+6
-21
io_uring/rsrc.c
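--- a/io_uring/rsrc.c
+++ b/io_uring/rsrc.c
@@ -1186,12 +1186,16 @@
 return -EBUSY;
 
 nbufs = src_ctx->buf_table.nr;
+if (!nbufs)
+return -ENXIO;
 if (!arg->nr)
 arg->nr = nbufs;
 else if (arg->nr > nbufs)
 return -EINVAL;
 else if (arg->nr > IORING_MAX_REG_BUFFERS)
 return -EINVAL;
+if (check_add_overflow(arg->nr, arg->src_off, &off) || off > nbufs)
+return -EOVERFLOW;
 if (check_add_overflow(arg->nr, arg->dst_off, &nbufs))
 return -EOVERFLOW;
 if (nbufs > IORING_MAX_REG_BUFFERS)
@@ -1215,21 +1211,6 @@
 }
 }
 
-ret = -ENXIO;
-nbufs = src_ctx->buf_table.nr;
-if (!nbufs)
-goto out_free;
-ret = -EINVAL;
-if (!arg->nr)
-arg->nr = nbufs;
-else if (arg->nr > nbufs)
-goto out_free;
-ret = -EOVERFLOW;
-if (check_add_overflow(arg->nr, arg->src_off, &off))
-goto out_free;
-if (off > nbufs)
-goto out_free;
-
 off = arg->dst_off;
 i = arg->src_off;
 nr = arg->nr;
@@ -1227,8 +1238,8 @@
 } else {
 dst_node = io_rsrc_node_alloc(ctx, IORING_RSRC_BUFFER);
 if (!dst_node) {
-ret = -ENOMEM;
-goto out_free;
+io_rsrc_data_free(ctx, &data);
+return -ENOMEM;
 }
 
 refcount_inc(&src_node->buf->refs);
@@ -1254,10 +1265,6 @@
 WARN_ON_ONCE(ctx->buf_table.nr);
 ctx->buf_table = data;
 return 0;
-
-out_free:
-io_rsrc_data_free(ctx, &data);
-return ret;
 }
 
 /*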
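Review bot: The source-range check added in the first hunk, `if (check_add_overflow(arg->nr, arg->src_off, &off) || off > nbufs)`, is only correct while `nbufs` still holds `src_ctx->buf_table.nr`, and the very next statement overwrites `nbufs` with `arg->nr + arg->dst_off`; that ordering is load-bearing and undocumented. I would put a comment above it such as `/* nbufs is still the source table size here; it is reused for the destination end below */`, or keep the source count in its own local. Because the validation now runs before the copy loop that starts at `i = arg->src_off` rather than next to it, it is worth confirming the source table cannot change size in between; the function's opening and its locking are outside the visible hunks. On the new `-ENOMEM` return in the third hunk, `io_rsrc_data_free(ctx, &data)` is presumably expected to release the buffer references already taken by `refcount_inc()` on earlier iterations, and a one-line comment saying so would help.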