Re: [PATCH] io_uring: propagate array_index_nospec opcode into req->opcode

Next message: Heechan Kang: "[PATCH v2] io_uring/waitid: clear waitid info before copying it to userspace"
Previous message: Jens Axboe: "Re: [PATCH v2] io_uring/waitid: clear waitid info before copying it to userspace"
In reply to: Jens Axboe: "Re: [PATCH] io_uring: propagate array_index_nospec opcode into req-&gt;opcode"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jens Axboe

Date: Sat May 16 2026 - 15:06:58 EST

On 5/16/26 1:05 PM, Jens Axboe wrote:
>
> On Fri, 15 May 2026 10:58:11 -0400, Michael Bommarito wrote:
>> Commit 1e988c3fe126 ("io_uring: prevent opcode speculation") added
>> array_index_nospec() to the local opcode in io_init_req(), but the
>> sanitised value is not written back to req->opcode. The
>> unconditional write at the top of io_init_req() stores the raw byte
>> into the persistent field; the success path of the bounds check
>> leaves it unchanged, and downstream consumers read the raw value.
>>
>> [...]
>
> Applied, thanks!
>
> [1/1] io_uring: propagate array_index_nospec opcode into req->opcode
> (no commit info)

Oops, was just applied for review, nothing has been applied. Awaiting
a v2 based on the feedback.

--
Jens Axboe