Commit 6bc9199d authored by Gabriel Krisman Bertazi's avatar Gabriel Krisman Bertazi Committed by Jens Axboe
Browse files

io_uring: Allocate only necessary memory in io_probe 



We write at most IORING_OP_LAST entries in the probe buffer, so we don't
need to allocate temporary space for more than that.  As a side effect,
we no longer can overflow "size".

Signed-off-by: default avatarGabriel Krisman Bertazi <krisman@suse.de>
Link: https://lore.kernel.org/r/20240619020620.5301-3-krisman@suse.de


Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
parent 3e05b222

io_uring/register.c

+3 −4
Original line number Diff line number Diff line
@@ -39,9 +39,10 @@ static __cold int io_probe(struct io_ring_ctx *ctx, void __user *arg, 
	size_t size;

	int i, ret;



	if (nr_args > IORING_OP_LAST)

		nr_args = IORING_OP_LAST;



	size = struct_size(p, ops, nr_args);

	if (size == SIZE_MAX)

		return -EOVERFLOW;

	p = kzalloc(size, GFP_KERNEL);

	if (!p)

		return -ENOMEM;
@@ -54,8 +55,6 @@ static __cold int io_probe(struct io_ring_ctx *ctx, void __user *arg, 
		goto out;



	p->last_op = IORING_OP_LAST - 1;

	if (nr_args > IORING_OP_LAST)

		nr_args = IORING_OP_LAST;



	for (i = 0; i < nr_args; i++) {

		p->ops[i].op = i;