io_uring/rsrc: check size when importing reg buffer

We're relying on callers to verify the IO size, do it inside of io_import_fixed() instead. It's safer, easier to deal with, and more consistent as now it's done close to the iter init site. Signed-off-by: Pavel Begunkov <asml.silence@gmail.com> Link: https://lore.kernel.org/r/f9c2c75ec4d356a0c61289073f68d98e8a9db190.1743446271.git.asml.silence@gmail.com Signed-off-by: Jens Axboe <axboe@kernel.dk>
author: Pavel Begunkov <asml.silence@gmail.com> 2025-03-31 19:40:21 +0100
committer: Jens Axboe <axboe@kernel.dk> 2025-03-31 12:41:49 -0600
commit: a1fbe0a12178a006b04a7fa528457f9901d6c6d0 (patch)
tree: 2108cd46eda139ee07154c1076ac328562826b05 /io_uring
parent: ed344511c584479ce2130d7e01a9a1e638850b0c (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/io_uring/rsrc.c b/io_uring/rsrc.c
index 3f195e24777e..59b4317b04a7 100644
--- a/io_uring/rsrc.c
+++ b/io_uring/rsrc.c
@@ -1016,6 +1016,8 @@ static int io_import_fixed(int ddir, struct iov_iter *iter,
 	/* not inside the mapped region */
 	if (unlikely(buf_addr < imu->ubuf || buf_end > (imu->ubuf + imu->len)))
 		return -EFAULT;
+	if (unlikely(len > MAX_RW_COUNT))
+		return -EFAULT;
 	if (!(imu->dir & (1 << ddir)))
 		return -EFAULT;
author	Pavel Begunkov <asml.silence@gmail.com>	2025-03-31 19:40:21 +0100
committer	Jens Axboe <axboe@kernel.dk>	2025-03-31 12:41:49 -0600
commit	a1fbe0a12178a006b04a7fa528457f9901d6c6d0 (patch)
tree	2108cd46eda139ee07154c1076ac328562826b05 /io_uring
parent	ed344511c584479ce2130d7e01a9a1e638850b0c (diff)