Jens Axboe <axboe@xxxxxxxxx> writes:

> @@ -1270,6 +1445,27 @@ static int io_sq_offload_start(struct io_ring_ctx *ctx)
>  	if (!ctx->sqo_files)
>  		goto err;
>  
> +	if (ctx->flags & IORING_SETUP_SQPOLL) {
> +		if (p->flags & IORING_SETUP_SQ_AFF) {
> +			ctx->sqo_thread = kthread_create_on_cpu(io_sq_thread,
> +							ctx, p->sq_thread_cpu,
> +							"io_uring-sq");

sq_thread_cpu looks like another candidate for array_index_nospec.
Following the macros, kthread_create_on_cpu calls cpu_to_node, which
does:

	return per_cpu(x86_cpu_to_node_map, cpu);

#define per_cpu(var, cpu)	(*per_cpu_ptr(&(var), cpu))

#define per_cpu_ptr(ptr, cpu)						\
({									\
	__verify_pcpu_ptr(ptr);						\
	SHIFT_PERCPU_PTR((ptr), per_cpu_offset((cpu)));			\
})

#define per_cpu_offset(x) (__per_cpu_offset[x])
                           ^^^^^^^^^^^^^^^^^^^

It also looks like there's no bounds checking there, so we probably want
to make sure sq_thread_cpu can't overflow the __per_cpu_offset array
(NR_CPUS).

-Jeff
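Review bot: the hunk hands the user-supplied p->sq_thread_cpu straight to kthread_create_on_cpu() with no range check in sight, and the per-CPU lookups behind that call index arrays sized by NR_CPUS, so an out-of-range value reads past them. Suggest rejecting bad values before the call, along the lines of "if (p->sq_thread_cpu >= nr_cpu_ids) return -EINVAL;" (or a cpu_possible() test), and, since the index comes from userspace, clamping it with array_index_nospec(p->sq_thread_cpu, nr_cpu_ids) so the speculative path is closed as well. Minor: the outer test reads ctx->flags while the inner one reads p->flags; if both are meant to be the same value, using one consistently makes that clear.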