From: Vincent Fu Date: Fri, 7 Jun 2024 13:37:49 +0000 (-0400) Subject: engines/io_uring: eliminate FDP memory corruption risk X-Git-Tag: fio-3.38~57 X-Git-Url: https://git.kernel.dk/?a=commitdiff_plain;h=fbf954c96bb4089b3097adde723216a4668f854b;p=fio.git engines/io_uring: eliminate FDP memory corruption risk We only allocate FDP_MAX_RUHS reclaim unit handle status descriptors. It is possible that the device will have more than this many descriptors. Make sure we do not run over the end of the buffer we have allocated when this happens. Signed-off-by: Vincent Fu --- diff --git a/engines/io_uring.c b/engines/io_uring.c index cf8cf289..7e083010 100644 --- a/engines/io_uring.c +++ b/engines/io_uring.c @@ -1545,6 +1545,8 @@ static int fio_ioring_cmd_fetch_ruhs(struct thread_data *td, struct fio_file *f, goto free; fruhs_info->nr_ruhs = le16_to_cpu(ruhs->nruhsd); + if (fruhs_info->nr_ruhs > FDP_MAX_RUHS) + fruhs_info->nr_ruhs = FDP_MAX_RUHS; for (i = 0; i < fruhs_info->nr_ruhs; i++) fruhs_info->plis[i] = le16_to_cpu(ruhs->ruhss[i].pid); free:
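Review bot: The clamp added after `fruhs_info->nr_ruhs = le16_to_cpu(ruhs->nruhsd);` truncates silently, so when the device reports more than FDP_MAX_RUHS descriptors the caller receives a shortened list of placement IDs with no indication that any were dropped. Consider emitting a log message when `le16_to_cpu(ruhs->nruhsd) > FDP_MAX_RUHS` that states the reported count and the limit, so that a later failure to use a handle beyond the limit can be traced back to this point. The bound itself fits the loop that follows, since it limits both the read of `ruhs->ruhss[i].pid` and the write to `fruhs_info->plis[i]`. A short comment confirming that `plis[]` holds at least FDP_MAX_RUHS entries would also help, because the commit message only states the size of the descriptor buffer.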