On 2/18/25 22:42, Keith Busch wrote:
From: Keith Busch <kbusch@xxxxxxxxxx>
...
+int io_buffer_register_bvec(struct io_ring_ctx *ctx, struct request *rq,
+ void (*release)(void *), unsigned int index,
+ unsigned int issue_flags)
+{
+ struct io_rsrc_data *data = &ctx->buf_table;
+ struct req_iterator rq_iter;
+ struct io_mapped_ubuf *imu;
+ struct io_rsrc_node *node;
+ struct bio_vec bv, *bvec;
+ int ret = 0;
+ u16 nr_bvecs;
+
+ io_ring_submit_lock(ctx, issue_flags);
+
+ if (io_rsrc_node_lookup(data, index)) {
I don't think the array nospec inside is enough, as you use the old, unsanitised index below to assign the node, and it seems like it can speculate there. Same in io_buffer_unregister_bvec(). ...
+ node->buf = imu;
+ data->nodes[index] = node;
+unlock:
+ io_ring_submit_unlock(ctx, issue_flags);
+ return ret;
+}
+EXPORT_SYMBOL_GPL(io_buffer_register_bvec);
+
+void io_buffer_unregister_bvec(struct io_ring_ctx *ctx, unsigned int index,
+ unsigned int issue_flags)
+{
+ struct io_rsrc_data *data = &ctx->buf_table;
+ struct io_rsrc_node *node;
+
+ io_ring_submit_lock(ctx, issue_flags);
+
+ if (!data->nr)
+ goto unlock;
+
+ node = io_rsrc_node_lookup(data, index);
+ if (!node || !node->buf->release)
+ goto unlock;
+
+ io_put_rsrc_node(ctx, node);
+ data->nodes[index] = NULL;
+unlock:
+ io_ring_submit_unlock(ctx, issue_flags);
+}
+EXPORT_SYMBOL_GPL(io_buffer_unregister_bvec);
-- Pavel Begunkov