Commit 53262c91 authored Apr 20, 2026 by Jens Axboe

io_uring/rsrc: unify nospec indexing for direct descriptors



For file updates, the node reset isn't capping the value via
array_index_nospec() like the other paths do. Ensure it's all sane and
have the update path do the proper capping as well.

Reviewed-by: Gabriel Krisman Bertazi <krisman@suse.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

parent 8e1f412b

io_uring/rsrc.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -238,6 +238,9 @@ static int __io_sqe_files_update(struct io_ring_ctx *ctx,
		continue;

		i = up->offset + done;
		if (i >= ctx->file_table.data.nr)
		break;
		i = array_index_nospec(i, ctx->file_table.data.nr);
		if (io_reset_rsrc_node(ctx, &ctx->file_table.data, i))
		io_file_bitmap_clear(&ctx->file_table, i);

io_uring/rsrc.h

+7 −2

Original line number	Diff line number	Diff line
		@@ -109,10 +109,15 @@ static inline void io_put_rsrc_node(struct io_ring_ctx *ctx, struct io_rsrc_node
		}

		static inline bool io_reset_rsrc_node(struct io_ring_ctx *ctx,
		struct io_rsrc_data *data, int index)
		struct io_rsrc_data *data,
		unsigned int index)
		{
		struct io_rsrc_node *node = data->nodes[index];
		struct io_rsrc_node *node;

		if (index >= data->nr)
		return false;
		index = array_index_nospec(index, data->nr);
		node = data->nodes[index];
		if (!node)
		return false;
		io_put_rsrc_node(ctx, node);