io_uring/timeout: READ_ONCE sqe->addr

We should use READ_ONCE when reading from a SQE, make sure timeout gets
a stable timespec address.

Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/io_uring/timeout.c b/io_uring/timeout.c
index 84dda24f3eb24917f624ccf8145ee7faa3e5d11a..cb61d4862fc65c00bfe5fcc8577d34971a2b6406 100644 (file)
--- a/io_uring/timeout.c
+++ b/io_uring/timeout.c
@@ -462,7 +462,7 @@ int io_timeout_remove_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
                        tr->ltimeout = true;
                if (tr->flags & ~(IORING_TIMEOUT_UPDATE_MASK|IORING_TIMEOUT_ABS))
                        return -EINVAL;
-               if (get_timespec64(&tr->ts, u64_to_user_ptr(sqe->addr2)))
+               if (get_timespec64(&tr->ts, u64_to_user_ptr(READ_ONCE(sqe->addr2))))
                        return -EFAULT;
                if (tr->ts.tv_sec < 0 || tr->ts.tv_nsec < 0)
                        return -EINVAL;
@@ -557,7 +557,7 @@ static int __io_timeout_prep(struct io_kiocb *req,
        data->req = req;
        data->flags = flags;
 
-       if (get_timespec64(&data->ts, u64_to_user_ptr(sqe->addr)))
+       if (get_timespec64(&data->ts, u64_to_user_ptr(READ_ONCE(sqe->addr))))
                return -EFAULT;
 
        if (data->ts.tv_sec < 0 || data->ts.tv_nsec < 0)