From nobody Mon May 11 06:17:37 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6CE03C433EF for ; Tue, 12 Apr 2022 16:31:27 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1351478AbiDLQdm (ORCPT ); Tue, 12 Apr 2022 12:33:42 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37308 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1357679AbiDLQd2 (ORCPT ); Tue, 12 Apr 2022 12:33:28 -0400 Received: from mx0a-00082601.pphosted.com (mx0a-00082601.pphosted.com [67.231.145.42]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2E5105DE7F for ; Tue, 12 Apr 2022 09:31:00 -0700 (PDT) Received: from pps.filterd (m0044012.ppops.net [127.0.0.1]) by mx0a-00082601.pphosted.com (8.16.1.2/8.16.1.2) with ESMTP id 23C0jrtJ032695 for ; Tue, 12 Apr 2022 09:31:00 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=facebook; bh=/xid/OpYx6XCeq/M4GKH/83yAYcqpeMppbcM1h1pC9A=; b=dXr07BQTNyBfiETeamRqkqnDYW/klgyTd7oLea0vjuEwKXNTTSMFlnPE2vP7dDwTqPJq WDE4a3R4OiM/fHOx3iHGWemGNKTQYnCEM9cr8oCRif4PCzsJT5Tej0qTUXQz01iJJrjm YgVIjnOd5rYrSzJaCopGwBuVuEtHQajhbZI= Received: from maileast.thefacebook.com ([163.114.130.16]) by mx0a-00082601.pphosted.com (PPS) with ESMTPS id 3fcy5qv47u-3 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Tue, 12 Apr 2022 09:31:00 -0700 Received: from twshared41237.03.ash8.facebook.com (2620:10d:c0a8:1b::d) by mail.thefacebook.com (2620:10d:c0a8:82::d) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.21; Tue, 12 Apr 2022 09:30:58 -0700 Received: by devbig039.lla1.facebook.com (Postfix, from userid 572232) id 97FA07456064; Tue, 12 Apr 2022 09:30:47 -0700 (PDT) From: Dylan Yudaken To: CC: , , , , Dylan Yudaken Subject: [PATCH 1/4] io_uring: move io_uring_rsrc_update2 validation Date: Tue, 12 Apr 2022 09:30:39 -0700 Message-ID: <20220412163042.2788062-2-dylany@fb.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20220412163042.2788062-1-dylany@fb.com> References: <20220412163042.2788062-1-dylany@fb.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-FB-Internal: Safe X-Proofpoint-ORIG-GUID: _UgUXIRDRhPiN_Z7ASiWaaonoD04hPtH X-Proofpoint-GUID: _UgUXIRDRhPiN_Z7ASiWaaonoD04hPtH X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.858,Hydra:6.0.486,FMLib:17.11.64.514 definitions=2022-04-12_06,2022-04-12_02,2022-02-23_01 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Move validation to be more consistently straight after copy_from_user. This is already done in io_register_rsrc_update and so this removes that redundant check. Signed-off-by: Dylan Yudaken --- fs/io_uring.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/io_uring.c b/fs/io_uring.c index 8a931eb8a3a6..58bfa71fe3b6 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -11398,8 +11398,6 @@ static int __io_register_rsrc_update(struct io_ring= _ctx *ctx, unsigned type, __u32 tmp; int err; =20 - if (up->resv) - return -EINVAL; if (check_add_overflow(up->offset, nr_args, &tmp)) return -EOVERFLOW; err =3D io_rsrc_node_switch_start(ctx); @@ -11425,6 +11423,8 @@ static int io_register_files_update(struct io_ring_= ctx *ctx, void __user *arg, memset(&up, 0, sizeof(up)); if (copy_from_user(&up, arg, sizeof(struct io_uring_rsrc_update))) return -EFAULT; + if (up.resv) + return -EINVAL; return __io_register_rsrc_update(ctx, IORING_RSRC_FILE, &up, nr_args); } =20 --=20 2.30.2 From nobody Mon May 11 06:17:37 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7881FC433EF for ; Tue, 12 Apr 2022 16:31:36 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1357661AbiDLQdw (ORCPT ); Tue, 12 Apr 2022 12:33:52 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37350 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239010AbiDLQd3 (ORCPT ); Tue, 12 Apr 2022 12:33:29 -0400 Received: from mx0a-00082601.pphosted.com (mx0a-00082601.pphosted.com [67.231.145.42]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 879D95E16A for ; Tue, 12 Apr 2022 09:31:02 -0700 (PDT) Received: from pps.filterd (m0148461.ppops.net [127.0.0.1]) by mx0a-00082601.pphosted.com (8.16.1.2/8.16.1.2) with ESMTP id 23CF0kP2030058 for ; Tue, 12 Apr 2022 09:31:02 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=facebook; bh=jpJLwlCd/Lo6d9EOp1tU7k+L8lqn56Qe1VGs4ldSBt0=; b=lhDW+wS1PWX7Dd5U0d5//NRgork1OIGL5UlZ3DkxJHOrEGqG+gCYCAv/SvVcEgTgQX14 S5vwRH08+ID1Yp+Qpjf9pPxN2VXUgVs+ZNZFVvbXUwIJ+abYyVPApBmOqK8GqetsPPco 9vESh4MnV7ZgKMqu2zzMsr+1yv428IFNEyk= Received: from maileast.thefacebook.com ([163.114.130.16]) by mx0a-00082601.pphosted.com (PPS) with ESMTPS id 3fdbpj8pek-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Tue, 12 Apr 2022 09:31:02 -0700 Received: from twshared14141.02.ash7.facebook.com (2620:10d:c0a8:1b::d) by mail.thefacebook.com (2620:10d:c0a8:82::c) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.21; Tue, 12 Apr 2022 09:31:01 -0700 Received: by devbig039.lla1.facebook.com (Postfix, from userid 572232) id 398667456066; Tue, 12 Apr 2022 09:30:48 -0700 (PDT) From: Dylan Yudaken To: CC: , , , , Dylan Yudaken Subject: [PATCH 2/4] io_uring: verify that resv2 is 0 in io_uring_rsrc_update2 Date: Tue, 12 Apr 2022 09:30:40 -0700 Message-ID: <20220412163042.2788062-3-dylany@fb.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20220412163042.2788062-1-dylany@fb.com> References: <20220412163042.2788062-1-dylany@fb.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-FB-Internal: Safe X-Proofpoint-ORIG-GUID: eRMg5F3rRGAyajd58Tpyi9hUQZNAk48j X-Proofpoint-GUID: eRMg5F3rRGAyajd58Tpyi9hUQZNAk48j X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.858,Hydra:6.0.486,FMLib:17.11.64.514 definitions=2022-04-12_06,2022-04-12_02,2022-02-23_01 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Verify that the user does not pass in anything but 0 for this field. Fixes: 992da01aa932 ("io_uring: change registration/upd/rsrc tagging ABI") Signed-off-by: Dylan Yudaken --- fs/io_uring.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/fs/io_uring.c b/fs/io_uring.c index 58bfa71fe3b6..e899192ffb77 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -6839,6 +6839,7 @@ static int io_files_update(struct io_kiocb *req, unsi= gned int issue_flags) up.nr =3D 0; up.tags =3D 0; up.resv =3D 0; + up.resv2 =3D 0; =20 io_ring_submit_lock(ctx, needs_lock); ret =3D __io_register_rsrc_update(ctx, IORING_RSRC_FILE, @@ -11423,7 +11424,7 @@ static int io_register_files_update(struct io_ring_= ctx *ctx, void __user *arg, memset(&up, 0, sizeof(up)); if (copy_from_user(&up, arg, sizeof(struct io_uring_rsrc_update))) return -EFAULT; - if (up.resv) + if (up.resv || up.resv2) return -EINVAL; return __io_register_rsrc_update(ctx, IORING_RSRC_FILE, &up, nr_args); } @@ -11437,7 +11438,7 @@ static int io_register_rsrc_update(struct io_ring_c= tx *ctx, void __user *arg, return -EINVAL; if (copy_from_user(&up, arg, sizeof(up))) return -EFAULT; - if (!up.nr || up.resv) + if (!up.nr || up.resv || up.resv2) return -EINVAL; return __io_register_rsrc_update(ctx, type, &up, up.nr); } --=20 2.30.2 From nobody Mon May 11 06:17:37 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 97374C433EF for ; Tue, 12 Apr 2022 16:31:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231253AbiDLQd5 (ORCPT ); Tue, 12 Apr 2022 12:33:57 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37376 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1357689AbiDLQd2 (ORCPT ); Tue, 12 Apr 2022 12:33:28 -0400 Received: from mx0a-00082601.pphosted.com (mx0b-00082601.pphosted.com [67.231.153.30]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 812B25E168 for ; Tue, 12 Apr 2022 09:31:05 -0700 (PDT) Received: from pps.filterd (m0089730.ppops.net [127.0.0.1]) by m0089730.ppops.net (8.16.1.2/8.16.1.2) with ESMTP id 23CF1qip006055 for ; Tue, 12 Apr 2022 09:31:04 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=facebook; bh=baEaCrnLBHjc8dj+cmCnEDyggTYvxeftZ9u5tqzYlTQ=; b=WL6IG/v+96ZbexC5BmYEsm9xxAiTaY3eamthvpYVTqKiZsXSI5a2Gi3l8YHyzrhE6DBq BjvDqx39p/bCZpr5BpSh6iIL/oEjxT2ZlP/uvFK7ciIMe1eNV4Ay1EinpGHGjNrDd2Gq C8g47Au16XQ3NEUuOs4fmDGmn/SHnC7GRJw= Received: from mail.thefacebook.com ([163.114.132.120]) by m0089730.ppops.net (PPS) with ESMTPS id 3fckykgq36-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Tue, 12 Apr 2022 09:31:04 -0700 Received: from twshared6486.05.ash9.facebook.com (2620:10d:c085:208::11) by mail.thefacebook.com (2620:10d:c085:11d::6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.21; Tue, 12 Apr 2022 09:31:02 -0700 Received: by devbig039.lla1.facebook.com (Postfix, from userid 572232) id A736C745606C; Tue, 12 Apr 2022 09:30:48 -0700 (PDT) From: Dylan Yudaken To: CC: , , , , Dylan Yudaken Subject: [PATCH 3/4] io_uring: verify resv is 0 in ringfd register/unregister Date: Tue, 12 Apr 2022 09:30:41 -0700 Message-ID: <20220412163042.2788062-4-dylany@fb.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20220412163042.2788062-1-dylany@fb.com> References: <20220412163042.2788062-1-dylany@fb.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-FB-Internal: Safe X-Proofpoint-ORIG-GUID: NiXb3jjnq2cYYFqBsXHH-4CYl2GkYc-C X-Proofpoint-GUID: NiXb3jjnq2cYYFqBsXHH-4CYl2GkYc-C X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.858,Hydra:6.0.486,FMLib:17.11.64.514 definitions=2022-04-12_06,2022-04-12_02,2022-02-23_01 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Only allow resv field to be 0 in struct io_uring_rsrc_update user arguments. Fixes: e7a6c00dc77a ("io_uring: add support for registering ring file descr= iptors") Signed-off-by: Dylan Yudaken --- fs/io_uring.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/fs/io_uring.c b/fs/io_uring.c index e899192ffb77..a84bfec97d0d 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -10533,6 +10533,11 @@ static int io_ringfd_register(struct io_ring_ctx *= ctx, void __user *__arg, break; } =20 + if (reg.resv) { + ret =3D -EINVAL; + break; + } + if (reg.offset =3D=3D -1U) { start =3D 0; end =3D IO_RINGFD_REG_MAX; @@ -10579,7 +10584,7 @@ static int io_ringfd_unregister(struct io_ring_ctx = *ctx, void __user *__arg, ret =3D -EFAULT; break; } - if (reg.offset >=3D IO_RINGFD_REG_MAX) { + if (reg.resv || reg.offset >=3D IO_RINGFD_REG_MAX) { ret =3D -EINVAL; break; } --=20 2.30.2 From nobody Mon May 11 06:17:37 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id EA45EC433FE for ; Tue, 12 Apr 2022 16:31:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1357698AbiDLQdd (ORCPT ); Tue, 12 Apr 2022 12:33:33 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37286 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1357670AbiDLQd0 (ORCPT ); Tue, 12 Apr 2022 12:33:26 -0400 Received: from mx0b-00082601.pphosted.com (mx0b-00082601.pphosted.com [67.231.153.30]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2E0E75DE72 for ; Tue, 12 Apr 2022 09:31:00 -0700 (PDT) Received: from pps.filterd (m0109332.ppops.net [127.0.0.1]) by mx0a-00082601.pphosted.com (8.16.1.2/8.16.1.2) with ESMTP id 23C9IF61029511 for ; Tue, 12 Apr 2022 09:30:59 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=facebook; bh=RuVFmwVdExl/MSNgXRVfM40+Dn5quq+Xx3wa/wo0YZg=; b=YU4IXVG54QSv/U92CSB4orcEqCT+laHyTbGiLeOWy58ZTe2lEuzHgkshiyvvM2EOUK5n Apnz09nGKH5IiqPd8k3Kwac2AuPQPfPesiJY3+dWDjaB6n49LzdAbD7rfjC7i/RI3QLm agdm5/Ty+WrHTymRQjetoPqUEohL5w5XCKk= Received: from maileast.thefacebook.com ([163.114.130.16]) by mx0a-00082601.pphosted.com (PPS) with ESMTPS id 3fd6p3t9x3-4 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Tue, 12 Apr 2022 09:30:59 -0700 Received: from twshared41237.03.ash8.facebook.com (2620:10d:c0a8:1b::d) by mail.thefacebook.com (2620:10d:c0a8:82::c) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.21; Tue, 12 Apr 2022 09:30:57 -0700 Received: by devbig039.lla1.facebook.com (Postfix, from userid 572232) id 5042D745606E; Tue, 12 Apr 2022 09:30:49 -0700 (PDT) From: Dylan Yudaken To: CC: , , , , Dylan Yudaken Subject: [PATCH 4/4] io_uring: verify pad field is 0 in io_get_ext_arg Date: Tue, 12 Apr 2022 09:30:42 -0700 Message-ID: <20220412163042.2788062-5-dylany@fb.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20220412163042.2788062-1-dylany@fb.com> References: <20220412163042.2788062-1-dylany@fb.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-FB-Internal: Safe X-Proofpoint-ORIG-GUID: 3yc-rusqUW7s1ofzsnnjpcJeRllUTpFE X-Proofpoint-GUID: 3yc-rusqUW7s1ofzsnnjpcJeRllUTpFE X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.858,Hydra:6.0.486,FMLib:17.11.64.514 definitions=2022-04-12_06,2022-04-12_02,2022-02-23_01 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Ensure that only 0 is passed for pad here. Fixes: c73ebb685fb6 ("io_uring: add timeout support for io_uring_enter()") Signed-off-by: Dylan Yudaken --- fs/io_uring.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/io_uring.c b/fs/io_uring.c index a84bfec97d0d..6b1a98697dcf 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -10711,6 +10711,8 @@ static int io_get_ext_arg(unsigned flags, const voi= d __user *argp, size_t *argsz return -EINVAL; if (copy_from_user(&arg, argp, sizeof(arg))) return -EFAULT; + if (arg.pad) + return -EINVAL; *sig =3D u64_to_user_ptr(arg.sigmask); *argsz =3D arg.sigmask_sz; *ts =3D u64_to_user_ptr(arg.ts); --=20 2.30.2