Commit 88027663 authored by Pavel Begunkov's avatar Pavel Begunkov Committed by Jens Axboe
Browse files

io_uring/kbuf: reallocate buf lists on upgrade 



IORING_REGISTER_PBUF_RING can reuse an old struct io_buffer_list if it
was created for legacy selected buffer and has been emptied. It violates
the requirement that most of the field should stay stable after publish.
Always reallocate it instead.

Cc: stable@vger.kernel.org
Reported-by: default avatarPumpkin Chang <pumpkin@devco.re>
Fixes: 2fcabce2 ("io_uring: disallow mixed provided buffer group registrations")
Signed-off-by: default avatarPavel Begunkov <asml.silence@gmail.com>
Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
parent 06521ac0

io_uring/kbuf.c

+12 −4
Original line number Diff line number Diff line
@@ -415,6 +415,13 @@ void io_destroy_buffers(struct io_ring_ctx *ctx) 
	}

}



static void io_destroy_bl(struct io_ring_ctx *ctx, struct io_buffer_list *bl)

{

	scoped_guard(mutex, &ctx->mmap_lock)

		WARN_ON_ONCE(xa_erase(&ctx->io_bl_xa, bl->bgid) != bl);

	io_put_bl(ctx, bl);

}



int io_remove_buffers_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)

{

	struct io_provide_buf *p = io_kiocb_to_cmd(req, struct io_provide_buf);
@@ -636,11 +643,12 @@ int io_register_pbuf_ring(struct io_ring_ctx *ctx, void __user *arg) 
		/* if mapped buffer ring OR classic exists, don't allow */

		if (bl->flags & IOBL_BUF_RING || !list_empty(&bl->buf_list))

			return -EEXIST;

	} else {

		io_destroy_bl(ctx, bl);

	}



	free_bl = bl = kzalloc(sizeof(*bl), GFP_KERNEL);

	if (!bl)

		return -ENOMEM;

	}



	mmap_offset = (unsigned long)reg.bgid << IORING_OFF_PBUF_SHIFT;

	ring_size = flex_array_size(br, bufs, reg.ring_entries);