Re: [PATCH] io_uring/cancel: validate opcode for IORING_ASYNC_CANCEL_OP

Next message: Heyne, Maximilian: "[PATCH 6.1.y 3/8] scsi: remove an extra queue reference"
Previous message: Anthony Krowiak: "Re: [PATCH v1 00/23] s390/vfio-ap: Implement live guest migration of guests using AP devices"
In reply to: Jens Axboe: "Re: [PATCH] io_uring/cancel: validate opcode for IORING_ASYNC_CANCEL_OP"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jens Axboe

Date: Wed Apr 01 2026 - 09:45:01 EST

On Wed, 01 Apr 2026 02:51:13 +0330, Amir Mohammad Jahangirzad wrote:
> io_async_cancel_prep() reads the opcode selector from sqe->len and
> stores it in cancel->opcode, which is an 8-bit field. Since sqe->len
> is a 32-bit value, values larger than U8_MAX are implicitly truncated.
>
> This can cause unintended opcode matches when the truncated value
> corresponds to a valid io_uring opcode. For example, submitting a value
> such as 0x10b will be truncated to 0x0b (IORING_OP_TIMEOUT), allowing a
> cancel request to match operations it did not intend to target.
> Validate the opcode value before assigning it to the 8-bit field and
> reject values outside the valid io_uring opcode range.
>
> [...]

Applied, thanks!

[1/1] io_uring/cancel: validate opcode for IORING_ASYNC_CANCEL_OP
commit: ab274887c2443f49d3a547a58a094787cd02d1dc

Best regards,
--
Jens Axboe