From patchwork Mon Jun 13 10:11:55 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dylan Yudaken X-Patchwork-Id: 12879278 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 37854CCA47B for ; Mon, 13 Jun 2022 10:12:18 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229926AbiFMKMR (ORCPT ); Mon, 13 Jun 2022 06:12:17 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53408 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230509AbiFMKMP (ORCPT ); Mon, 13 Jun 2022 06:12:15 -0400 Received: from mx0b-00082601.pphosted.com (mx0b-00082601.pphosted.com [67.231.153.30]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8E462118 for ; Mon, 13 Jun 2022 03:12:13 -0700 (PDT) Received: from pps.filterd (m0109331.ppops.net [127.0.0.1]) by mx0a-00082601.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 25CMw8Pu015303 for ; Mon, 13 Jun 2022 03:12:12 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=facebook; bh=FEJ9cV9D2JqkfKjBRINWLlNmpSiGIlxGX0X5mdkJGvM=; b=jvtWBzKS4KNB0N/SAAask6NogC3tT09v+bLqmfaz8DhRXDala4mfpK0/x9D73w6AeeeL Dyb6itZSpvnX0U6wk29DJByXl6IDLjHFn9hhvZNXjzjjECNcFBZczuL7kLEBnMNl9z1U S2zoKNany7kowepq2jJ/TM1p5JJteFAAPFA= Received: from mail.thefacebook.com ([163.114.132.120]) by mx0a-00082601.pphosted.com (PPS) with ESMTPS id 3gmrvuyckb-3 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Mon, 13 Jun 2022 03:12:12 -0700 Received: from twshared25107.07.ash9.facebook.com (2620:10d:c085:108::8) by mail.thefacebook.com (2620:10d:c085:11d::4) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.28; Mon, 13 Jun 2022 03:12:11 -0700 Received: by devbig038.lla2.facebook.com (Postfix, from userid 572232) id 1C4D21992ADF; Mon, 13 Jun 2022 03:12:04 -0700 (PDT) From: Dylan Yudaken To: , , CC: , Dylan Yudaken Subject: [PATCH 1/3] io_uring: fix index calculation Date: Mon, 13 Jun 2022 03:11:55 -0700 Message-ID: <20220613101157.3687-2-dylany@fb.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20220613101157.3687-1-dylany@fb.com> References: <20220613101157.3687-1-dylany@fb.com> MIME-Version: 1.0 X-FB-Internal: Safe X-Proofpoint-ORIG-GUID: oxXYp8-UK769HmjVXmbZ9q0VhWGscUuL X-Proofpoint-GUID: oxXYp8-UK769HmjVXmbZ9q0VhWGscUuL X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.874,Hydra:6.0.517,FMLib:17.11.64.514 definitions=2022-06-13_03,2022-06-13_01,2022-02-23_01 Precedence: bulk List-ID: X-Mailing-List: io-uring@vger.kernel.org When indexing into a provided buffer ring, do not subtract 1 from the index. Fixes: c7fb19428d67 ("io_uring: add support for ring mapped supplied buffers") Signed-off-by: Dylan Yudaken --- fs/io_uring.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/io_uring.c b/fs/io_uring.c index 3aab4182fd89..9cf9aff51b70 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -3888,7 +3888,7 @@ static void __user *io_ring_buffer_select(struct io_kiocb *req, size_t *len, buf = &br->bufs[head]; } else { int off = head & (IO_BUFFER_LIST_BUF_PER_PAGE - 1); - int index = head / IO_BUFFER_LIST_BUF_PER_PAGE - 1; + int index = head / IO_BUFFER_LIST_BUF_PER_PAGE; buf = page_address(bl->buf_pages[index]); buf += off; } From patchwork Mon Jun 13 10:11:56 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dylan Yudaken X-Patchwork-Id: 12879279 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5EB06C433EF for ; Mon, 13 Jun 2022 10:12:19 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233425AbiFMKMR (ORCPT ); Mon, 13 Jun 2022 06:12:17 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53420 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231939AbiFMKMQ (ORCPT ); Mon, 13 Jun 2022 06:12:16 -0400 Received: from mx0a-00082601.pphosted.com (mx0a-00082601.pphosted.com [67.231.145.42]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9C325B64 for ; Mon, 13 Jun 2022 03:12:15 -0700 (PDT) Received: from pps.filterd (m0109334.ppops.net [127.0.0.1]) by mx0a-00082601.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 25D0dbn9025898 for ; Mon, 13 Jun 2022 03:12:15 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=facebook; bh=7k49VHVzCemj5iULkw4lLhqJCt4ZT/QP9b9yqSYpM+k=; b=j/ZKijvWz3b5PKVDvjLnf+tgUkFGphm4Jc8h+2Jm/KUJDBcvqIL4A8vFzZZ7iypMor+c 95HFvRGmkculSdKwTcIH3UbRk6EpBnj2akqh5iz3qgPguHoPLRXdjkGZV5UMF5OxT1sZ EAHp9E+GZ7xaZkDUgutp0C2mNKLJEe4LbUI= Received: from mail.thefacebook.com ([163.114.132.120]) by mx0a-00082601.pphosted.com (PPS) with ESMTPS id 3gmtc3y5kt-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Mon, 13 Jun 2022 03:12:15 -0700 Received: from twshared25107.07.ash9.facebook.com (2620:10d:c085:108::4) by mail.thefacebook.com (2620:10d:c085:21d::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.28; Mon, 13 Jun 2022 03:12:14 -0700 Received: by devbig038.lla2.facebook.com (Postfix, from userid 572232) id 28E6B1992AE1; Mon, 13 Jun 2022 03:12:04 -0700 (PDT) From: Dylan Yudaken To: , , CC: , Dylan Yudaken Subject: [PATCH 2/3] io_uring: fix types in provided buffer ring Date: Mon, 13 Jun 2022 03:11:56 -0700 Message-ID: <20220613101157.3687-3-dylany@fb.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20220613101157.3687-1-dylany@fb.com> References: <20220613101157.3687-1-dylany@fb.com> MIME-Version: 1.0 X-FB-Internal: Safe X-Proofpoint-GUID: 0dCiq4U9K1_gJLEMMCXrz8h6qhl0almr X-Proofpoint-ORIG-GUID: 0dCiq4U9K1_gJLEMMCXrz8h6qhl0almr X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.874,Hydra:6.0.517,FMLib:17.11.64.514 definitions=2022-06-13_03,2022-06-13_01,2022-02-23_01 Precedence: bulk List-ID: X-Mailing-List: io-uring@vger.kernel.org The type of head needs to match that of tail in order for rollover and comparisons to work correctly. Without this change the comparison of tail to head might incorrectly allow io_uring to use a buffer that userspace had not given it. Fixes: c7fb19428d67 ("io_uring: add support for ring mapped supplied buffers") Signed-off-by: Dylan Yudaken --- fs/io_uring.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fs/io_uring.c b/fs/io_uring.c index 9cf9aff51b70..6eea18e8330c 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -298,8 +298,8 @@ struct io_buffer_list { /* below is for ring provided buffers */ __u16 buf_nr_pages; __u16 nr_entries; - __u32 head; - __u32 mask; + __u16 head; + __u16 mask; }; struct io_buffer { @@ -3876,7 +3876,7 @@ static void __user *io_ring_buffer_select(struct io_kiocb *req, size_t *len, { struct io_uring_buf_ring *br = bl->buf_ring; struct io_uring_buf *buf; - __u32 head = bl->head; + __u16 head = bl->head; if (unlikely(smp_load_acquire(&br->tail) == head)) { io_ring_submit_unlock(req->ctx, issue_flags); From patchwork Mon Jun 13 10:11:57 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dylan Yudaken X-Patchwork-Id: 12879276 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 79D0DC43334 for ; Mon, 13 Jun 2022 10:12:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231868AbiFMKMQ (ORCPT ); Mon, 13 Jun 2022 06:12:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53406 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229993AbiFMKMP (ORCPT ); Mon, 13 Jun 2022 06:12:15 -0400 Received: from mx0a-00082601.pphosted.com (mx0a-00082601.pphosted.com [67.231.145.42]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EF110D4 for ; Mon, 13 Jun 2022 03:12:11 -0700 (PDT) Received: from pps.filterd (m0109333.ppops.net [127.0.0.1]) by mx0a-00082601.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 25CMWFib005948 for ; Mon, 13 Jun 2022 03:12:11 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=facebook; bh=evt6BDUNCKiS5p0xMpEaS2ol5gixJRI78MJuU+RLgpU=; b=VYk+kxQc9BbmGchzBol+Rku8hhSjWMXrWk+HI9H73Yfmx+CB7s33lhE9TOxzzhdegD4p JQ2Da694uXLS56UmbEerGrW8lycJwQzr5m3X5zaH9nABUdCocSN5sEHKatDTb8XdvXSl jI3LMz6EI9ZMDf+5mGkuQTuR8HgdDbJmNaI= Received: from mail.thefacebook.com ([163.114.132.120]) by mx0a-00082601.pphosted.com (PPS) with ESMTPS id 3gmq3kfmyk-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Mon, 13 Jun 2022 03:12:11 -0700 Received: from twshared5131.09.ash9.facebook.com (2620:10d:c085:108::8) by mail.thefacebook.com (2620:10d:c085:11d::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.28; Mon, 13 Jun 2022 03:12:10 -0700 Received: by devbig038.lla2.facebook.com (Postfix, from userid 572232) id 2F3311992AE3; Mon, 13 Jun 2022 03:12:04 -0700 (PDT) From: Dylan Yudaken To: , , CC: , Dylan Yudaken Subject: [PATCH 3/3] io_uring: limit size of provided buffer ring Date: Mon, 13 Jun 2022 03:11:57 -0700 Message-ID: <20220613101157.3687-4-dylany@fb.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20220613101157.3687-1-dylany@fb.com> References: <20220613101157.3687-1-dylany@fb.com> MIME-Version: 1.0 X-FB-Internal: Safe X-Proofpoint-GUID: PeISm6RUPqARufjAzQHP9aQg4xxxn9bb X-Proofpoint-ORIG-GUID: PeISm6RUPqARufjAzQHP9aQg4xxxn9bb X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.874,Hydra:6.0.517,FMLib:17.11.64.514 definitions=2022-06-13_03,2022-06-13_01,2022-02-23_01 Precedence: bulk List-ID: X-Mailing-List: io-uring@vger.kernel.org The type of head and tail do not allow more than 2^15 entries in a provided buffer ring, so do not allow this. At 2^16 while each entry can be indexed, there is no way to disambiguate full vs empty. Signed-off-by: Dylan Yudaken --- fs/io_uring.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/io_uring.c b/fs/io_uring.c index 6eea18e8330c..85b116ddfd2a 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -13002,6 +13002,10 @@ static int io_register_pbuf_ring(struct io_ring_ctx *ctx, void __user *arg) if (!is_power_of_2(reg.ring_entries)) return -EINVAL; + /* cannot disambiguate full vs empty due to head/tail size */ + if (reg.ring_entries >= 65536) + return -EINVAL; + if (unlikely(reg.bgid < BGID_ARRAY && !ctx->io_bl)) { int ret = io_init_bl_list(ctx); if (ret)