io_uring_cmd_sock() does a read of cmd->sqe->cmd_op, which may look like it's the userspace shared SQE, but it's a copy at this point. Use cmd->cmd_op rather than dip into the allocated SQE copy - it's both simpler and faster and leaves less room for confusion. Link: https://lore.kernel.org/r/20250121-uring-sockcmd-fix-v1-1-add742802a29@xxxxxxxxxx Signed-off-by: Jens Axboe <axboe@xxxxxxxxx> --- diff --git a/io_uring/uring_cmd.c b/io_uring/uring_cmd.c index fc94c465a985..3993c9339ac7 100644 --- a/io_uring/uring_cmd.c +++ b/io_uring/uring_cmd.c @@ -350,7 +350,7 @@ int io_uring_cmd_sock(struct io_uring_cmd *cmd, unsigned int issue_flags) if (!prot || !prot->ioctl) return -EOPNOTSUPP; - switch (cmd->sqe->cmd_op) { + switch (cmd->cmd_op) { case SOCKET_URING_OP_SIOCINQ: ret = prot->ioctl(sk, SIOCINQ, &arg); if (ret) -- Jens Axboe
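Review bot: keying the switch on cmd->cmd_op instead of cmd->sqe->cmd_op is the right fix, but the commit message should say where cmd->cmd_op is populated so a reader can confirm it holds the same value that was in the SQE copy; reading the opcode from a field captured once at prep time is also the pattern to prefer here, since the reason it "may look like it's the userspace shared SQE" is exactly the double-read concern a reviewer would otherwise have to rule out. The hunk only shows the `switch (cmd->cmd_op) {` line changing; it would be worth a quick check that no other `cmd->sqe->cmd_op` read remains in io_uring_cmd_sock() (for instance in the SIOCOUTQ case or the default branch) so the function takes the opcode from a single place.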