io_uring/zcrx: warn on freelist violations

commit 770594e78c3964cf23cf5287f849437cdde9b7d0 upstream.

The freelist is appropriately sized to always be able to take a free
niov, but let's be more defensive and check the invariant with a
warning. That should help to catch any double-free issues.

Suggested-by: Kai Aizen <kai@snailsploit.com>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://patch.msgid.link/2f3cea363b04649755e3b6bb9ab66485a95936d5.1776760901.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/io_uring/zcrx.c b/io_uring/zcrx.c
index 517b8ddb2cc211b9de2f98d201dc0d4b4dc58a7c..4eb08c832f0b15c2695bf24a7d279a8f6578d988 100644 (file)
--- a/io_uring/zcrx.c
+++ b/io_uring/zcrx.c
@@ -587,6 +587,8 @@ static void io_zcrx_return_niov_freelist(struct net_iov *niov)
        struct io_zcrx_area *area = io_zcrx_iov_to_area(niov);
 
        guard(spinlock_bh)(&area->freelist_lock);
+       if (WARN_ON_ONCE(area->free_count >= area->nia.num_niovs))
+               return;
        area->freelist[area->free_count++] = net_iov_idx(niov);
 }