Tree - kernel/kernel-source - Pagure for openSUSE

kernel / kernel-source

Source
Stats

Files

Commit: 678063aa1425c5fee2dc993e6cd635f549601f8b

Blob Blame History Raw

From df0c6261345fba39b5d0cc80a82006a57f7a87bc Mon Sep 17 00:00:00 2001
From: Pavel Begunkov <asml.silence@gmail.com>
Date: Fri, 24 Sep 2021 17:14:48 +0100
Subject: [PATCH] io_uring: kill extra checks in io_write()
Git-commit: 9f3a2cb228c28606895d15f13b30d1f7402dc745
Patch-mainline: v5.15-rc3
References: bsc#1198968 CVE-2022-1508

We don't retry short writes and so we would never get to async setup in
io_write() in that case. Thus ret2 > 0 is always false and
iov_iter_advance() is never used. Apparently, the same is found by
Coverity, which complains on the code.

Fixes: cd65869512ab ("io_uring: use iov_iter state save/restore helpers")
Reported-by: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/5b33e61034748ef1022766efc0fb8854cfcf749c.1632500058.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Acked-by: David Disseldorp <ddiss@suse.de>

---
 fs/io_uring.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 751bb92d08ca..d1e0963ae03c 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -3451,7 +3451,6 @@ static int io_write(struct io_kiocb *req, unsigned int issue_flags)
 		iov_iter_save_state(iter, state);
 	}
 	req->result = iov_iter_count(iter);
-	ret2 = 0;
 
 	/* Ensure we clear previously set non-block flag */
 	if (!force_nonblock)
@@ -3516,8 +3515,6 @@ static int io_write(struct io_kiocb *req, unsigned int issue_flags)
 	} else {
 copy_iov:
 		iov_iter_restore(iter, state);
-		if (ret2 > 0)
-			iov_iter_advance(iter, ret2);
 		ret = io_setup_async_rw(req, iovec, inline_vecs, iter, false);
 		return ret ?: -EAGAIN;
 	}
-- 
2.35.3

kernel / kernel-source

Source Code

Files