This is a note to let you know that I've just added the patch titled io_uring/kbuf: Fix check of BID wrapping in provided buffers to the 6.6-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: io_uring-kbuf-fix-check-of-bid-wrapping-in-provided-.patch and it can be found in the queue-6.6 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. commit 7312e55b720aeb10da92bbb3b377212ca6090a6b Author: Gabriel Krisman Bertazi <krisman@xxxxxxx> Date: Wed Oct 4 20:05:29 2023 -0400 io_uring/kbuf: Fix check of BID wrapping in provided buffers [ Upstream commit ab69838e7c75b0edb699c1a8f42752b30333c46f ] Commit 3851d25c75ed0 ("io_uring: check for rollover of buffer ID when providing buffers") introduced a check to prevent wrapping the BID counter when sqe->off is provided, but it's off-by-one too restrictive, rejecting the last possible BID (65534). i.e., the following fails with -EINVAL. io_uring_prep_provide_buffers(sqe, addr, size, 0xFFFF, 0, 0); Fixes: 3851d25c75ed ("io_uring: check for rollover of buffer ID when providing buffers") Signed-off-by: Gabriel Krisman Bertazi <krisman@xxxxxxx> Link: https://lore.kernel.org/r/20231005000531.30800-2-krisman@xxxxxxx Signed-off-by: Jens Axboe <axboe@xxxxxxxxx> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> diff --git a/io_uring/kbuf.c b/io_uring/kbuf.c index 9123138aa9f48..74a4f9600642f 100644 --- a/io_uring/kbuf.c +++ b/io_uring/kbuf.c @@ -352,7 +352,7 @@ int io_provide_buffers_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe tmp = READ_ONCE(sqe->off); if (tmp > USHRT_MAX) return -E2BIG; - if (tmp + p->nbufs >= USHRT_MAX) + if (tmp + p->nbufs > USHRT_MAX) return -EINVAL; p->bid = tmp; return 0;
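Review bot: the corrected bound at `if (tmp + p->nbufs > USHRT_MAX)` carries no comment saying which buffer IDs it is meant to admit, and that ambiguity is what let the earlier off-by-one through. With this condition the highest ID a request can cover is tmp + p->nbufs - 1, so 65534 is accepted (the case in the commit message, 0xFFFF buffers starting at ID 0), while any range that would reach ID 65535 is still rejected with -EINVAL. A one-line comment above the check stating that boundary would help, and the `io_uring_prep_provide_buffers(sqe, addr, size, 0xFFFF, 0, 0)` call from the commit message would make a good regression test, paired with a case one past the limit that must still fail. The comparison also relies on tmp and p->nbufs being wide enough that the sum cannot wrap before it is compared; their declarations are outside this hunk, so that is worth confirming in the 6.6 tree when backporting.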