Patch "io_uring: fix size calculation when registering buf ring" has been added to the 6.2-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Fri, 10 Mar 2023 05:37:51 -0500

This is a note to let you know that I've just added the patch titled

    io_uring: fix size calculation when registering buf ring

to the 6.2-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     io_uring-fix-size-calculation-when-registering-buf-r.patch
and it can be found in the queue-6.2 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 23b1a6e0e36ae4dcad83d9f061ce6cfc5358e46b
Author: Wojciech Lukowicz <wlukowicz01@xxxxxxxxx>
Date:   Sat Feb 18 18:41:41 2023 +0000

    io_uring: fix size calculation when registering buf ring
    
    [ Upstream commit 48ba08374e779421ca34bd14b4834aae19fc3e6a ]
    
    Using struct_size() to calculate the size of io_uring_buf_ring will sum
    the size of the struct and of the bufs array. However, the struct's fields
    are overlaid with the array making the calculated size larger than it
    should be.
    
    When registering a ring with N * PAGE_SIZE / sizeof(struct io_uring_buf)
    entries, i.e. with fully filled pages, the calculated size will span one
    more page than it should and io_uring will try to pin the following page.
    Depending on how the application allocated the ring, it might succeed
    using an unrelated page or fail returning EFAULT.
    
    The size of the ring should be the product of ring_entries and the size
    of io_uring_buf, i.e. the size of the bufs array only.
    
    Fixes: c7fb19428d67 ("io_uring: add support for ring mapped supplied buffers")
    Signed-off-by: Wojciech Lukowicz <wlukowicz01@xxxxxxxxx>
    Reviewed-by: Gabriel Krisman Bertazi <krisman@xxxxxxx>
    Link: https://lore.kernel.org/r/20230218184141.70891-1-wlukowicz01@xxxxxxxxx
    Signed-off-by: Jens Axboe <axboe@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/io_uring/kbuf.c b/io_uring/kbuf.c
index 4a6401080c1f8..3002dc8271959 100644
--- a/io_uring/kbuf.c
+++ b/io_uring/kbuf.c
@@ -505,7 +505,7 @@ int io_register_pbuf_ring(struct io_ring_ctx *ctx, void __user *arg)
 	}
 
 	pages = io_pin_pages(reg.ring_addr,
-			     struct_size(br, bufs, reg.ring_entries),
+			     flex_array_size(br, bufs, reg.ring_entries),
 			     &nr_pages);
 	if (IS_ERR(pages)) {
 		kfree(free_bl);






