From: Pavel Begunkov <asml.silence@gmail.com> mainline inclusion from mainline-v6.10-rc2 commit 1e988c3fe1264708f4f92109203ac5b1d65de50b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBSVZU CVE: CVE-2025-21863 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- sqe->opcode is used for different tables, make sure we santitise it against speculations. Cc: stable@vger.kernel.org Fixes: d3656344fea03 ("io_uring: add lookup table for various opcode needs") Signed-off-by: Pavel Begunkov <asml.silence@gmail.com> Reviewed-by: Li Zetao <lizetao1@huawei.com> Link: https://lore.kernel.org/r/7eddbf31c8ca0a3947f8ed98271acc2b4349c016.173956840... Signed-off-by: Jens Axboe <axboe@kernel.dk> Conflicts: io_uring/io_uring.c [Context conflict] Signed-off-by: Long Li <leo.lilong@huawei.com> --- io_uring/io_uring.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 17a4e37a177f..883e2b74f82e 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -7196,6 +7196,8 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, if (!io_check_restriction(ctx, req, sqe_flags)) return -EACCES; + req->opcode = array_index_nospec(req->opcode, IORING_OP_LAST); + if ((sqe_flags & IOSQE_BUFFER_SELECT) && !io_op_defs[req->opcode].buffer_select) return -EOPNOTSUPP; -- 2.39.2