From: Pavel Begunkov
Date: Tue, 26 May 2020 17:34:04 +0000 (+0300)
Subject: io_uring: don't re-read sqe->off in timeout_prep()
X-Git-Tag: v5.15~3748^2~9
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=56080b02ed6e71fbc0add2d05a32ed7361dd736a;p=platform%2Fkernel%2Flinux-starfive.git
io_uring: don't re-read sqe->off in timeout_prep()
SQEs are user writable, don't read sqe->off twice in io_timeout_prep()
Signed-off-by: Pavel Begunkov
Signed-off-by: Jens Axboe
---
diff --git a/fs/io_uring.c b/fs/io_uring.c
index 4be8f9e..f888b20 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -4803,18 +4803,19 @@ static int io_timeout_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
 {
 struct io_timeout_data *data;
 unsigned flags;
+ u32 off = READ_ONCE(sqe->off);
 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
 return -EINVAL;
 if (sqe->ioprio || sqe->buf_index || sqe->len != 1)
 return -EINVAL;
- if (sqe->off && is_timeout_link)
+ if (off && is_timeout_link)
 return -EINVAL;
 flags = READ_ONCE(sqe->timeout_flags);
 if (flags & ~IORING_TIMEOUT_ABS)
 return -EINVAL;
- req->timeout.count = READ_ONCE(sqe->off);
+ req->timeout.count = off;
 if (!req->io && io_alloc_async_ctx(req))
 return -ENOMEM;
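Review bot: The validation line `if (sqe->ioprio || sqe->buf_index || sqe->len != 1)` still does plain loads from the user-writable SQE, so it is left out of the single-snapshot discipline this patch applies to `off`. In the visible lines those three fields are only compared and then discarded, so no check/use mismatch is shown here, but the body of io_timeout_prep() continues past the end of the hunk and any later use of one of them would bring back the same double-fetch pattern. I would wrap them in `READ_ONCE()` for consistency, and put a comment on the new declaration so the invariant survives later edits, for example `/* sqe is user-writable: read off once so the link check and timeout.count see the same value */`.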