From df0c6261345fba39b5d0cc80a82006a57f7a87bc Mon Sep 17 00:00:00 2001
From: Pavel Begunkov <asml.silence@gmail.com>
Date: Fri, 24 Sep 2021 17:14:48 +0100
Subject: [PATCH] io_uring: kill extra checks in io_write()
Git-commit: 9f3a2cb228c28606895d15f13b30d1f7402dc745
Patch-mainline: v5.15-rc3
References: bsc#1198968 CVE-2022-1508
We don't retry short writes and so we would never get to async setup in
io_write() in that case. Thus ret2 > 0 is always false and
iov_iter_advance() is never used. Apparently, the same is found by
Coverity, which complains on the code.
Fixes: cd65869512ab ("io_uring: use iov_iter state save/restore helpers")
Reported-by: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/5b33e61034748ef1022766efc0fb8854cfcf749c.1632500058.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Acked-by: David Disseldorp <ddiss@suse.de>
---
fs/io_uring.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index 751bb92d08ca..d1e0963ae03c 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -3451,7 +3451,6 @@ static int io_write(struct io_kiocb *req, unsigned int issue_flags)
iov_iter_save_state(iter, state);
}
req->result = iov_iter_count(iter);
- ret2 = 0;
/* Ensure we clear previously set non-block flag */
if (!force_nonblock)
@@ -3516,8 +3515,6 @@ static int io_write(struct io_kiocb *req, unsigned int issue_flags)
} else {
copy_iov:
iov_iter_restore(iter, state);
- if (ret2 > 0)
- iov_iter_advance(iter, ret2);
ret = io_setup_async_rw(req, iovec, inline_vecs, iter, false);
return ret ?: -EAGAIN;
}
--
2.35.3