tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

io_uring/kbuf: always use READ_ONCE() to read ring provided buffer lengths

Since the buffers are mapped from userspace, it is prudent to use
READ_ONCE() to read the value into a local variable, and use that for
any other actions taken. Having a stable read of the buffer length
avoids worrying about it changing after checking, or being read multiple
times.

Similarly, the buffer may well change in between it being picked and
being committed. Ensure the looping for incremental ring buffer commit
stops if it hits a zero sized buffer, as no further progress can be made
at that point.

Fixes: ae98dbf43d75 ("io_uring/kbuf: add support for incremental buffer consumption")
Link: https://lore.kernel.org/io-uring/tencent_000C02641F6250C856D0C26228DE29A3D30A@qq.com/
Reported-by: Qingyue Zhang <chunzhennn@qq.com>
Reported-by: Suoxing Zhang <aftern00n@qq.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

Jens Axboe 98b6fa62 c64eff36

+13 -7
+13 -7
io_uring/kbuf.c
··· 36 36 { 37 37 while (len) { 38 38 struct io_uring_buf *buf; 39 - u32 this_len; 39 + u32 buf_len, this_len; 40 40 41 41 buf = io_ring_head_to_buf(bl->buf_ring, bl->head, bl->mask); 42 - this_len = min_t(u32, len, buf->len); 43 - buf->len -= this_len; 44 - if (buf->len) { 42 + buf_len = READ_ONCE(buf->len); 43 + this_len = min_t(u32, len, buf_len); 44 + buf_len -= this_len; 45 + /* Stop looping for invalid buffer length of 0 */ 46 + if (buf_len || !this_len) { 45 47 buf->addr += this_len; 48 + buf->len = buf_len; 46 49 return false; 47 50 } 51 + buf->len = 0; 48 52 bl->head++; 49 53 len -= this_len; 50 54 } ··· 163 159 __u16 tail, head = bl->head; 164 160 struct io_uring_buf *buf; 165 161 void __user *ret; 162 + u32 buf_len; 166 163 167 164 tail = smp_load_acquire(&br->tail); 168 165 if (unlikely(tail == head)) ··· 173 168 req->flags |= REQ_F_BL_EMPTY; 174 169 175 170 buf = io_ring_head_to_buf(br, head, bl->mask); 176 - if (*len == 0 || *len > buf->len) 177 - *len = buf->len; 171 + buf_len = READ_ONCE(buf->len); 172 + if (*len == 0 || *len > buf_len) 173 + *len = buf_len; 178 174 req->flags |= REQ_F_BUFFER_RING | REQ_F_BUFFERS_COMMIT; 179 175 req->buf_list = bl; 180 176 req->buf_index = buf->bid; ··· 271 265 272 266 req->buf_index = buf->bid; 273 267 do { 274 - u32 len = buf->len; 268 + u32 len = READ_ONCE(buf->len); 275 269 276 270 /* truncate end piece, if needed, for non partial buffers */ 277 271 if (len > arg->max_len) {