From: Pavel Begunkov <asml.silence@gmail.com>
Date: Tue, 11 Oct 2022 00:59:57 +0000 (+0100)
Subject: io_uring: fix fdinfo sqe offsets calculation
X-Git-Tag: v6.0.3~6
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5ecafa5a5889e25bb0be840ee71eba2677cdd05e;p=thirdparty%2Fkernel%2Fstable.git

io_uring: fix fdinfo sqe offsets calculation

commit 00927931cb630bbf8edb6d7f4dadb25139fc5e16 upstream.

Only with the big sqe feature they take 128 bytes per entry, but we
unconditionally advance by 128B. Fix it by using sq_shift.

Fixes: 3b8fdd1dc35e3 ("io_uring/fdinfo: fix sqe dumping for IORING_SETUP_SQE128")
Reported-and-tested-by: syzbot+e5198737e8a2d23d958c@syzkaller.appspotmail.com
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/8b41287cb75d5efb8fcb5cccde845ddbbadd8372.1665449983.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/io_uring/fdinfo.c b/io_uring/fdinfo.c
index 6d4cc7a92724f..2ddf321c94893 100644
--- a/io_uring/fdinfo.c
+++ b/io_uring/fdinfo.c
@@ -95,7 +95,7 @@ static __cold void __io_uring_show_fdinfo(struct io_ring_ctx *ctx,
 		sq_idx = READ_ONCE(ctx->sq_array[entry & sq_mask]);
 		if (sq_idx > sq_mask)
 			continue;
-		sqe = &ctx->sq_sqes[sq_idx << 1];
+		sqe = &ctx->sq_sqes[sq_idx << sq_shift];
 		seq_printf(m, "%5u: opcode:%s, fd:%d, flags:%x, off:%llu, "
 			      "addr:0x%llx, rw_flags:0x%x, buf_index:%d "
 			      "user_data:%llu",