From: Gabriel Krisman Bertazi <krisman@suse.de>
To: Jens Axboe <axboe@kernel.dk>
Cc: io-uring@vger.kernel.org
Subject: Re: [PATCH 2/6] io_uring/rsrc: unify nospec indexing for direct descriptors
Date: Tue, 21 Apr 2026 13:09:00 -0400 [thread overview]
Message-ID: <877bq0qlzn.fsf@mailhost.krisman.be> (raw)
In-Reply-To: <20260421135626.581917-3-axboe@kernel.dk> (Jens Axboe's message of "Tue, 21 Apr 2026 07:51:39 -0600")
Jens Axboe <axboe@kernel.dk> writes:
> For file updates, the node reset isn't capping the value via
> array_index_nospec() like the other paths do. Ensure it's all sane and
> have the update path do the proper capping as well.
>
> Signed-off-by: Jens Axboe <axboe@kernel.dk>
Reviewed-by: Gabriel Krisman Bertazi <krisman@suse.de>
> ---
> io_uring/rsrc.c | 3 +++
> io_uring/rsrc.h | 9 +++++++--
> 2 files changed, 10 insertions(+), 2 deletions(-)
>
> diff --git a/io_uring/rsrc.c b/io_uring/rsrc.c
> index fd36e0e319a2..c042054c3b5f 100644
> --- a/io_uring/rsrc.c
> +++ b/io_uring/rsrc.c
> @@ -238,6 +238,9 @@ static int __io_sqe_files_update(struct io_ring_ctx *ctx,
> continue;
>
> i = up->offset + done;
> + if (i >= ctx->file_table.data.nr)
> + break;
> + i = array_index_nospec(i, ctx->file_table.data.nr);
> if (io_reset_rsrc_node(ctx, &ctx->file_table.data, i))
> io_file_bitmap_clear(&ctx->file_table, i);
>
> diff --git a/io_uring/rsrc.h b/io_uring/rsrc.h
> index cff0f8834c35..44e3386f7c1c 100644
> --- a/io_uring/rsrc.h
> +++ b/io_uring/rsrc.h
> @@ -109,10 +109,15 @@ static inline void io_put_rsrc_node(struct io_ring_ctx *ctx, struct io_rsrc_node
> }
>
> static inline bool io_reset_rsrc_node(struct io_ring_ctx *ctx,
> - struct io_rsrc_data *data, int index)
> + struct io_rsrc_data *data,
> + unsigned int index)
> {
> - struct io_rsrc_node *node = data->nodes[index];
> + struct io_rsrc_node *node;
>
> + if (index >= data->nr)
> + return false;
> + index = array_index_nospec(index, data->nr);
> + node = data->nodes[index];
> if (!node)
> return false;
> io_put_rsrc_node(ctx, node);
--
Gabriel Krisman Bertazi
next prev parent reply other threads:[~2026-04-21 17:09 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-21 13:51 [PATCHSET 0/6] Various bug fixes Jens Axboe
2026-04-21 13:51 ` [PATCH 1/6] io_uring: fix spurious fput in registered ring path Jens Axboe
2026-04-21 17:05 ` Gabriel Krisman Bertazi
2026-04-21 13:51 ` [PATCH 2/6] io_uring/rsrc: unify nospec indexing for direct descriptors Jens Axboe
2026-04-21 17:09 ` Gabriel Krisman Bertazi [this message]
2026-04-21 13:51 ` [PATCH 3/6] io_uring/rsrc: use kvfree() for the imu cache Jens Axboe
2026-04-21 13:51 ` [PATCH 4/6] io_uring/rw: add defensive hardening for negative kbuf lengths Jens Axboe
2026-04-21 17:10 ` Gabriel Krisman Bertazi
2026-04-21 13:51 ` [PATCH 5/6] io_uring/futex: ensure partial wakes are appropriately dequeued Jens Axboe
2026-04-21 17:11 ` Gabriel Krisman Bertazi
2026-04-21 13:51 ` [PATCH 6/6] io_uring/register: fix ring resizing with mixed/large SQEs/CQEs Jens Axboe
2026-04-21 17:12 ` Gabriel Krisman Bertazi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=877bq0qlzn.fsf@mailhost.krisman.be \
--to=krisman@suse.de \
--cc=axboe@kernel.dk \
--cc=io-uring@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.