Re: [PATCH] io_uring/rsrc: reject zero-length fixed buffer import

Next message: Nicolas Schier: "Re: [PATCH v2] kbuild: add GCC stability warning"
Previous message: kernel test robot: "Warning: drivers/android/binder/rust_binderfs.c:229 function parameter 'arg' not described in 'binder_ctl_ioctl'"
In reply to: Qi Tang: "[PATCH] io_uring/rsrc: reject zero-length fixed buffer import"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jens Axboe

Date: Sun Mar 29 2026 - 16:05:19 EST

On Mon, 30 Mar 2026 00:49:36 +0800, Qi Tang wrote:
> validate_fixed_range() admits buf_addr at the exact end of the
> registered region when len is zero, because the check uses strict
> greater-than (buf_end > imu->ubuf + imu->len). io_import_fixed()
> then computes offset == imu->len, which causes the bvec skip logic
> to advance past the last bio_vec entry and read bv_offset from
> out-of-bounds slab memory.
>
> [...]

Applied, thanks!

[1/1] io_uring/rsrc: reject zero-length fixed buffer import
commit: 111a12b422a8cfa93deabaef26fec48237163214

Best regards,
--
Jens Axboe