io_uring: dont overlap internal and user req flags

CQE flags take one byte that we store in req->flags together with other
REQ_F_* internal flags. CQE flags are copied directly into req and then
verified that requires some handling on failures, e.g. to make sure that
that copy doesn't set some of the internal flags.

Move all internal flags to take bits after the first byte, so we don't
need extra handling and make it safer overall.

Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/b8b5b02d1ab9d786fcc7db4a3fe86db6b70b8987.1619536280.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/fs/io_uring.c b/fs/io_uring.c
index b0706f047c507a18b359a19dc7ae78972604dfb0..2872f1db6458db6a36a8eedfd76bb2689e6f00d4 100644 (file)
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -702,7 +702,8 @@ enum {
        REQ_F_FORCE_ASYNC_BIT   = IOSQE_ASYNC_BIT,
        REQ_F_BUFFER_SELECT_BIT = IOSQE_BUFFER_SELECT_BIT,
 
-       REQ_F_FAIL_LINK_BIT,
+       /* first byte is taken by user flags, shift it to not overlap */
+       REQ_F_FAIL_LINK_BIT     = 8,
        REQ_F_INFLIGHT_BIT,
        REQ_F_CUR_POS_BIT,
        REQ_F_NOWAIT_BIT,
@@ -6503,14 +6504,10 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req,
        req->work.creds = NULL;
 
        /* enforce forwards compatibility on users */
-       if (unlikely(sqe_flags & ~SQE_VALID_FLAGS)) {
-               req->flags = 0;
+       if (unlikely(sqe_flags & ~SQE_VALID_FLAGS))
                return -EINVAL;
-       }
-
        if (unlikely(req->opcode >= IORING_OP_LAST))
                return -EINVAL;
-
        if (unlikely(!io_check_restriction(ctx, req, sqe_flags)))
                return -EACCES;