Re: [PATCH] io_uring: propagate array_index_nospec opcode into req->opcode

From: Jens Axboe

Date: Fri May 15 2026 - 12:04:49 EST


On 5/15/26 9:45 AM, Keith Busch wrote:
> On Fri, May 15, 2026 at 10:58:11AM -0400, Michael Bommarito wrote:
>> The compiled change is one instruction (a single mov of the clamped
>> byte to req->opcode); the cmp/sbb/and clamp triplet is unchanged.
>> No functional change: array_index_nospec() is a no-op for opcodes in
>> [0, IORING_OP_LAST), and out-of-range opcodes are still rejected at
>> the bounds check above this assignment.
>
> Since the bounds check above already catches an invalid opcode, why does
> it need to be re-initialized to the clamped value? Surely it's already
> the same value if we've taken this path, no?

It's to avoid speculation values being used. If the ->opcode store is
the last one, then it doesn't exist.

It's pretty narrow and mostly theoretical, but does make sense.

--
Jens Axboe
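
Added example, not part of the thread or the kernel source: a userspace C model of the clamp being discussed, showing what a later read of `req->opcode` sees when the clamped value is or is not stored back. `OP_LAST`, `struct req`, `index_mask`, `clamp_index` and `init_req` are hypothetical names, and the `mispredict` flag is only a stand-in for a mispredicted bounds check, which real code cannot observe architecturally.

```c
#include <limits.h>
#include <stdint.h>

#define OP_LAST 64u /* constructed stand-in for IORING_OP_LAST */

struct req { uint8_t opcode; }; /* hypothetical, reduced to one field */

/* Branch-free mask: all ones if index < size, else 0 (needs size <= LONG_MAX). */
static unsigned long index_mask(unsigned long index, unsigned long size)
{
	unsigned long top = ~(index | (size - 1UL - index));

	return 0UL - (top >> (sizeof(long) * CHAR_BIT - 1));
}

/* Same contract as the clamp in the thread: identity in range, 0 otherwise. */
static unsigned long clamp_index(unsigned long index, unsigned long size)
{
	return index & index_mask(index, size);
}

/*
 * mispredict=1 models the CPU running past the bounds check speculatively;
 * architecturally that path never retires.
 * store_clamped=0: req->opcode keeps the raw value.
 * store_clamped=1: req->opcode receives the clamped value.
 * Returns the value a later read of req->opcode would index with, or -1
 * when the request is rejected.
 */
static int init_req(struct req *r, uint8_t raw, int store_clamped, int mispredict)
{
	unsigned long opcode = raw;

	r->opcode = raw;
	if (opcode >= OP_LAST && !mispredict)
		return -1; /* architectural rejection */
	opcode = clamp_index(opcode, OP_LAST); /* data dependency, not a branch */
	if (store_clamped)
		r->opcode = (uint8_t)opcode;
	return r->opcode;
}
```

With `mispredict` set, the raw-store variant leaves an out-of-range byte in `req->opcode` for any later table lookup, while the clamped-store variant leaves 0; without it, both variants behave identically.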