| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <tencent_87B68C160DC3F4AE06BD6DF0349B1B235E05@qq.com>
Date: Thu, 28 Aug 2025 10:49:00 +0800
From: Qingyue Zhang <chunzhennn@...com>
To: axboe@...nel.dk
Cc: aftern00n@...com,
chunzhennn@...com,
io-uring@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/2] io_uring/kbuf: fix infinite loop in io_kbuf_inc_commit()
On Wed, 27 Aug 2025 20:08:05 -0600, Jens Axboe wrote:
> I don't think there's anything wrong with the looping and stopping at
> the other end is of course a safe guard, but couldn't we just abort the
> loop if we see a 0 sized buffer? At that point we know the buffer is
> invalid, or the kernel is buggy, and it'd be saner to stop at that
> point. Something ala:
>
>
> diff --git a/io_uring/kbuf.c b/io_uring/kbuf.c
> index 394037d3f2f6..19a8bde5e1e1 100644
> --- a/io_uring/kbuf.c
> +++ b/io_uring/kbuf.c
> @@ -42,7 +42,8 @@ static bool io_kbuf_inc_commit(struct io_buffer_list *bl, int len)
> buf_len = READ_ONCE(buf->len);
> this_len = min_t(u32, len, buf_len);
> buf_len -= this_len;
> - if (buf_len) {
> + /* Stop looping for invalid buffer length of 0 */
> + if (buf_len || !this_len) {
> buf->addr += this_len;
> buf->len = buf_len;
> return false;
Good idea, it looks nice to me.
Powered by blists - more mailing lists