diff options
| author | Amir Mohammad Jahangirzad <a.jahangirzad@gmail.com> | 2026-04-01 02:51:13 +0330 |
|---|---|---|
| committer | Jens Axboe <axboe@kernel.dk> | 2026-04-01 10:21:13 -0600 |
| commit | 85a58309c0d5b5f5a4b65658312ceaf2c34c9bbf (patch) | |
| tree | 782192e9c90a102c434daa76ffe5db6d34b8f7d1 /drivers/char/drm/git@git.tavy.me:linux.git | |
| parent | 19a8cc6cda580a3726ab8f117e7c6de507376d9b (diff) | |
io_uring/cancel: validate opcode for IORING_ASYNC_CANCEL_OP
io_async_cancel_prep() reads the opcode selector from sqe->len and
stores it in cancel->opcode, which is an 8-bit field. Since sqe->len
is a 32-bit value, values larger than U8_MAX are implicitly truncated.
This can cause unintended opcode matches when the truncated value
corresponds to a valid io_uring opcode. For example, submitting a value
such as 0x10b will be truncated to 0x0b (IORING_OP_TIMEOUT), allowing a
cancel request to match operations it did not intend to target.
Validate the opcode value before assigning it to the 8-bit field and
reject values outside the valid io_uring opcode range.
Signed-off-by: Amir Mohammad Jahangirzad <a.jahangirzad@gmail.com>
Link: https://patch.msgid.link/20260331232113.615972-1-a.jahangirzad@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Diffstat (limited to 'drivers/char/drm/git@git.tavy.me:linux.git')
0 files changed, 0 insertions, 0 deletions