From: Amir Mohammad Jahangirzad
To: axboe@kernel.dk
Cc: io-uring@vger.kernel.org, linux-kernel@vger.kernel.org, Amir Mohammad Jahangirzad
Subject: [PATCH] io_uring/cancel: validate opcode for IORING_ASYNC_CANCEL_OP
Date: Wed, 1 Apr 2026 02:51:13 +0330
Message-ID: <20260331232113.615972-1-a.jahangirzad@gmail.com>

io_async_cancel_prep() reads the opcode selector from sqe->len and stores it in cancel->opcode, which is an 8-bit field. Since sqe->len is a 32-bit value, values larger than U8_MAX are implicitly truncated.

This can cause unintended opcode matches when the truncated value corresponds to a valid io_uring opcode. For example, submitting a value such as 0x10b will be truncated to 0x0b (IORING_OP_TIMEOUT), allowing a cancel request to match operations it did not intend to target.

Validate the opcode value before assigning it to the 8-bit field and reject values outside the valid io_uring opcode range.

Signed-off-by: Amir Mohammad Jahangirzad
---
 io_uring/cancel.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/io_uring/cancel.c b/io_uring/cancel.c index 65e04063e..5e5eb9cfc 100644 --- a/io_uring/cancel.c +++ b/io_uring/cancel.c
@@ -156,9 +156,16 @@ int io_async_cancel_prep(struct io_kiocb *req, const s= truct io_uring_sqe *sqe) cancel->fd =3D READ_ONCE(sqe->fd); } if (cancel->flags & IORING_ASYNC_CANCEL_OP) { + u32 op; + if (cancel->flags & IORING_ASYNC_CANCEL_ANY) return -EINVAL; - cancel->opcode =3D READ_ONCE(sqe->len); + + op =3D READ_ONCE(sqe->len); + if (op >=3D IORING_OP_LAST) + return -EINVAL; + + cancel->opcode =3D op; } =20 return 0; --=20 2.53.0
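
Review bot: the new range check in io_async_cancel_prep() (op >= IORING_OP_LAST returning -EINVAL) changes what userspace sees for sqe->len values that were previously accepted after truncation, and the commit message carries no Fixes: tag naming the commit that introduced the cancel->opcode = READ_ONCE(sqe->len) assignment. Add the tag so the fix can be routed to stable, and state in the message that such submissions now fail at prep time. Reading into a u32 temporary before the comparison is the right shape, since the check has to happen before the value is narrowed to the 8-bit cancel->opcode field.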