[PATCH 5.10] io_uring: fix recvmsg setup with compat buf-select

[PATCH 5.10] io_uring: fix recvmsg setup with compat buf-select

[Pavel Begunkov]

__io_compat_recvmsg_copy_hdr() with REQ_F_BUFFER_SELECT reads out iov
len but never assigns it to iov/fast_iov, leaving sr->len with garbage.
Hopefully, following io_buffer_select() truncates it to the selected
buffer size, but the value is still may be under what was specified.

Cc: <stable@vger.kernel.org> # 5.7
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
---
 fs/io_uring.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 1023f7b44cea..a2a7c65a77aa 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -4499,7 +4499,8 @@ static int __io_compat_recvmsg_copy_hdr(struct io_kiocb *req,
 			return -EFAULT;
 		if (clen < 0)
 			return -EINVAL;
-		sr->len = iomsg->iov[0].iov_len;
+		sr->len = clen;
+		iomsg->iov[0].iov_len = clen;
 		iomsg->iov = NULL;
 	} else {
 		ret = __import_iovec(READ, (struct iovec __user *)uiov, len,
-- 
2.24.0

Re: [PATCH 5.10] io_uring: fix recvmsg setup with compat buf-select

[Jens Axboe]

On 11/29/20 11:33 AM, Pavel Begunkov wrote:
> __io_compat_recvmsg_copy_hdr() with REQ_F_BUFFER_SELECT reads out iov
> len but never assigns it to iov/fast_iov, leaving sr->len with garbage.
> Hopefully, following io_buffer_select() truncates it to the selected
> buffer size, but the value is still may be under what was specified.

Applied, thanks.

-- 
Jens Axboe

Re: [PATCH 5.10] io_uring: fix recvmsg setup with compat buf-select

[Pavel Begunkov]

On 30/11/2020 18:12, Jens Axboe wrote:
> On 11/29/20 11:33 AM, Pavel Begunkov wrote:
>> __io_compat_recvmsg_copy_hdr() with REQ_F_BUFFER_SELECT reads out iov
>> len but never assigns it to iov/fast_iov, leaving sr->len with garbage.
>> Hopefully, following io_buffer_select() truncates it to the selected
>> buffer size, but the value is still may be under what was specified.
> 
> Applied, thanks.

Jens, apologies but where did it go? Can't find at git.kernel.dk

-- 
Pavel Begunkov

Re: [PATCH 5.10] io_uring: fix recvmsg setup with compat buf-select

[Jens Axboe]

On 12/2/20 3:04 PM, Pavel Begunkov wrote:
> On 30/11/2020 18:12, Jens Axboe wrote:
>> On 11/29/20 11:33 AM, Pavel Begunkov wrote:
>>> __io_compat_recvmsg_copy_hdr() with REQ_F_BUFFER_SELECT reads out iov
>>> len but never assigns it to iov/fast_iov, leaving sr->len with garbage.
>>> Hopefully, following io_buffer_select() truncates it to the selected
>>> buffer size, but the value is still may be under what was specified.
>>
>> Applied, thanks.
> 
> Jens, apologies but where did it go? Can't find at git.kernel.dk

Looks like I forgot to push it out, but it did get applied to
io_uring-5.10. My git box is having an issue right now, so can't even
push it out... Will do so tomorrow morning.

-- 
Jens Axboe

Re: [PATCH 5.10] io_uring: fix recvmsg setup with compat buf-select

[Pavel Begunkov]

On 02/12/2020 23:24, Jens Axboe wrote:
> On 12/2/20 3:04 PM, Pavel Begunkov wrote:
>> On 30/11/2020 18:12, Jens Axboe wrote:
>>> On 11/29/20 11:33 AM, Pavel Begunkov wrote:
>>>> __io_compat_recvmsg_copy_hdr() with REQ_F_BUFFER_SELECT reads out iov
>>>> len but never assigns it to iov/fast_iov, leaving sr->len with garbage.
>>>> Hopefully, following io_buffer_select() truncates it to the selected
>>>> buffer size, but the value is still may be under what was specified.
>>>
>>> Applied, thanks.
>>
>> Jens, apologies but where did it go? Can't find at git.kernel.dk
> 
> Looks like I forgot to push it out, but it did get applied to
> io_uring-5.10. My git box is having an issue right now, so can't even
> push it out... Will do so tomorrow morning.

That's ok, just trying to keep track. Sorry for bothering

-- 
Pavel Begunkov