Message ID | 70a236ff44cc9361ed03ebcd9c361864efdf8dc3.1606674793.git.asml.silence@gmail.com |
---|---|
State | Accepted |
Commit | 2d280bc8930ba9ed1705cfd548c6c8924949eaf1 |
Series | [5.10] io_uring: fix recvmsg setup with compat buf-select |

On 11/29/20 11:33 AM, Pavel Begunkov wrote:
> __io_compat_recvmsg_copy_hdr() with REQ_F_BUFFER_SELECT reads out iov
> len but never assigns it to iov/fast_iov, leaving sr->len with garbage.
> Hopefully, following io_buffer_select() truncates it to the selected
> buffer size, but the value is still may be under what was specified.

Applied, thanks.

--
Jens Axboe

On 30/11/2020 18:12, Jens Axboe wrote:
> On 11/29/20 11:33 AM, Pavel Begunkov wrote:
>> __io_compat_recvmsg_copy_hdr() with REQ_F_BUFFER_SELECT reads out iov
>> len but never assigns it to iov/fast_iov, leaving sr->len with garbage.
>> Hopefully, following io_buffer_select() truncates it to the selected
>> buffer size, but the value is still may be under what was specified.
>
> Applied, thanks.

Jens, apologies but where did it go? Can't find at git.kernel.dk

--
Pavel Begunkov

On 12/2/20 3:04 PM, Pavel Begunkov wrote:
> On 30/11/2020 18:12, Jens Axboe wrote:
>> On 11/29/20 11:33 AM, Pavel Begunkov wrote:
>>> __io_compat_recvmsg_copy_hdr() with REQ_F_BUFFER_SELECT reads out iov
>>> len but never assigns it to iov/fast_iov, leaving sr->len with garbage.
>>> Hopefully, following io_buffer_select() truncates it to the selected
>>> buffer size, but the value is still may be under what was specified.
>>
>> Applied, thanks.
>
> Jens, apologies but where did it go? Can't find at git.kernel.dk

Looks like I forgot to push it out, but it did get applied to
io_uring-5.10. My git box is having an issue right now, so can't even
push it out... Will do so tomorrow morning.

--
Jens Axboe

On 02/12/2020 23:24, Jens Axboe wrote:
> On 12/2/20 3:04 PM, Pavel Begunkov wrote:
>> On 30/11/2020 18:12, Jens Axboe wrote:
>>> On 11/29/20 11:33 AM, Pavel Begunkov wrote:
>>>> __io_compat_recvmsg_copy_hdr() with REQ_F_BUFFER_SELECT reads out iov
>>>> len but never assigns it to iov/fast_iov, leaving sr->len with garbage.
>>>> Hopefully, following io_buffer_select() truncates it to the selected
>>>> buffer size, but the value is still may be under what was specified.
>>>
>>> Applied, thanks.
>>
>> Jens, apologies but where did it go? Can't find at git.kernel.dk
>
> Looks like I forgot to push it out, but it did get applied to
> io_uring-5.10. My git box is having an issue right now, so can't even
> push it out... Will do so tomorrow morning.

That's ok, just trying to keep track. Sorry for bothering

--
Pavel Begunkov

diff --git a/fs/io_uring.c b/fs/io_uring.c index 1023f7b44cea..a2a7c65a77aa 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -4499,7 +4499,8 @@ static int __io_compat_recvmsg_copy_hdr(struct io_kiocb *req, return -EFAULT; if (clen < 0) return -EINVAL; - sr->len = iomsg->iov[0].iov_len; + sr->len = clen; + iomsg->iov[0].iov_len = clen; iomsg->iov = NULL; } else { ret = __import_iovec(READ, (struct iovec __user *)uiov, len,
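
Review bot: The added store `iomsg->iov[0].iov_len = clen;` sits on the line directly before `iomsg->iov = NULL;`, so it only has an effect if iomsg->iov still points at storage that is read after the pointer is cleared (the commit message names iov/fast_iov), and nothing in the hunk says so. A one-line comment naming that storage and its later reader would keep the store from being removed as dead code. Separately, clen is only checked with `if (clen < 0)` before it becomes sr->len, so the upper bound rests entirely on the later io_buffer_select() truncation that the commit message describes; it would help to state that dependency in the same comment.
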
__io_compat_recvmsg_copy_hdr() with REQ_F_BUFFER_SELECT reads out iov
len but never assigns it to iov/fast_iov, leaving sr->len with garbage.
Hopefully, following io_buffer_select() truncates it to the selected
buffer size, but the value is still may be under what was specified.

Cc: <stable@vger.kernel.org> # 5.7
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
---
 fs/io_uring.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)