io_uring/kbuf: sanitize peek buffer setup
Harden the buffer peeking a bit, by adding a sanity check for it having
a valid size. Outside of that, arg->max_len is a size_t, though it's
only ever set to a 32-bit value (as it's governed by MAX_RW_COUNT).
Bump our needed check to a size_t so we know it fits. Finally, cap the
calculated needed iov value to the PEEK_MAX_IMPORT, which is the
maximum number of segments that should be peeked.
Fixes: 35c8711c8f
("io_uring/kbuf: add helpers for getting/peeking multiple buffers")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
This commit is contained in:
parent
1fc2ac428e
commit
e0ee967630
@ -218,10 +218,13 @@ static int io_ring_buffers_peek(struct io_kiocb *req, struct buf_sel_arg *arg,
|
||||
|
||||
buf = io_ring_head_to_buf(br, head, bl->mask);
|
||||
if (arg->max_len) {
|
||||
int needed;
|
||||
u32 len = READ_ONCE(buf->len);
|
||||
size_t needed;
|
||||
|
||||
needed = (arg->max_len + buf->len - 1) / buf->len;
|
||||
needed = min(needed, PEEK_MAX_IMPORT);
|
||||
if (unlikely(!len))
|
||||
return -ENOBUFS;
|
||||
needed = (arg->max_len + len - 1) / len;
|
||||
needed = min_not_zero(needed, (size_t) PEEK_MAX_IMPORT);
|
||||
if (nr_avail > needed)
|
||||
nr_avail = needed;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user