From: Pavel Begunkov asml.silence@gmail.com
[ Upstream commit 953c37e066f05a3dca2d74643574b8dfe8a83983 ]
We use array_index_nospec() for registered buffer indexes, but don't use it while poking into rsrc tags, fix that.
Fixes: 634d00df5e1cf ("io_uring: add full-fledged dynamic buffers support") Signed-off-by: Pavel Begunkov asml.silence@gmail.com Link: https://lore.kernel.org/r/f02fafc5a9c0dd69be2b0618c38831c078232ff0.168139579... Signed-off-by: Jens Axboe axboe@kernel.dk Signed-off-by: Sasha Levin sashal@kernel.org --- io_uring/rsrc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/io_uring/rsrc.c b/io_uring/rsrc.c index 7a43aed8e395c..e6fec9e971eac 100644 --- a/io_uring/rsrc.c +++ b/io_uring/rsrc.c @@ -577,7 +577,7 @@ static int __io_sqe_buffers_update(struct io_ring_ctx *ctx, }
ctx->user_bufs[i] = imu; - *io_get_tag_slot(ctx->buf_data, offset) = tag; + *io_get_tag_slot(ctx->buf_data, i) = tag; }
if (needs_switch)