* [PATCH] io_uring: fix off-by-one in sync cancelation file check
From: Jens Axboe @ 2022-08-23 13:29 UTC (permalink / raw)
  To: io-uring; +Cc: Luo Likang

The passed in index should be validated against the number of registered
files we have, it needs to be smaller than the index value to avoid going
one beyond the end.

Fixes: 78a861b94959 ("io_uring: add sync cancelation API through io_uring_register()")
Reported-by: Luo Likang <[email protected]>
Signed-off-by: Jens Axboe <[email protected]>

---

diff --git a/io_uring/cancel.c b/io_uring/cancel.c
index e4e1dc0325f0..5fc5d3e80fcb 100644
--- a/io_uring/cancel.c
+++ b/io_uring/cancel.c
@@ -218,7 +218,7 @@ static int __io_sync_cancel(struct io_uring_task *tctx,
 	    (cd->flags & IORING_ASYNC_CANCEL_FD_FIXED)) {
 		unsigned long file_ptr;
 
-		if (unlikely(fd > ctx->nr_user_files))
+		if (unlikely(fd >= ctx->nr_user_files))
 			return -EBADF;
 		fd = array_index_nospec(fd, ctx->nr_user_files);
 		file_ptr = io_fixed_file_slot(&ctx->file_table, fd)->file_ptr;
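
Review bot: the changelog text for the changed `fd >= ctx->nr_user_files` test reads inverted and should be reworded before applying: it is the index that has to be smaller than the number of registered files, which is what the new comparison enforces. It would also help to say in the log what the old `>` test actually let through. The next line, `array_index_nospec(fd, ctx->nr_user_files)`, clamps an index that is not below the size to 0, so an fd equal to nr_user_files would have been resolved to fixed slot 0 instead of returning -EBADF. The new check is consistent with that helper's contract (index strictly below size), so the code change itself looks right.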

-- 
Jens Axboe
