Commit 6fb53cf8 authored by Dylan Yudaken's avatar Dylan Yudaken Committed by Jens Axboe
Browse files

io_uring: verify resv is 0 in ringfd register/unregister 



Only allow resv field to be 0 in struct io_uring_rsrc_update user
arguments.

Fixes: e7a6c00d ("io_uring: add support for registering ring file descriptors")
Signed-off-by: default avatarDylan Yudaken <dylany@fb.com>
Link: https://lore.kernel.org/r/20220412163042.2788062-4-dylany@fb.com


Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
parent d8a3ba9c

fs/io_uring.c

+6 −1
Original line number Diff line number Diff line
@@ -10533,6 +10533,11 @@ static int io_ringfd_register(struct io_ring_ctx *ctx, void __user *__arg, 
			break;

		}



		if (reg.resv) {

			ret = -EINVAL;

			break;

		}



		if (reg.offset == -1U) {

			start = 0;

			end = IO_RINGFD_REG_MAX;
@@ -10579,7 +10584,7 @@ static int io_ringfd_unregister(struct io_ring_ctx *ctx, void __user *__arg, 
			ret = -EFAULT;

			break;

		}

		if (reg.offset >= IO_RINGFD_REG_MAX) {

		if (reg.resv || reg.offset >= IO_RINGFD_REG_MAX) {

			ret = -EINVAL;

			break;

		}