io_uring/rsrc: check size when importing reg buffer

We're relying on callers to verify the IO size, do it inside of
io_import_fixed() instead. It's safer, easier to deal with, and more
consistent as now it's done close to the iter init site.

Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/f9c2c75ec4d356a0c61289073f68d98e8a9db190.1743446271.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/io_uring/rsrc.c b/io_uring/rsrc.c
index 3f195e24777e18158efb4eca205d4e6f279e2e88..59b4317b04a7aa79f88c108024d33e7d8662b93c 100644 (file)
--- a/io_uring/rsrc.c
+++ b/io_uring/rsrc.c
@@ -1016,6 +1016,8 @@ static int io_import_fixed(int ddir, struct iov_iter *iter,
        /* not inside the mapped region */
        if (unlikely(buf_addr < imu->ubuf || buf_end > (imu->ubuf + imu->len)))
                return -EFAULT;
+       if (unlikely(len > MAX_RW_COUNT))
+               return -EFAULT;
        if (!(imu->dir & (1 << ddir)))
                return -EFAULT;