Patch "io_uring: don't allow IORING_SETUP_NO_MMAP rings on highmem pages" has been added to the 6.5-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Sat, 07 Oct 2023 14:44:06 +0200

This is a note to let you know that I've just added the patch titled

    io_uring: don't allow IORING_SETUP_NO_MMAP rings on highmem pages

to the 6.5-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     io_uring-don-t-allow-ioring_setup_no_mmap-rings-on-highmem-pages.patch
and it can be found in the queue-6.5 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 223ef474316466e9f61f6e0064f3a6fe4923a2c5 Mon Sep 17 00:00:00 2001
From: Jens Axboe <axboe@xxxxxxxxx>
Date: Tue, 3 Oct 2023 09:59:58 -0600
Subject: io_uring: don't allow IORING_SETUP_NO_MMAP rings on highmem pages

From: Jens Axboe <axboe@xxxxxxxxx>

commit 223ef474316466e9f61f6e0064f3a6fe4923a2c5 upstream.

On at least arm32, but presumably any arch with highmem, if the
application passes in memory that resides in highmem for the rings,
then we should fail that ring creation. We fail it with -EINVAL, which
is what kernels that don't support IORING_SETUP_NO_MMAP will do as well.

Cc: stable@xxxxxxxxxxxxxxx
Fixes: 03d89a2de25b ("io_uring: support for user allocated memory for rings/sqes")
Signed-off-by: Jens Axboe <axboe@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 io_uring/io_uring.c |   16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -2678,7 +2678,7 @@ static void *__io_uaddr_map(struct page
 {
 	struct page **page_array;
 	unsigned int nr_pages;
-	int ret;
+	int ret, i;
 
 	*npages = 0;
 
@@ -2708,6 +2708,20 @@ err:
 	 */
 	if (page_array[0] != page_array[ret - 1])
 		goto err;
+
+	/*
+	 * Can't support mapping user allocated ring memory on 32-bit archs
+	 * where it could potentially reside in highmem. Just fail those with
+	 * -EINVAL, just like we did on kernels that didn't support this
+	 * feature.
+	 */
+	for (i = 0; i < nr_pages; i++) {
+		if (PageHighMem(page_array[i])) {
+			ret = -EINVAL;
+			goto err;
+		}
+	}
+
 	*pages = page_array;
 	*npages = nr_pages;
 	return page_to_virt(page_array[0]);


Patches currently in stable-queue which might be from axboe@xxxxxxxxx are

queue-6.5/io_uring-don-t-allow-ioring_setup_no_mmap-rings-on-highmem-pages.patch
queue-6.5/io_uring-ensure-io_lockdep_assert_cq_locked-handles-disabled-rings.patch
queue-6.5/io_uring-kbuf-don-t-allow-registered-buffer-rings-on-highmem-pages.patch






