@@ -264,23 +264,29 @@ static inline void io_meta_restore(struct io_async_rw *io, struct kiocb *kiocb)
static int io_prep_rw_pi(struct io_kiocb *req, struct io_rw *rw, int ddir,
u64 attr_ptr, u64 attr_type_mask)
{
- struct io_uring_attr_pi pi_attr;
+ struct io_uring_attr_pi __pi_attr;
+ struct io_uring_attr_pi *pi_attr;
struct io_async_rw *io;
+ void __user *pi_addr;
+ size_t pi_len;
int ret;
- if (copy_from_user(&pi_attr, u64_to_user_ptr(attr_ptr),
+ if (copy_from_user(&__pi_attr, u64_to_user_ptr(attr_ptr),
sizeof(pi_attr)))
return -EFAULT;
+ pi_attr = &__pi_attr;
- if (pi_attr.rsvd)
+ if (pi_attr->rsvd)
return -EINVAL;
io = req->async_data;
- io->meta.flags = pi_attr.flags;
- io->meta.app_tag = pi_attr.app_tag;
- io->meta.seed = pi_attr.seed;
- ret = import_ubuf(ddir, u64_to_user_ptr(pi_attr.addr),
- pi_attr.len, &io->meta.iter);
+ io->meta.flags = READ_ONCE(pi_attr->flags);
+ io->meta.app_tag = READ_ONCE(pi_attr->app_tag);
+ io->meta.seed = READ_ONCE(pi_attr->seed);
+
+ pi_addr = u64_to_user_ptr(READ_ONCE(pi_attr->addr));
+ pi_len = READ_ONCE(pi_attr->len);
+ ret = import_ubuf(ddir, pi_addr, pi_len, &io->meta.iter);
if (unlikely(ret < 0))
return ret;
req->flags |= REQ_F_HAS_METADATA;
In preparation to pre-mapped attributes read struct io_uring_attr_pi with READ_ONCE and use an intermediate pointer. Signed-off-by: Pavel Begunkov <asml.silence@gmail.com> --- io_uring/rw.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-)