Commit cf18e36
io_uring: propagate array_index_nospec opcode into req->opcode

Commit 1e988c3 ("io_uring: prevent opcode speculation") added
array_index_nospec() to io_init_req(), but applied it only to a local
opcode variable. req->opcode is initialized from sqe->opcode before the
bounds check and remains the raw value.

Keep req->opcode as the canonical opcode in io_init_req(): reject
out-of-range values architecturally, then write the array_index_nospec()
result back to req->opcode before any table lookup. This keeps downstream
users of req->opcode from observing the raw user byte on a mispredicted
path.

No functional change: array_index_nospec() is a no-op for opcodes in
[0, IORING_OP_LAST), and out-of-range opcodes are still rejected at the
bounds check above the assignment.

Fixes: 1e988c3 ("io_uring: prevent opcode speculation")
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260517213010.696135-1-michael.bommarito@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>

1 parent 93d93f5 commit cf18e36
1 file changed
Lines changed: 4 additions & 5 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1738 | 1738 | | |
1739 | 1739 | | |
1740 | 1740 | | |
1741 | | - | |
1742 | 1741 | | |
1743 | 1742 | | |
1744 | | - | |
| 1743 | + | |
1745 | 1744 | | |
1746 | 1745 | | |
1747 | 1746 | | |
| |||
1751 | 1750 | | |
1752 | 1751 | | |
1753 | 1752 | | |
1754 | | - | |
| 1753 | + | |
1755 | 1754 | | |
1756 | 1755 | | |
1757 | 1756 | | |
1758 | | - | |
| 1757 | + | |
1759 | 1758 | | |
1760 | | - | |
| 1759 | + | |
1761 | 1760 | | |
1762 | 1761 | | |
1763 | 1762 | | |
| |||
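Added example, a user-space model that is not the kernel source and not part of this commit: it contrasts clamping only a local opcode with writing the clamped value back to the request, as the commit message describes. `req_model`, `OP_LAST`, `clamp_nospec` and the two `init_req_*` functions are hypothetical names, and the mask expression is written in the style of the kernel's generic `array_index_mask_nospec()`.

```c
#include <limits.h>
#include <stdint.h>
#define OP_LAST 64u /* constructed stand-in for IORING_OP_LAST */
struct req_model { uint8_t opcode; }; /* hypothetical model of req->opcode */

/* Branch-free clamp: the mask is all ones when index < size and zero
 * otherwise, so an out-of-range index collapses to 0 without a branch. */
static unsigned clamp_nospec(unsigned long index, unsigned long size)
{
    unsigned long mask = ~(long)(index | (size - 1UL - index)) >> (sizeof(long) * CHAR_BIT - 1);
    return (unsigned)(index & mask);
}

/* Before: only the local is clamped; req->opcode keeps the raw byte. */
static int init_req_before(struct req_model *req, uint8_t sqe_opcode, unsigned *idx)
{
    unsigned opcode = sqe_opcode;
    req->opcode = sqe_opcode;
    if (opcode >= OP_LAST)
        return -1; /* rejected architecturally */
    *idx = clamp_nospec(opcode, OP_LAST);
    return 0;
}

/* After: the clamped value is written back before any table lookup. */
static int init_req_after(struct req_model *req, uint8_t sqe_opcode, unsigned *idx)
{
    req->opcode = sqe_opcode;
    if (req->opcode >= OP_LAST)
        return -1; /* still rejected at the same bounds check */
    req->opcode = (uint8_t)clamp_nospec(req->opcode, OP_LAST);
    *idx = req->opcode;
    return 0;
}

/* Count byte values where the two versions differ architecturally. */
static int architectural_differences(void)
{
    int diffs = 0;
    for (unsigned v = 0; v < 256; v++) {
        struct req_model a = {0}, b = {0};
        unsigned ia = 0, ib = 0;
        int ra = init_req_before(&a, (uint8_t)v, &ia);
        int rb = init_req_after(&b, (uint8_t)v, &ib);
        diffs += (ra != rb || a.opcode != b.opcode || ia != ib);
    }
    return diffs;
}
int main(void) { return architectural_differences(); }
```

The model runs architecturally only, so it confirms the "no functional change" claim across all 256 opcode bytes and shows that the clamp yields 0 for an out-of-range index; it does not reproduce speculative execution.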