io_uring: fix leaving invalid req->flags

sqe->flags are subset of req flags, so incorrectly copied may span into in-kernel flags and wreck havoc, e.g. by setting REQ_F_INFLIGHT. Fixes: 5be9ad1e ("io_uring: optimise io_init_req() flags setting") Signed-off-by: N Pavel Begunkov <asml.silence@gmail.com> Signed-off-by: N Jens Axboe <axboe@kernel.dk>

io_uring: fix leaving invalid req->flags
sqe->flags are subset of req flags, so incorrectly copied may span into in-kernel flags and wreck havoc, e.g. by setting REQ_F_INFLIGHT. Fixes: 5be9ad1e ("io_uring: optimise io_init_req() flags setting") Signed-off-by: N Pavel Begunkov <asml.silence@gmail.com> Signed-off-by: N Jens Axboe <axboe@kernel.dk>
ebf4a5db · Pavel Begunkov · Jens Axboe · 88f171ab · ebf4a5db
隐藏空白更改
内联并排

Showing with 3 addition and 1 deletion

fs/io_uring.c fs/io_uring.c +3 -1

未找到文件。
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -6679,8 +6679,10 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req,
 	req->result = 0;

 	/* enforce forwards compatibility on users */
-	if (unlikely(sqe_flags & ~SQE_VALID_FLAGS))
+	if (unlikely(sqe_flags & ~SQE_VALID_FLAGS)) {
+		req->flags = 0;
 		return -EINVAL;
+	}

 	if (unlikely(req->opcode >= IORING_OP_LAST))
 		return -EINVAL;