On Sat, 2020-07-11 at 11:31 +0200, Dmitry Vyukov wrote: > rings_size() sets sq_offset to the total size of the rings > (the returned value which is used for memory allocation). > This is wrong: sq array should be located within the rings, > not after them. Set sq_offset to where it should be. > > Signed-off-by: Dmitry Vyukov > Cc: io-uring@vger.kernel.org > Cc: Hristo Venev > Fixes: 75b28affdd6a ("io_uring: allocate the two rings together") Oops. Acked-by: Hristo Venev > > --- > This looks so wrong and yet io_uring works. > So I am either missing something very obvious here, > or io_uring worked only due to lucky side-effects > of rounding size to power-of-2 number of pages > (which gave it enough slack at the end), > maybe reading/writing some unrelated memory > with some sizes. > If I am wrong, please poke my nose into what I am not seeing. > Otherwise, we probably need to CC stable as well. > --- > fs/io_uring.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/fs/io_uring.c b/fs/io_uring.c > index ca8abde48b6c7..c4c3731ed41e9 100644 > --- a/fs/io_uring.c > +++ b/fs/io_uring.c > @@ -7063,6 +7063,9 @@ static unsigned long rings_size(unsigned > sq_entries, unsigned cq_entries, > return SIZE_MAX; > #endif > > + if (sq_offset) > + *sq_offset = off; > + > sq_array_size = array_size(sizeof(u32), sq_entries); > if (sq_array_size == SIZE_MAX) > return SIZE_MAX; > @@ -7070,9 +7073,6 @@ static unsigned long rings_size(unsigned > sq_entries, unsigned cq_entries, > if (check_add_overflow(off, sq_array_size, &off)) > return SIZE_MAX; > > - if (sq_offset) > - *sq_offset = off; > - > return off; > } >