public inbox for io-uring@vger.kernel.org
* [PATCH] io_uring/cancel: validate opcode for IORING_ASYNC_CANCEL_OP
@ 2026-03-31 23:21 Amir Mohammad Jahangirzad
  2026-04-01 13:31 ` Jens Axboe
  2026-04-01 13:39 ` Jens Axboe
  0 siblings, 2 replies; 3+ messages in thread
From: Amir Mohammad Jahangirzad @ 2026-03-31 23:21 UTC (permalink / raw)
  To: axboe; +Cc: io-uring, linux-kernel, Amir Mohammad Jahangirzad

io_async_cancel_prep() reads the opcode selector from sqe->len and
stores it in cancel->opcode, which is an 8-bit field. Since sqe->len
is a 32-bit value, values larger than U8_MAX are implicitly truncated.

This can cause unintended opcode matches when the truncated value
corresponds to a valid io_uring opcode. For example, submitting a value
such as 0x10b will be truncated to 0x0b (IORING_OP_TIMEOUT), allowing a
cancel request to match operations it did not intend to target.
Validate the opcode value before assigning it to the 8-bit field and
reject values outside the valid io_uring opcode range.

Signed-off-by: Amir Mohammad Jahangirzad <a.jahangirzad@gmail.com>
---
 io_uring/cancel.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/io_uring/cancel.c b/io_uring/cancel.c
index 65e04063e..5e5eb9cfc 100644
--- a/io_uring/cancel.c
+++ b/io_uring/cancel.c
@@ -156,9 +156,16 @@ int io_async_cancel_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
 		cancel->fd = READ_ONCE(sqe->fd);
 	}
 	if (cancel->flags & IORING_ASYNC_CANCEL_OP) {
+		u32 op;
+
 		if (cancel->flags & IORING_ASYNC_CANCEL_ANY)
 			return -EINVAL;
-		cancel->opcode = READ_ONCE(sqe->len);
+
+		op = READ_ONCE(sqe->len);
+		if (op >= IORING_OP_LAST)
+			return -EINVAL;
+
+		cancel->opcode = op;
 	}
 
 	return 0;
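Review bot: the `if (op >= IORING_OP_LAST)` check rejects more than the truncation case the commit message describes. Selectors from IORING_OP_LAST up to U8_MAX fit in the 8-bit cancel->opcode without truncation and were previously accepted (they simply never matched anything), but after this change they also fail prep with -EINVAL. That is a user-visible change for IORING_ASYNC_CANCEL_OP submissions, so the commit message should say that any selector at or above IORING_OP_LAST is now refused, not only values above U8_MAX. A short comment above the check noting that sqe->len is read into a u32 so the bound is tested before narrowing would also help a later reader see why the temporary `op` exists.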
-- 
2.53.0
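
The truncation described in the commit message above, as a userspace model added here (not kernel code and not part of the patch). The `model_*` names, the constructed pending queue and the `MODEL_OP_LAST` value are assumptions for illustration; only 0x0b and 0x10b come from the thread.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model only; MODEL_OP_LAST is an assumed bound, not the kernel's value. */
#define MODEL_OP_TIMEOUT 0x0bu	/* opcode value quoted in the commit message */
#define MODEL_OP_LAST    0x40u

struct model_cancel { uint8_t opcode; };	/* 8-bit field, as described in the thread */

/* Pre-patch behaviour: the 32-bit selector is narrowed straight into the u8. */
static int model_prep_before(struct model_cancel *c, uint32_t sqe_len)
{
	c->opcode = (uint8_t)sqe_len;	/* 0x10b becomes 0x0b here */
	return 0;
}

/* Post-patch behaviour: bound-check in the wide type, then assign. */
static int model_prep_after(struct model_cancel *c, uint32_t sqe_len)
{
	if (sqe_len >= MODEL_OP_LAST)
		return -EINVAL;
	c->opcode = (uint8_t)sqe_len;
	return 0;
}

/* Constructed queue of pending opcodes: two timeouts among other requests. */
static const uint8_t model_pending[] = { 0x01, MODEL_OP_TIMEOUT, 0x16, MODEL_OP_TIMEOUT };

/* Number of pending requests the cancel would match, or -1 if prep rejects it. */
static long model_run(uint32_t selector, int patched)
{
	struct model_cancel c = { 0 };
	long hits = 0;
	int ret = patched ? model_prep_after(&c, selector) : model_prep_before(&c, selector);

	if (ret)
		return -1;
	for (size_t i = 0; i < sizeof(model_pending); i++)
		hits += (model_pending[i] == c.opcode);
	return hits;
}

int main(void)
{
	printf("0x10b before: %ld, after: %ld\n", model_run(0x10b, 0), model_run(0x10b, 1));
	return 0;
}
```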



* Re: [PATCH] io_uring/cancel: validate opcode for IORING_ASYNC_CANCEL_OP
  2026-03-31 23:21 [PATCH] io_uring/cancel: validate opcode for IORING_ASYNC_CANCEL_OP Amir Mohammad Jahangirzad
@ 2026-04-01 13:31 ` Jens Axboe
  2026-04-01 13:39 ` Jens Axboe
  1 sibling, 0 replies; 3+ messages in thread
From: Jens Axboe @ 2026-04-01 13:31 UTC (permalink / raw)
  To: Amir Mohammad Jahangirzad; +Cc: io-uring, linux-kernel

On 3/31/26 5:21 PM, Amir Mohammad Jahangirzad wrote:
> io_async_cancel_prep() reads the opcode selector from sqe->len and
> stores it in cancel->opcode, which is an 8-bit field. Since sqe->len
> is a 32-bit value, values larger than U8_MAX are implicitly truncated.
> 
> This can cause unintended opcode matches when the truncated value
> corresponds to a valid io_uring opcode. For example, submitting a value
> such as 0x10b will be truncated to 0x0b (IORING_OP_TIMEOUT), allowing a
> cancel request to match operations it did not intend to target.
> Validate the opcode value before assigning it to the 8-bit field and
> reject values outside the valid io_uring opcode range.

Looks fine to me as a cleanup, as it's really the application being
buggy if you set ->len > IORING_OP_LAST and then match some opcode
that just happens to be == ->len & 255. I'll apply this for 7.1.

-- 
Jens Axboe



* Re: [PATCH] io_uring/cancel: validate opcode for IORING_ASYNC_CANCEL_OP
  2026-03-31 23:21 [PATCH] io_uring/cancel: validate opcode for IORING_ASYNC_CANCEL_OP Amir Mohammad Jahangirzad
  2026-04-01 13:31 ` Jens Axboe
@ 2026-04-01 13:39 ` Jens Axboe
  1 sibling, 0 replies; 3+ messages in thread
From: Jens Axboe @ 2026-04-01 13:39 UTC (permalink / raw)
  To: Amir Mohammad Jahangirzad; +Cc: io-uring, linux-kernel


On Wed, 01 Apr 2026 02:51:13 +0330, Amir Mohammad Jahangirzad wrote:
> io_async_cancel_prep() reads the opcode selector from sqe->len and
> stores it in cancel->opcode, which is an 8-bit field. Since sqe->len
> is a 32-bit value, values larger than U8_MAX are implicitly truncated.
> 
> This can cause unintended opcode matches when the truncated value
> corresponds to a valid io_uring opcode. For example, submitting a value
> such as 0x10b will be truncated to 0x0b (IORING_OP_TIMEOUT), allowing a
> cancel request to match operations it did not intend to target.
> Validate the opcode value before assigning it to the 8-bit field and
> reject values outside the valid io_uring opcode range.
> 
> [...]

Applied, thanks!

[1/1] io_uring/cancel: validate opcode for IORING_ASYNC_CANCEL_OP
      commit: ab274887c2443f49d3a547a58a094787cd02d1dc

Best regards,
-- 
Jens Axboe



