This patch fixes another scenario that leads to the issue which the "io_uring: Fix undefined-behaviour in io_issue_sqe" commit describes. Add a check that the timeout which user space passes in is legal when calling io_timeout_remove_prep to update the timeout value. Signed-off-by: Ye Bin <yebin10@xxxxxxxxxx> --- fs/io_uring.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/io_uring.c b/fs/io_uring.c index 39fd7372b324..de913334f22e 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -6114,6 +6114,8 @@ static int io_timeout_remove_prep(struct io_kiocb *req, return -EINVAL; if (get_timespec64(&tr->ts, u64_to_user_ptr(sqe->addr2))) return -EFAULT; + if (tr->ts.tv_sec < 0 || tr->ts.tv_nsec < 0) + return -EINVAL; } else if (tr->flags) { /* timeout removal doesn't support flags */ return -EINVAL; -- 2.31.1
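Review bot: The check added after get_timespec64() in io_timeout_remove_prep rejects negative tv_sec and tv_nsec but puts no upper bound on tv_nsec, so a user-supplied value of NSEC_PER_SEC or more is still accepted on the update path. If the stricter range is intended here, timespec64_valid(&tr->ts) covers the negative tv_sec case and the full tv_nsec range in one call. The commit message also refers to the earlier fix only by its title; citing it by commit id and adding a Fixes: tag would make clear which change this completes and help stable backports.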