| Message ID | 20191031105547.GC26612@mwanda (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | io_uring: signedness bug in io_async_cancel() | expand |
On 10/31/19 4:55 AM, Dan Carpenter wrote: > The problem is that this enum is unsigned, and we do use "ret" for the > enum values, but we also use it for negative error codes. If it's not > signed then it causes a problem in the error handling. I noticed this one the other day, merged in a fix for it then. Not an issue in the current tree, though linux-next may still have the older one.
diff --git a/fs/io_uring.c b/fs/io_uring.c index c4cdfe16cba7..9dcbde233657 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -2144,8 +2144,8 @@ static int io_async_cancel(struct io_kiocb *req, const struct io_uring_sqe *sqe, struct io_kiocb **nxt) { struct io_ring_ctx *ctx = req->ctx; - enum io_wq_cancel ret; void *sqe_addr; + int ret; if (unlikely(ctx->flags & IORING_SETUP_IOPOLL)) return -EINVAL;
The problem is that this enum is unsigned, and we do use "ret" for the enum values, but we also use it for negative error codes. If it's not signed then it causes a problem in the error handling. Fixes: 6ec62e598211 ("io_uring: support for generic async request cancel") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- fs/io_uring.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)