io_uring/cmd: don't expose entire cmd async data

io_uring needs private bits in cmd's ->async_data, and they should never
be exposed to drivers as it'd certainly be abused. Leave struct
io_uring_cmd_data for the drivers but wrap it into a structure. It's a
prep patch and doesn't do anything useful yet.

Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/20250319061251.21452-3-sidong.yang@furiosa.ai
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 7f26ad334e307fb7c4d99a2979bfb6eb15da3d4a..5eb9be063a7c90d24c341554c7f91c49795032e6 100644 (file)
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -335,7 +335,7 @@ static __cold struct io_ring_ctx *io_ring_ctx_alloc(struct io_uring_params *p)
                            sizeof(struct io_async_rw),
                            offsetof(struct io_async_rw, clear));
        ret |= io_alloc_cache_init(&ctx->cmd_cache, IO_ALLOC_CACHE_MAX,
-                           sizeof(struct io_uring_cmd_data), 0);
+                           sizeof(struct io_async_cmd), 0);
        spin_lock_init(&ctx->msg_lock);
        ret |= io_alloc_cache_init(&ctx->msg_cache, IO_ALLOC_CACHE_MAX,
                            sizeof(struct io_kiocb), 0);

diff --git a/io_uring/opdef.c b/io_uring/opdef.c
index 7fd173197b1e0621b217474df869bb564969c1ec..e4aa61a414fbe95e8469b7ecdcd4dcf38ebe7f0c 100644 (file)
--- a/io_uring/opdef.c
+++ b/io_uring/opdef.c
@@ -416,7 +416,7 @@ const struct io_issue_def io_issue_defs[] = {
                .plug                   = 1,
                .iopoll                 = 1,
                .iopoll_queue           = 1,
-               .async_size             = sizeof(struct io_uring_cmd_data),
+               .async_size             = sizeof(struct io_async_cmd),
                .prep                   = io_uring_cmd_prep,
                .issue                  = io_uring_cmd,
        },

diff --git a/io_uring/uring_cmd.c b/io_uring/uring_cmd.c
index 792bd54851b1a7f60f9886653178013c8df2bd17..7c126ee497ea8f28cc270661c1ff249c66b15051 100644 (file)
--- a/io_uring/uring_cmd.c
+++ b/io_uring/uring_cmd.c
@@ -19,7 +19,8 @@
 static void io_req_uring_cleanup(struct io_kiocb *req, unsigned int issue_flags)
 {
        struct io_uring_cmd *ioucmd = io_kiocb_to_cmd(req, struct io_uring_cmd);
-       struct io_uring_cmd_data *cache = req->async_data;
+       struct io_async_cmd *ac = req->async_data;
+       struct io_uring_cmd_data *cache = &ac->data;
 
        if (cache->op_data) {
                kfree(cache->op_data);
@@ -169,12 +170,15 @@ static int io_uring_cmd_prep_setup(struct io_kiocb *req,
                                   const struct io_uring_sqe *sqe)
 {
        struct io_uring_cmd *ioucmd = io_kiocb_to_cmd(req, struct io_uring_cmd);
-       struct io_uring_cmd_data *cache;
+       struct io_async_cmd *ac;
 
-       cache = io_uring_alloc_async_data(&req->ctx->cmd_cache, req);
-       if (!cache)
+       /* see io_uring_cmd_get_async_data() */
+       BUILD_BUG_ON(offsetof(struct io_async_cmd, data) != 0);
+
+       ac = io_uring_alloc_async_data(&req->ctx->cmd_cache, req);
+       if (!ac)
                return -ENOMEM;
-       cache->op_data = NULL;
+       ac->data.op_data = NULL;
 
        /*
         * Unconditionally cache the SQE for now - this is only needed for
@@ -183,8 +187,8 @@ static int io_uring_cmd_prep_setup(struct io_kiocb *req,
         * that it doesn't read in per-op data, play it safe and ensure that
         * any SQE data is stable beyond prep. This can later get relaxed.
         */
-       memcpy(cache->sqes, sqe, uring_sqe_size(req->ctx));
-       ioucmd->sqe = cache->sqes;
+       memcpy(ac->data.sqes, sqe, uring_sqe_size(req->ctx));
+       ioucmd->sqe = ac->data.sqes;
        return 0;
 }
 

diff --git a/io_uring/uring_cmd.h b/io_uring/uring_cmd.h
index f6837ee0955b9f482d8ea04e73f09ce2adbc60b9..2ec3a8785534631339e2fe1ada966b90eb68a02c 100644 (file)
--- a/io_uring/uring_cmd.h
+++ b/io_uring/uring_cmd.h
@@ -1,5 +1,11 @@
 // SPDX-License-Identifier: GPL-2.0
 
+#include <linux/io_uring/cmd.h>
+
+struct io_async_cmd {
+       struct io_uring_cmd_data        data;
+};
+
 int io_uring_cmd(struct io_kiocb *req, unsigned int issue_flags);
 int io_uring_cmd_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe);