engines/io_uring: eliminate FDP memory corruption risk

We only allocate FDP_MAX_RUHS reclaim unit handle status descriptors. It
is possible that the device will have more than this many descriptors.
Make sure we do not run over the end of the buffer we have allocated
when this happens.

Signed-off-by: Vincent Fu <vincent.fu@samsung.com>

diff --git a/engines/io_uring.c b/engines/io_uring.c
index cf8cf289e355082c6c75705df029525633ede391..7e0830102c625c868b8355c8a845662f281dad5a 100644 (file)
--- a/engines/io_uring.c
+++ b/engines/io_uring.c
@@ -1545,6 +1545,8 @@ static int fio_ioring_cmd_fetch_ruhs(struct thread_data *td, struct fio_file *f,
                goto free;
 
        fruhs_info->nr_ruhs = le16_to_cpu(ruhs->nruhsd);
+       if (fruhs_info->nr_ruhs > FDP_MAX_RUHS)
+               fruhs_info->nr_ruhs = FDP_MAX_RUHS;
        for (i = 0; i < fruhs_info->nr_ruhs; i++)
                fruhs_info->plis[i] = le16_to_cpu(ruhs->ruhss[i].pid);
 free: