[PATCH] io_uring: cast id to u64 before shifting in io_allocate_rbuf_ring()

Anas Iqbal posted 1 patch 3 weeks ago
Posted by Anas Iqbal 3 weeks ago
Smatch warns:
io_uring/zcrx.c:393 io_allocate_rbuf_ring() warn: should 'id << 16' be a 64 bit type?

The expression 'id << IORING_OFF_PBUF_SHIFT' is evaluated using 32-bit
arithmetic because id is a u32. This may overflow before being promoted
to the 64-bit mmap_offset.

Cast id to u64 before shifting to ensure the shift is performed in
64-bit arithmetic.

Signed-off-by: Anas Iqbal <mohd.abd.6602@gmail.com>
---
 io_uring/zcrx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/io_uring/zcrx.c b/io_uring/zcrx.c
index 62d693287457..d96d2802f3da 100644
--- a/io_uring/zcrx.c
+++ b/io_uring/zcrx.c
@@ -390,7 +390,7 @@ static int io_allocate_rbuf_ring(struct io_ring_ctx *ctx,
 		return -EINVAL;
 
 	mmap_offset = IORING_MAP_OFF_ZCRX_REGION;
-	mmap_offset += id << IORING_OFF_PBUF_SHIFT;
+	mmap_offset += (u64)id << IORING_OFF_PBUF_SHIFT;
 
 	ret = io_create_region(ctx, &ifq->region, rd, mmap_offset);
 	if (ret < 0)
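Review bot: the commit message overstates what the `-`/`+` pair fixes. With IORING_OFF_PBUF_SHIFT equal to 16 (the smatch warning reads `id << 16`), the 32-bit shift in `mmap_offset += id << IORING_OFF_PBUF_SHIFT;` only loses bits once id reaches 65536, and whether the `return -EINVAL;` check just above the hunk already bounds id below that is not visible here. Keep the `(u64)id << IORING_OFF_PBUF_SHIFT` cast, which correctly performs the shift in the 64-bit type of mmap_offset, but if id is range-checked earlier, reword the log as a type cleanup that silences smatch rather than as a reachable overflow.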
-- 
2.43.0
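An added user-space model of the two computations, not code from the patch or the kernel tree: it reproduces the 32-bit shift the patch replaces and the widened form it introduces, and finds the smallest id at which they disagree. IORING_OFF_PBUF_SHIFT = 16 is taken from the smatch warning above; IORING_MAP_OFF_ZCRX_REGION is an assumed placeholder value, and the u32/u64 typedefs stand in for the kernel's.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;
typedef uint64_t u64;

/* Shift width as reported by smatch on the page ('id << 16'). */
#define IORING_OFF_PBUF_SHIFT 16
/* Assumed placeholder: the real base offset is not given on the page. */
#define IORING_MAP_OFF_ZCRX_REGION 0xC0000000ULL

/* Pre-patch form: id is u32, so the shift is done in 32-bit arithmetic
 * and any bits shifted past bit 31 are lost before the 64-bit add. */
static u64 offset_before_patch(u32 id)
{
	u64 mmap_offset = IORING_MAP_OFF_ZCRX_REGION;
	mmap_offset += id << IORING_OFF_PBUF_SHIFT;
	return mmap_offset;
}

/* Post-patch form: id is widened to u64 first, so no bits are lost. */
static u64 offset_after_patch(u32 id)
{
	u64 mmap_offset = IORING_MAP_OFF_ZCRX_REGION;
	mmap_offset += (u64)id << IORING_OFF_PBUF_SHIFT;
	return mmap_offset;
}

/* Smallest id (searched up to 'limit') for which the two forms differ;
 * returns 0 if they agree for every id below the limit. */
static u32 first_divergent_id(u32 limit)
{
	for (u32 id = 1; id < limit; id++) {
		if (offset_before_patch(id) != offset_after_patch(id))
			return id;
	}
	return 0;
}

int main(void)
{
	u32 id = first_divergent_id(1u << 20);
	printf("first id where the 32-bit shift loses bits: %u\n", id);
	printf("before: 0x%llx  after: 0x%llx\n",
	       (unsigned long long)offset_before_patch(id),
	       (unsigned long long)offset_after_patch(id));
	return 0;
}
```

The divergence starts exactly at id = 65536, the "more than 64K interface queues" figure given in the reply below.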
Re: [PATCH] io_uring: cast id to u64 before shifting in io_allocate_rbuf_ring()
Posted by Jens Axboe 3 weeks ago
On 3/16/26 9:06 AM, Anas Iqbal wrote:
> Smatch warns:
> io_uring/zcrx.c:393 io_allocate_rbuf_ring() warn: should 'id << 16' be a 64 bit type?
> 
> The expression 'id << IORING_OFF_PBUF_SHIFT' is evaluated using 32-bit
> arithmetic because id is a u32. This may overflow before being promoted
> to the 64-bit mmap_offset.
> 
> Cast id to u64 before shifting to ensure the shift is performed in
> 64-bit arithmetic.

I'd be impressed if 'id' could be large enough to cause this to
overflow. AFAICT, you'd need more than 64K interface queues registered
to hit this. So I think this should be reframed as a cleanup, to appease
smatch.

I'll defer to Pavel on that one.

-- 
Jens Axboe
Re: [PATCH] io_uring: cast id to u64 before shifting in io_allocate_rbuf_ring()
Posted by Pavel Begunkov 3 weeks ago
On 3/16/26 19:37, Jens Axboe wrote:
> On 3/16/26 9:06 AM, Anas Iqbal wrote:
>> Smatch warns:
>> io_uring/zcrx.c:393 io_allocate_rbuf_ring() warn: should 'id << 16' be a 64 bit type?
>>
>> The expression 'id << IORING_OFF_PBUF_SHIFT' is evaluated using 32-bit
>> arithmetic because id is a u32. This may overflow before being promoted
>> to the 64-bit mmap_offset.
>>
>> Cast id to u64 before shifting to ensure the shift is performed in
>> 64-bit arithmetic.
> 
> I'd be impressed if 'id' could be large enough to cause this to
> overflow. AFAICT, you'd need more than 64K interface queues registered
> to hit this. So I think this should be reframed as a cleanup, to appease
> smatch.

Pretty much so. I'll queue up the patch targeting 7.1, thanks

-- 
Pavel Begunkov