On 1/28/19 2:13 PM, Jeff Moyer wrote:
> Jens Axboe <axboe@xxxxxxxxx> writes:
>
>> @@ -1270,6 +1445,27 @@ static int io_sq_offload_start(struct io_ring_ctx *ctx)
>>  	if (!ctx->sqo_files)
>>  		goto err;
>>
>> +	if (ctx->flags & IORING_SETUP_SQPOLL) {
>> +		if (p->flags & IORING_SETUP_SQ_AFF) {
>> +			ctx->sqo_thread = kthread_create_on_cpu(io_sq_thread,
>> +							ctx, p->sq_thread_cpu,
>> +							"io_uring-sq");
>
> sq_thread_cpu looks like another candidate for array_index_nospec.
> Following the macros, kthread_create_on_cpu calls cpu_to_node, which
> does:
>
>   return per_cpu(x86_cpu_to_node_map, cpu);
>
> #define per_cpu(var, cpu)	(*per_cpu_ptr(&(var), cpu))
> #define per_cpu_ptr(ptr, cpu)						\
> ({									\
> 	__verify_pcpu_ptr(ptr);						\
> 	SHIFT_PERCPU_PTR((ptr), per_cpu_offset((cpu)));			\
> })
> #define per_cpu_offset(x) (__per_cpu_offset[x])
>                            ^^^^^^^^^^^^^^^^^^^
>
> It also looks like there's no bounds checking there, so we probably want
> to make sure sq_thread_cpu can't overflow the __per_cpu_offset array
> (NR_CPUS).

Added, can't hurt in any case.

-- 
Jens Axboe
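Review bot: in the quoted hunk, `p->sq_thread_cpu` comes straight from the user-supplied io_uring_params and is handed to kthread_create_on_cpu() with no range check, and as the reply shows, per_cpu_offset() indexes __per_cpu_offset[] unchecked, so an out-of-range value becomes an out-of-bounds read before the thread is even created. Validate it before the call, on the same error path the hunk already uses (`if (p->sq_thread_cpu >= nr_cpu_ids) goto err;`), and pass the checked value through array_index_nospec() so the index cannot be speculated past the bound; rejecting the value with an error to the caller is preferable to silently clamping it, since SQ_AFF is an explicit request for a specific CPU.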