io_uring: fix off-by one bvec index

Commit Message

Keith Busch Nov. 20, 2023, 10:18 p.m. UTC

From: Keith Busch <kbusch@kernel.org>

If the offset equals the bv_len of the first registered bvec, then the
request does not include any of that first bvec. Skip it so that drivers
don't have to deal with a zero length bvec, which was observed to break
NVMe's PRP list creation.

Signed-off-by: Keith Busch <kbusch@kernel.org>
---
 io_uring/rsrc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Jens Axboe Nov. 20, 2023, 10:22 p.m. UTC | #1

On 11/20/23 3:18 PM, Keith Busch wrote:
> From: Keith Busch <kbusch@kernel.org>
> 
> If the offset equals the bv_len of the first registered bvec, then the
> request does not include any of that first bvec. Skip it so that drivers
> don't have to deal with a zero length bvec, which was observed to break
> NVMe's PRP list creation.

Thanks Keith, that was fast (I sent in the report...). I applied this with
a fixes and stable tag.

Jens Axboe Nov. 21, 2023, 2:42 p.m. UTC | #2

On Mon, 20 Nov 2023 14:18:31 -0800, Keith Busch wrote:
> If the offset equals the bv_len of the first registered bvec, then the
> request does not include any of that first bvec. Skip it so that drivers
> don't have to deal with a zero length bvec, which was observed to break
> NVMe's PRP list creation.
> 
> 

Applied, thanks!

[1/1] io_uring: fix off-by one bvec index
      commit: d6fef34ee4d102be448146f24caf96d7b4a05401

Best regards,

Patch

diff --git a/io_uring/rsrc.c b/io_uring/rsrc.c
index 7034be555334d..f521c5965a933 100644
--- a/io_uring/rsrc.c
+++ b/io_uring/rsrc.c
@@ -1258,7 +1258,7 @@  int io_import_fixed(int ddir, struct iov_iter *iter,
 		 */
 		const struct bio_vec *bvec = imu->bvec;
 
-		if (offset <= bvec->bv_len) {
+		if (offset < bvec->bv_len) {
 			/*
 			 * Note, huge pages buffers consists of one large
 			 * bvec entry and should always go this way. The other