Commit febfbf76 authored Dec 04, 2024 by Colin Ian King Committed by Jens Axboe Dec 23, 2024

io_uring/kbuf: fix unintentional sign extension on shift of reg.bgid



Shifting reg.bgid << IORING_OFF_PBUF_SHIFT results in a promotion
from __u16 to a 32 bit signed integer, this is then sign extended
to a 64 bit unsigned long on 64 bit architectures. If reg.bgid is
greater than 0x7fff then this leads to a sign extended result where
all the upper 32 bits of mmap_offset are set to 1. Fix this by
casting reg.bgid to the same type as mmap_offset before performing
the shift.

Fixes: ef62de3c ("io_uring/kbuf: use region api for pbuf rings")
Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
Link: https://lore.kernel.org/r/20241204153923.401674-1-colin.i.king@gmail.com


Signed-off-by: Jens Axboe <axboe@kernel.dk>

parent 546d1914

io_uring/kbuf.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -640,7 +640,7 @@ int io_register_pbuf_ring(struct io_ring_ctx ctx, void __user arg)
		return -ENOMEM;
		}

		mmap_offset = reg.bgid << IORING_OFF_PBUF_SHIFT;
		mmap_offset = (unsigned long)reg.bgid << IORING_OFF_PBUF_SHIFT;
		ring_size = flex_array_size(br, bufs, reg.ring_entries);

		memset(&rd, 0, sizeof(rd));