io_uring/fdinfo: fix OOB read in SQE_MIXED wrap check

carlini · axboe · commit 5170efd9c344 · 2026-03-26T20:28:28.000-06:00
__io_uring_show_fdinfo() iterates over pending SQEs and, for 128-byte SQEs on an IORING_SETUP_SQE_MIXED ring, needs to detect when the second half of the SQE would be past the end of the sq_sqes array. The current check tests (++sq_head & sq_mask) == 0, but sq_head is only incremented when a 128-byte SQE is encountered, not on every iteration. The actual array index is sq_idx = (i + sq_head) & sq_mask, which can be sq_mask (the last slot) while the wrap check passes. Fix by checking sq_idx directly. Keep the sq_head increment so the loop still skips the second half of the 128-byte SQE on the next iteration. Fixes: 1cba30b ("io_uring: add support for IORING_SETUP_SQE_MIXED") Signed-off-by: Nicholas Carlini <nicholas@carlini.com> Link: https://patch.msgid.link/20260327021823.3138396-1-nicholas@carlini.com Signed-off-by: Jens Axboe <axboe@kernel.dk>
diff --git a/io_uring/fdinfo.c b/io_uring/fdinfo.c
@@ -119,12 +119,13 @@ static void __io_uring_show_fdinfo(struct io_ring_ctx *ctx, struct seq_file *m)
 					sq_idx);
 				break;
 			}
-			if ((++sq_head & sq_mask) == 0) {
+			if (sq_idx == sq_mask) {
 				seq_printf(m,
 					"%5u: corrupted sqe, wrapping 128B entry\n",
 					sq_idx);
 				break;
 			}
+			sq_head++;
 			i++;
 			sqe128 = true;
 		}

Original file line number	Diff line number	Diff line change
`@@ -119,12 +119,13 @@ static void __io_uring_show_fdinfo(struct io_ring_ctx ctx, struct seq_file m)`
`119`	`119`	`sq_idx);`
`120`	`120`	`break;`
`121`	`121`	`}`
`122`		`- if ((++sq_head & sq_mask) == 0) {`
	`122`	`+ if (sq_idx == sq_mask) {`
`123`	`123`	`seq_printf(m,`
`124`	`124`	`"%5u: corrupted sqe, wrapping 128B entry\n",`
`125`	`125`	`sq_idx);`
`126`	`126`	`break;`
`127`	`127`	`}`
	`128`	`+ sq_head++;`
`128`	`129`	`i++;`
`129`	`130`	`sqe128 = true;`
`130`	`131`	`}`