Patch "io_uring: check for rollover of buffer ID when providing buffers" has been added to the 6.0-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Mon, 14 Nov 2022 11:38:37 +0100

This is a note to let you know that I've just added the patch titled

    io_uring: check for rollover of buffer ID when providing buffers

to the 6.0-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     io_uring-check-for-rollover-of-buffer-id-when-providing-buffers.patch
and it can be found in the queue-6.0 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 3851d25c75ed03117268a8feb34adca5a843a126 Mon Sep 17 00:00:00 2001
From: Jens Axboe <axboe@xxxxxxxxx>
Date: Thu, 10 Nov 2022 10:50:55 -0700
Subject: io_uring: check for rollover of buffer ID when providing buffers

From: Jens Axboe <axboe@xxxxxxxxx>

commit 3851d25c75ed03117268a8feb34adca5a843a126 upstream.

We already check if the chosen starting offset for the buffer IDs fit
within an unsigned short, as 65535 is the maximum value for a provided
buffer. But if the caller asks to add N buffers at offset M, and M + N
would exceed the size of the unsigned short, we simply add buffers with
wrapping around the ID.

This is not necessarily a bug and could in fact be a valid use case, but
it seems confusing and inconsistent with the initial check for starting
offset. Let's check for wrap consistently, and error the addition if we
do need to wrap.

Reported-by: Olivier Langlois <olivier@xxxxxxxxxxxxxx>
Link: https://github.com/axboe/liburing/issues/726
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Jens Axboe <axboe@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 io_uring/kbuf.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/io_uring/kbuf.c
+++ b/io_uring/kbuf.c
@@ -346,6 +346,8 @@ int io_provide_buffers_prep(struct io_ki
 	tmp = READ_ONCE(sqe->off);
 	if (tmp > USHRT_MAX)
 		return -E2BIG;
+	if (tmp + p->nbufs >= USHRT_MAX)
+		return -EINVAL;
 	p->bid = tmp;
 	return 0;
 }


Patches currently in stable-queue which might be from axboe@xxxxxxxxx are

queue-6.0/io_uring-check-for-rollover-of-buffer-id-when-providing-buffers.patch






