io_uring/rsrc: unify nospec indexing for direct descriptors

For file updates, the node reset isn't capping the value via
array_index_nospec() like the other paths do. Ensure it's all sane and
have the update path do the proper capping as well.

Reviewed-by: Gabriel Krisman Bertazi <krisman@suse.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/io_uring/rsrc.c b/io_uring/rsrc.c
index fd36e0e319a25b27baa2608e8f150565a5adc5a4..c042054c3b5f415f4973859cf277aeb347d784d4 100644 (file)
--- a/io_uring/rsrc.c
+++ b/io_uring/rsrc.c
@@ -238,6 +238,9 @@ static int __io_sqe_files_update(struct io_ring_ctx *ctx,
                        continue;
 
                i = up->offset + done;
+               if (i >= ctx->file_table.data.nr)
+                       break;
+               i = array_index_nospec(i, ctx->file_table.data.nr);
                if (io_reset_rsrc_node(ctx, &ctx->file_table.data, i))
                        io_file_bitmap_clear(&ctx->file_table, i);
 

diff --git a/io_uring/rsrc.h b/io_uring/rsrc.h
index cff0f8834c353de624cbbc53d9f8ac04eed59717..44e3386f7c1ca9f865aded7f2e0172c73a306e1d 100644 (file)
--- a/io_uring/rsrc.h
+++ b/io_uring/rsrc.h
@@ -109,10 +109,15 @@ static inline void io_put_rsrc_node(struct io_ring_ctx *ctx, struct io_rsrc_node
 }
 
 static inline bool io_reset_rsrc_node(struct io_ring_ctx *ctx,
-                                     struct io_rsrc_data *data, int index)
+                                     struct io_rsrc_data *data,
+                                     unsigned int index)
 {
-       struct io_rsrc_node *node = data->nodes[index];
+       struct io_rsrc_node *node;
 
+       if (index >= data->nr)
+               return false;
+       index = array_index_nospec(index, data->nr);
+       node = data->nodes[index];
        if (!node)
                return false;
        io_put_rsrc_node(ctx, node);