On Thu, Feb 20, 2025 at 11:11:59AM +0000, Pavel Begunkov wrote:
> On 2/18/25 22:42, Keith Busch wrote:
> > +static int ublk_unregister_io_buf(struct io_uring_cmd *cmd,
> > +				   struct ublk_queue *ubq, int tag,
> > +				   const struct ublksrv_io_cmd *ub_cmd,
> > +				   unsigned int issue_flags)
> > +{
> > +	struct io_ring_ctx *ctx = cmd_to_io_kiocb(cmd)->ctx;
> > +	struct ublk_device *ub = cmd->file->private_data;
> > +	int index = (int)ub_cmd->addr;
> > +	struct ublk_rq_data *data;
> > +	struct request *req;
> > +
> > +	if (!ub)
> > +		return -EPERM;
> > +
> > +	req = blk_mq_tag_to_rq(ub->tag_set.tags[ubq->q_id], tag);
>
> Shouldn't there be some speculation sanitisation for the tag as well?
> Looks like a user passed value directly indexing an array.

There are no other array speculation defenses here, so looks like a
pre-existing issue. I'll send something to address that separate from
this series.
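Review bot: in addition to the array_index_nospec() clamp Pavel asks for on `tag`, the result of `req = blk_mq_tag_to_rq(ub->tag_set.tags[ubq->q_id], tag);` needs a NULL check before `req` is used, since blk_mq_tag_to_rq() returns NULL for a tag outside the tag set's range; the quoted lines show no such check, and `ubq->q_id` indexes `ub->tag_set.tags` in the same unguarded way. `int index = (int)ub_cmd->addr;` also truncates the user-supplied addr to int before any range check is visible; validate the untruncated value (or confirm the cast round-trips) before `index` is used as an array index further down.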