623         if (IS_ERR(pages))
    624                 return PTR_ERR(pages);
    625         ret = -EINVAL;
    626         if (nr_pages != 1)
    627                 goto out_free;
    628         if (ctx->user) {
    629                 ret = __io_account_mem(ctx->user, 1);
    630                 if (ret)
    631                         goto out_free;
    632         }
    633 
    634         reg = vmap(pages, 1, VM_MAP, PAGE_KERNEL);
    635         if (reg) {
    636                 ctx->cq_wait_index = arg.nr_entries - 1;
    637                 WRITE_ONCE(ctx->cq_wait_page, pages);
    638                 WRITE_ONCE(ctx->cq_wait_arg, (void *) reg + poff);
    639                 return 0;
    640         }
    641         ret = -ENOMEM;
    642         if (ctx->user)
    643                 __io_unaccount_mem(ctx->user, 1);
    644 out_free:
    645         io_pages_free(&pages, nr_pages);
    646         return ret;
    647 }

regards,
dan carpenter
[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux