Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

io_uring/openclose: fix io_pipe_fixed() slot tracking for specific slots

__io_fixed_fd_install() returns 0 on success for non-alloc mode
(specific slot), not the slot index. io_pipe_fixed() used this return
value directly as the slot index in fds[], which can cause the reported
values returned via copy_to_user() to be incorrect, or the error path
operating on the incorrect direct descriptor.

Fix by computing the actual 0-based slot index (slot - 1) for specific
slot mode, while preserving the existing behavior for auto-alloc mode
where __io_fixed_fd_install() already returns the allocated index.

Cc: stable@vger.kernel.org
Fixes: 53db8a71ecb4 ("io_uring: add support for IORING_OP_PIPE")
Signed-off-by: Jens Axboe <axboe@kernel.dk>

+6 -3
io_uring/openclose.c
··· 345 345 { 346 346 struct io_pipe *p = io_kiocb_to_cmd(req, struct io_pipe); 347 347 struct io_ring_ctx *ctx = req->ctx; 348 + bool alloc_slot; 348 349 int ret, fds[2] = { -1, -1 }; 349 350 int slot = p->file_slot; 350 351 351 352 if (p->flags & O_CLOEXEC) 352 353 return -EINVAL; 353 354 355 + alloc_slot = slot == IORING_FILE_INDEX_ALLOC; 356 + 354 357 io_ring_submit_lock(ctx, issue_flags); 355 358 356 359 ret = __io_fixed_fd_install(ctx, files[0], slot); 357 360 if (ret < 0) 358 361 goto err; 359 - fds[0] = ret; 362 + fds[0] = alloc_slot ? ret : slot - 1; 360 363 files[0] = NULL; 361 364 362 365 /* 363 366 * If a specific slot is given, next one will be used for 364 367 * the write side. 365 368 */ 366 - if (slot != IORING_FILE_INDEX_ALLOC) 369 + if (!alloc_slot) 367 370 slot++; 368 371 369 372 ret = __io_fixed_fd_install(ctx, files[1], slot); 370 373 if (ret < 0) 371 374 goto err; 372 - fds[1] = ret; 375 + fds[1] = alloc_slot ? ret : slot - 1; 373 376 files[1] = NULL; 374 377 375 378 io_ring_submit_unlock(ctx, issue_flags);
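
Review bot: the two new assignments, `fds[0] = alloc_slot ? ret : slot - 1;` and `fds[1] = alloc_slot ? ret : slot - 1;`, are textually identical and only produce different indices because of the `slot++` that sits between them, yet nothing in the code says why the `- 1` is there. The commit message explains that a specific slot is converted to a 0-based index, but the only in-code comment still just reads "If a specific slot is given, next one will be used for the write side". Please add a short comment at the first assignment (or extend the existing one) stating that in specific-slot mode `__io_fixed_fd_install()` returns 0 rather than the index, and that `fds[]` must hold the 0-based index `slot - 1`. That makes the dependency on the increment explicit, so a later reordering of `slot++` relative to the second assignment does not silently reintroduce wrong values in what is copied to userspace or in what the `err` path operates on. Since the same expression appears twice, a small local helper or macro taking `ret` and `slot` would also remove the duplication.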