From fbf954c96bb4089b3097adde723216a4668f854b Mon Sep 17 00:00:00 2001
From: Vincent Fu
Date: Fri, 7 Jun 2024 09:37:49 -0400
Subject: [PATCH] engines/io_uring: eliminate FDP memory corruption risk
We only allocate FDP_MAX_RUHS reclaim unit handle status descriptors. It is possible that the device will have more than this many descriptors. Make sure we do not run over the end of the buffer we have allocated when this happens.
Signed-off-by: Vincent Fu
---
 engines/io_uring.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/engines/io_uring.c b/engines/io_uring.c
index cf8cf289..7e083010 100644
--- a/engines/io_uring.c
+++ b/engines/io_uring.c
@@ -1545,6 +1545,8 @@ static int fio_ioring_cmd_fetch_ruhs(struct thread_data *td, struct fio_file *f,
 goto free;
 fruhs_info->nr_ruhs = le16_to_cpu(ruhs->nruhsd);
+ if (fruhs_info->nr_ruhs > FDP_MAX_RUHS)
+ fruhs_info->nr_ruhs = FDP_MAX_RUHS;
 for (i = 0; i < fruhs_info->nr_ruhs; i++)
 fruhs_info->plis[i] = le16_to_cpu(ruhs->ruhss[i].pid);
 free:
-- 2.25.1
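Review bot: The new clamp on `fruhs_info->nr_ruhs` truncates silently, so a device that reports more than FDP_MAX_RUHS reclaim unit handles yields a shortened `plis` list with nothing telling the user that some handles were dropped; a `log_info()` call inside the `if` that reports the device count and the limit would make this visible. The same bound guards both the read of `ruhs->ruhss[i]` and the write to `fruhs_info->plis[i]`, but the commit message only describes the `ruhs` allocation; the capacity of `plis` is set by the caller outside this hunk and should be confirmed to hold at least FDP_MAX_RUHS entries. A comment above the check such as `/* nruhsd is device-reported; ruhs holds only FDP_MAX_RUHS descriptors */` would record why the value is not trusted. The body of fio_ioring_cmd_fetch_ruhs starts and ends outside the hunk.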