io_uring: cqe init hardening

isilence · axboe · commit 31d3ba924fd8 · 2023-08-24T17:16:19.000-06:00
io_kiocb::cqe stores the completion info which we'll memcpy to userspace, and we rely on callbacks and other later steps to populate it with right values. We have never had problems with that, but it would still be safer to zero it on allocation. Signed-off-by: Pavel Begunkov <asml.silence@gmail.com> Link: https://lore.kernel.org/r/b16a3b64dde678686460d3c3792c3ba6d3d1bc7a.1692916914.git.asml.silence@gmail.com Signed-off-by: Jens Axboe <axboe@kernel.dk>
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
@@ -1056,7 +1056,7 @@ static void io_preinit_req(struct io_kiocb *req, struct io_ring_ctx *ctx)
 	req->link = NULL;
 	req->async_data = NULL;
 	/* not necessary, but safer to zero */
-	req->cqe.res = 0;
+	memset(&req->cqe, 0, sizeof(req->cqe));
 }
 
 static void io_flush_cached_locked_reqs(struct io_ring_ctx *ctx,

Original file line number	Diff line number	Diff line change
`@@ -1056,7 +1056,7 @@ static void io_preinit_req(struct io_kiocb req, struct io_ring_ctx ctx)`
`1056`	`1056`	`req->link = NULL;`
`1057`	`1057`	`req->async_data = NULL;`
`1058`	`1058`	`/* not necessary, but safer to zero */`
`1059`		`- req->cqe.res = 0;`
	`1059`	`+ memset(&req->cqe, 0, sizeof(req->cqe));`
`1060`	`1060`	`}`
`1061`	`1061`
`1062`	`1062`	`static void io_flush_cached_locked_reqs(struct io_ring_ctx *ctx,`