On Sat, 2020-07-11 at 17:31 +0200, Dmitry Vyukov wrote:
> Looking at the code more, I am not sure how it may not corrupt
> memory.
> There definitely should be some combinations where accessing
> sq_entries*sizeof(u32) more memory won't be OK.
> May be worth adding a test that allocates all possible sizes for
> sq/cq
> and fills both rings.

The layout (after the fix) is roughly as follows:

1. struct io_rings - ~192 bytes, maybe 256
2. cqes - (32 << n) bytes
3. sq_array - (4 << n) bytes

The bug was that the sq_array was offset by (4 << n) bytes.

I think issues can only occur when

PAGE_ALIGN(192 + (32 << n) + (4 << n) + (4 << n)) != PAGE_ALIGN(192 + (32 << n) + (4 << n))

It looks like this never happens. We got lucky.
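The following is a userspace model of the sizing discussed in this message, added here as an example; it is not code from the thread or from the kernel. It reproduces rings_size() with and without the sq_array offset bug described above, using the figures from the message (192-byte header, 16-byte cqes so that 2 << n of them give the (32 << n) bytes quoted, 4-byte sq_array slots), and sweeps every power-of-two sq/cq pair with cq >= sq, as Dmitry suggested, to see whether the misplaced sq_array would end past the allocation. Two allocation models are evaluated side by side: the PAGE_ALIGN() comparison stated in the message, and rounding to a power of two of pages, which this example assumes is how the kernel's ring allocation (__get_free_pages() with get_order()) actually behaves; that assumption, the header size and the cq = 2 * sq default used in main() are not established by the message itself.

```c
/* Userspace model of io_uring ring sizing (added example, not kernel code). */
#include <stdbool.h>
#include <stdio.h>

#define PAGE_SIZE      4096UL
#define IO_RINGS_HDR   192UL   /* ~sizeof(struct io_rings), figure taken from the message */
#define CQE_SIZE       16UL    /* sizeof(struct io_uring_cqe); 2<<n of them make the (32 << n) bytes */
#define SQ_ARRAY_ELEM  4UL     /* sizeof(u32): one index per sq entry */
#define MAX_SQ_ENTRIES (1U << 15)
#define MAX_CQ_ENTRIES (1U << 16)

struct rings_layout {
	unsigned long total;      /* bytes requested for the rings allocation */
	unsigned long sq_offset;  /* where sq_array starts inside that allocation */
};

/* PAGE_ALIGN(): round up to a page boundary. */
static unsigned long page_align(unsigned long size)
{
	return (size + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);
}

/* Assumed allocator model: __get_free_pages(get_order(size)) hands back 2^order pages. */
static unsigned long order_alloc_size(unsigned long size)
{
	unsigned long alloc = PAGE_SIZE;
	while (alloc < size)
		alloc <<= 1;
	return alloc;
}

/* Model of rings_size(). With buggy=true, sq_offset is set to the total size,
 * i.e. the sq_array lands sq_entries*sizeof(u32) past where it belongs. */
static struct rings_layout rings_size(unsigned sq_entries, unsigned cq_entries, bool buggy)
{
	unsigned long off = IO_RINGS_HDR + CQE_SIZE * cq_entries;
	unsigned long sq_array = SQ_ARRAY_ELEM * sq_entries;
	struct rings_layout l;

	l.total = off + sq_array;
	l.sq_offset = buggy ? l.total : off;
	return l;
}

/* One past the last byte the misplaced sq_array touches. */
static unsigned long buggy_sq_array_end(unsigned sq_entries, unsigned cq_entries)
{
	struct rings_layout l = rings_size(sq_entries, cq_entries, true);
	return l.sq_offset + SQ_ARRAY_ELEM * sq_entries;
}

/* The condition from the message: do the buggy and fixed footprints
 * round to different PAGE_ALIGN()ed sizes? */
bool page_align_differs(unsigned sq_entries, unsigned cq_entries)
{
	struct rings_layout fixed = rings_size(sq_entries, cq_entries, false);
	return page_align(buggy_sq_array_end(sq_entries, cq_entries)) != page_align(fixed.total);
}

/* Does the misplaced sq_array run past a power-of-two-pages allocation sized for the fixed layout? */
bool buggy_overruns_order_alloc(unsigned sq_entries, unsigned cq_entries)
{
	struct rings_layout fixed = rings_size(sq_entries, cq_entries, false);
	return buggy_sq_array_end(sq_entries, cq_entries) > order_alloc_size(fixed.total);
}

/* Sweep every power-of-two sq/cq pair with cq >= sq, counting pairs flagged by pred. */
static unsigned count_pairs(bool (*pred)(unsigned, unsigned))
{
	unsigned hits = 0;
	for (unsigned sq = 1; sq <= MAX_SQ_ENTRIES; sq <<= 1)
		for (unsigned cq = sq; cq <= MAX_CQ_ENTRIES; cq <<= 1)
			if (pred(sq, cq))
				hits++;
	return hits;
}

unsigned count_page_align_mismatches(void) { return count_pairs(page_align_differs); }
unsigned count_order_alloc_overruns(void) { return count_pairs(buggy_overruns_order_alloc); }

int main(void)
{
	for (unsigned sq = 1; sq <= MAX_SQ_ENTRIES; sq <<= 1) {
		unsigned cq = sq * 2;  /* assumed default of twice sq, implied by the (32 << n) figure */
		printf("sq=%5u cq=%6u total=%8lu buggy_end=%8lu page_align_differs=%d order_overrun=%d\n",
		       sq, cq, rings_size(sq, cq, false).total, buggy_sq_array_end(sq, cq),
		       page_align_differs(sq, cq), buggy_overruns_order_alloc(sq, cq));
	}
	printf("PAGE_ALIGN mismatches: %u, power-of-two-pages overruns: %u\n",
	       count_page_align_mismatches(), count_order_alloc_overruns());
	return 0;
}
```

The two rounding models are kept as separate predicates so the printed table shows, per ring size, which rounding the verdict depends on; the sweep over all sq/cq pairs is the userspace counterpart of the test Dmitry asks for, minus the actual filling of the rings.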