io_uring: do not allow multishot read to set addr or len

For addr: this field is not used, since buffer select is forced.
But by forcing it to be zero it leaves open future uses of the field.

len is actually usable, you could imagine that you want to receive
multishot up to a certain length.
However right now this is not how it is implemented, and it seems
safer to force this to be zero.

Fixes: fc68fcda0491 ("io_uring/rw: add support for IORING_OP_READ_MULTISHOT")
Signed-off-by: Dylan Yudaken <dyudaken@gmail.com>
Link: https://lore.kernel.org/r/20231106203909.197089-3-dyudaken@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/io_uring/rw.c b/io_uring/rw.c
index 9e3e56b74e35eaf8cfc19d9e8baabfc467e1c2ca..8321e004ab13631ae70dd5e880beb6264f93c354 100644 (file)
--- a/io_uring/rw.c
+++ b/io_uring/rw.c
@@ -143,6 +143,7 @@ int io_prep_rw_fixed(struct io_kiocb *req, const struct io_uring_sqe *sqe)
  */
 int io_read_mshot_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
 {
+       struct io_rw *rw = io_kiocb_to_cmd(req, struct io_rw);
        int ret;
 
        /* must be used with provided buffers */
@@ -153,6 +154,9 @@ int io_read_mshot_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
        if (unlikely(ret))
                return ret;
 
+       if (rw->addr || rw->len)
+               return -EINVAL;
+
        req->flags |= REQ_F_APOLL_MULTISHOT;
        return 0;
 }