io_uring/sync: validate passed in offset

[ Upstream commit 649dd18f559891bdafc5532d737c7dfb56060a6d ] Check if the passed in offset is negative once cast to sync->off. This ensures that -EINVAL is returned for that case, like it would be for sync_file_range(2). Fixes: c992fe2925d7 ("io_uring: add fsync support") Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Jens Axboe <axboe@kernel.dk> 2026-01-21 11:48:56 -0700
committer: Sasha Levin <sashal@kernel.org> 2026-03-04 07:19:27 -0500
commit: ca762fa01f64687b10050c038b8b9bcc84cfa872 (patch)
tree: bf92a9080b2d2fb524e121d0a7d4e8166a560996 /io_uring
parent: f2cf475d23b8486dfa414f7ac09f918ffd3c32a5 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/io_uring/sync.c b/io_uring/sync.c
index 255f68c37e55..27bd0a26500b 100644
--- a/io_uring/sync.c
+++ b/io_uring/sync.c
@@ -62,6 +62,8 @@ int io_fsync_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
 		return -EINVAL;
 
 	sync->off = READ_ONCE(sqe->off);
+	if (sync->off < 0)
+		return -EINVAL;
 	sync->len = READ_ONCE(sqe->len);
 	req->flags |= REQ_F_FORCE_ASYNC;
 	return 0;
author	Jens Axboe <axboe@kernel.dk>	2026-01-21 11:48:56 -0700
committer	Sasha Levin <sashal@kernel.org>	2026-03-04 07:19:27 -0500
commit	ca762fa01f64687b10050c038b8b9bcc84cfa872 (patch)
tree	bf92a9080b2d2fb524e121d0a7d4e8166a560996 /io_uring
parent	f2cf475d23b8486dfa414f7ac09f918ffd3c32a5 (diff)