io_uring/fdinfo: validate opcode before checking if it's an 128b one

The mixed SQE support assumes that userspace always passes valid data, that is not the case. Validate the opcode properly before indexing the io_issue_defs[] array, and pass it through the nospec indexing as well as it's a user valid indexing a kernel array. Fixes: 1cba30bf9fdd ("io_uring: add support for IORING_SETUP_SQE_MIXED") Reported-by: syzbot+b883b008a0b1067d5833@syzkaller.appspotmail.com Signed-off-by: Jens Axboe <axboe@kernel.dk>
author: Jens Axboe <axboe@kernel.dk> 2025-10-30 17:02:13 -0600
committer: Jens Axboe <axboe@kernel.dk> 2025-10-30 17:09:00 -0600
commit: 8cd5a59e4d512c6e1df47bf8ce60f7d16e4b3c18 (patch)
tree: 92a1db2d44ec14037c404be91f8d65f23a705b9f /io_uring/fdinfo.c
parent: 101e596e7404d07a85b38358a392009503aad797 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/io_uring/fdinfo.c b/io_uring/fdinfo.c
index 248006424cab..ac6e7edc7027 100644
--- a/io_uring/fdinfo.c
+++ b/io_uring/fdinfo.c
@@ -5,6 +5,7 @@
 #include <linux/file.h>
 #include <linux/proc_fs.h>
 #include <linux/seq_file.h>
+#include <linux/nospec.h>
 #include <linux/io_uring.h>
 
 #include <uapi/linux/io_uring.h>
@@ -107,6 +108,9 @@ static void __io_uring_show_fdinfo(struct io_ring_ctx *ctx, struct seq_file *m)
 
 		sqe = &ctx->sq_sqes[sq_idx << sq_shift];
 		opcode = READ_ONCE(sqe->opcode);
+		if (opcode >= IORING_OP_LAST)
+			continue;
+		opcode = array_index_nospec(opcode, IORING_OP_LAST);
 		if (sq_shift) {
 			sqe128 = true;
 		} else if (io_issue_defs[opcode].is_128) {
author	Jens Axboe <axboe@kernel.dk>	2025-10-30 17:02:13 -0600
committer	Jens Axboe <axboe@kernel.dk>	2025-10-30 17:09:00 -0600
commit	8cd5a59e4d512c6e1df47bf8ce60f7d16e4b3c18 (patch)
tree	92a1db2d44ec14037c404be91f8d65f23a705b9f /io_uring/fdinfo.c
parent	101e596e7404d07a85b38358a392009503aad797 (diff)