io_uring: don't re-read sqe->off in timeout_prep()

SQEs are user writable, don't read sqe->off twice in io_timeout_prep()

Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 4be8f9e..f888b20 100644 (file)
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -4803,18 +4803,19 @@ static int io_timeout_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
 {
        struct io_timeout_data *data;
        unsigned flags;
+       u32 off = READ_ONCE(sqe->off);
 
        if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
                return -EINVAL;
        if (sqe->ioprio || sqe->buf_index || sqe->len != 1)
                return -EINVAL;
-       if (sqe->off && is_timeout_link)
+       if (off && is_timeout_link)
                return -EINVAL;
        flags = READ_ONCE(sqe->timeout_flags);
        if (flags & ~IORING_TIMEOUT_ABS)
                return -EINVAL;
 
-       req->timeout.count = READ_ONCE(sqe->off);
+       req->timeout.count = off;
 
        if (!req->io && io_alloc_async_ctx(req))
                return -ENOMEM;