From: "zhangyi (F)" yi.zhang@huawei.com
maillist inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I8U48M CVE: NA
Reference: https://lore.kernel.org/lkml/1564451504-27906-1-git-send-email-yi.zhang@huaw...
---------------------------
io_[p]getevents syscall should return -EINVAL if timeout is out of range, add this validity check.
Signed-off-by: zhangyi (F) yi.zhang@huawei.com Reviewed-by: Jeff Moyer jmoyer@redhat.com Cc: Jeff Moyer jmoyer@redhat.com Cc: Arnd Bergmann arnd@arndb.de Cc: Deepa Dinamani deepa.kernel@gmail.com Signed-off-by: Baokun Li libaokun1@huawei.com --- fs/aio.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/fs/aio.c b/fs/aio.c index f8589caef9c1..73555729bc36 100644 --- a/fs/aio.c +++ b/fs/aio.c @@ -2170,10 +2170,17 @@ static long do_io_getevents(aio_context_t ctx_id, struct io_event __user *events, struct timespec64 *ts) { - ktime_t until = ts ? timespec64_to_ktime(*ts) : KTIME_MAX; - struct kioctx *ioctx = lookup_ioctx(ctx_id); + ktime_t until = KTIME_MAX; + struct kioctx *ioctx = NULL; long ret = -EINVAL;
+ if (ts) { + if (!timespec64_valid(ts)) + return ret; + until = timespec64_to_ktime(*ts); + } + + ioctx = lookup_ioctx(ctx_id); if (likely(ioctx)) { if (likely(min_nr <= nr && min_nr >= 0)) ret = read_events(ioctx, min_nr, nr, events, until);