* [PATCH] io_uring/tctx: prevent loop variable modification
@ 2026-02-09 6:19 Yang Xiuwei
2026-02-09 11:42 ` Jens Axboe
0 siblings, 1 reply; 4+ messages in thread
From: Yang Xiuwei @ 2026-02-09 6:19 UTC (permalink / raw)
To: axboe; +Cc: io-uring, Yang Xiuwei
Modifying the loop variable with array_index_nospec() can skip indices
and cause an infinite loop when end > IO_RINGFD_REG_MAX and all slots
are occupied.
Use a separate 'idx' variable instead.
Signed-off-by: Yang Xiuwei <yangxiuwei@kylinos.cn>
diff --git a/io_uring/tctx.c b/io_uring/tctx.c
index 6d6f44215ec8..fcf79df923a0 100644
--- a/io_uring/tctx.c
+++ b/io_uring/tctx.c
@@ -221,14 +221,15 @@ void io_uring_unreg_ringfd(void)
int io_ring_add_registered_file(struct io_uring_task *tctx, struct file *file,
int start, int end)
{
- int offset;
+ int offset, idx;
+
for (offset = start; offset < end; offset++) {
- offset = array_index_nospec(offset, IO_RINGFD_REG_MAX);
- if (tctx->registered_rings[offset])
+ idx = array_index_nospec(offset, IO_RINGFD_REG_MAX);
+ if (tctx->registered_rings[idx])
continue;
- tctx->registered_rings[offset] = file;
- return offset;
+ tctx->registered_rings[idx] = file;
+ return idx;
}
return -EBUSY;
}
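Review bot: The commit message describes this as a fix for an infinite loop, but the hunk does not change what happens once `offset` reaches IO_RINGFD_REG_MAX: the sanitized index is still whatever array_index_nospec() returns for an out-of-range value, so both before and after the change the loop only does the right thing when the caller keeps `end` within the table. Since the callers already guarantee that, the message should be reworded as the cleanup it is (keeping the logical `offset` separate from the sanitized `idx`), and a one-line comment above the loop stating the `end <= IO_RINGFD_REG_MAX` precondition would make the dependency on the callers explicit.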
--
2.25.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] io_uring/tctx: prevent loop variable modification
2026-02-09 6:19 [PATCH] io_uring/tctx: prevent loop variable modification Yang Xiuwei
@ 2026-02-09 11:42 ` Jens Axboe
2026-02-10 1:31 ` Yang Xiuwei
0 siblings, 1 reply; 4+ messages in thread
From: Jens Axboe @ 2026-02-09 11:42 UTC (permalink / raw)
To: Yang Xiuwei; +Cc: io-uring
On 2/8/26 11:19 PM, Yang Xiuwei wrote:
> Modifying the loop variable with array_index_nospec() can skip indices
> and cause an infinite loop when end > IO_RINGFD_REG_MAX and all slots
> are occupied.
>
> Use a separate 'idx' variable instead.
>
> Signed-off-by: Yang Xiuwei <yangxiuwei@kylinos.cn>
>
> diff --git a/io_uring/tctx.c b/io_uring/tctx.c
> index 6d6f44215ec8..fcf79df923a0 100644
> --- a/io_uring/tctx.c
> +++ b/io_uring/tctx.c
> @@ -221,14 +221,15 @@ void io_uring_unreg_ringfd(void)
> int io_ring_add_registered_file(struct io_uring_task *tctx, struct file *file,
> int start, int end)
> {
> - int offset;
> + int offset, idx;
> +
> for (offset = start; offset < end; offset++) {
> - offset = array_index_nospec(offset, IO_RINGFD_REG_MAX);
> - if (tctx->registered_rings[offset])
> + idx = array_index_nospec(offset, IO_RINGFD_REG_MAX);
> + if (tctx->registered_rings[idx])
> continue;
>
> - tctx->registered_rings[offset] = file;
> - return offset;
> + tctx->registered_rings[idx] = file;
> + return idx;
> }
> return -EBUSY;
> }
I think this is fine as a cleanup as it makes it more clear, but I fail
to see how you can ever have this cause an issue.
--
Jens Axboe
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] io_uring/tctx: prevent loop variable modification
2026-02-09 11:42 ` Jens Axboe
@ 2026-02-10 1:31 ` Yang Xiuwei
2026-02-10 2:02 ` Jens Axboe
0 siblings, 1 reply; 4+ messages in thread
From: Yang Xiuwei @ 2026-02-10 1:31 UTC (permalink / raw)
To: axboe; +Cc: io-uring
On 2/9/26 5:42 AM, Jens Axboe wrote:
> I think this is fine as a cleanup as it makes it more clear, but I fail
> to see how you can ever have this cause an issue.
You're right - this isn't a bug fix. The current callers already validate
bounds, so there's no actual issue.
My intention was code cleanup: avoiding loop variable modification in the
loop body improves clarity by separating the logical index from the
sanitized array index.
Sorry for the misleading commit message. Should I send a v2 framing it
as a cleanup?
^ permalink raw reply [flat|nested] 4+ messages in thread
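The behaviour argued over in this thread, as an added userspace model that is not the kernel code or the patch author's: a small clamp function stands in for array_index_nospec() (assumed here to pass an in-range index through and clamp an out-of-range one to 0), REG_MAX stands in for IO_RINGFD_REG_MAX (the value 16 is a constructed assumption), and the pre-patch and patched loop shapes are run over constructed slot tables. With `end` kept within the table, as the callers do, the two shapes return identical results; only when `end` exceeds the table size and every slot is taken does writing the clamped value back into the loop variable keep the loop cycling, which a step budget makes observable instead of hanging.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel constants (assumed values, not the
 * kernel's): the table size and the -EBUSY return code. */
#define REG_MAX     16
#define EBUSY_RET   (-16)
/* Sentinel for "the loop did not finish within the step budget". */
#define TIMED_OUT   (-1)
#define STEP_BUDGET 1000L

struct outcome {
	int  ret;    /* index claimed, EBUSY_RET, or TIMED_OUT */
	long steps;  /* loop iterations consumed */
};

/* Userspace model of array_index_nospec(): an in-range index passes through,
 * an out-of-range one is clamped to 0. Illustrative only, not the kernel's
 * implementation. */
static int index_nospec(int index, int size)
{
	return (index >= 0 && index < size) ? index : 0;
}

/* Pre-patch shape: the clamped value is written back into the loop variable. */
static struct outcome add_registered_old(bool *slots, int start, int end)
{
	struct outcome o = { EBUSY_RET, 0 };
	int offset;

	for (offset = start; offset < end; offset++) {
		if (++o.steps > STEP_BUDGET) {
			o.ret = TIMED_OUT;
			return o;
		}
		offset = index_nospec(offset, REG_MAX);
		if (slots[offset])
			continue;
		slots[offset] = true;
		o.ret = offset;
		return o;
	}
	return o;
}

/* Patched shape: the loop variable is left alone; 'idx' carries the
 * sanitized table index. */
static struct outcome add_registered_new(bool *slots, int start, int end)
{
	struct outcome o = { EBUSY_RET, 0 };
	int offset, idx;

	for (offset = start; offset < end; offset++) {
		if (++o.steps > STEP_BUDGET) {
			o.ret = TIMED_OUT;
			return o;
		}
		idx = index_nospec(offset, REG_MAX);
		if (slots[idx])
			continue;
		slots[idx] = true;
		o.ret = idx;
		return o;
	}
	return o;
}

/* Builds a constructed table with every slot occupied except free_slot
 * (-1 for none), then runs one loop shape over [start, end). */
static struct outcome run_scenario(bool patched, int free_slot, int start, int end)
{
	bool slots[REG_MAX];
	int i;

	for (i = 0; i < REG_MAX; i++)
		slots[i] = (i != free_slot);
	return patched ? add_registered_new(slots, start, end)
		       : add_registered_old(slots, start, end);
}

int main(void)
{
	struct { const char *name; int free_slot, start, end; } cases[] = {
		{ "in-contract, one free slot", 5,  0, REG_MAX },
		{ "in-contract, table full",   -1,  0, REG_MAX },
		{ "end > REG_MAX, table full", -1,  0, REG_MAX + 4 },
	};
	unsigned i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		struct outcome before = run_scenario(false, cases[i].free_slot, cases[i].start, cases[i].end);
		struct outcome after  = run_scenario(true,  cases[i].free_slot, cases[i].start, cases[i].end);
		printf("%-28s old: ret=%4d steps=%5ld | new: ret=%4d steps=%5ld\n",
		       cases[i].name, before.ret, before.steps, after.ret, after.steps);
	}
	return 0;
}
```

The third case is the one the original commit message had in mind: the old shape never reaches `end` because each out-of-range `offset` is pulled back to 0 and then incremented again, while the patched shape walks `offset` to `end` and returns EBUSY_RET. The first two cases show why the reviewer's objection stands: within the bounds the callers enforce, the two shapes are indistinguishable, so the change is a clarity improvement rather than a fix.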
* Re: [PATCH] io_uring/tctx: prevent loop variable modification
2026-02-10 1:31 ` Yang Xiuwei
@ 2026-02-10 2:02 ` Jens Axboe
0 siblings, 0 replies; 4+ messages in thread
From: Jens Axboe @ 2026-02-10 2:02 UTC (permalink / raw)
To: Yang Xiuwei; +Cc: io-uring
On 2/9/26 6:31 PM, Yang Xiuwei wrote:
> On 2/9/26 5:42 AM, Jens Axboe wrote:
>> I think this is fine as a cleanup as it makes it more clear, but I fail
>> to see how you can ever have this cause an issue.
>
> You're right - this isn't a bug fix. The current callers already validate
> bounds, so there's no actual issue.
>
> My intention was code cleanup: avoiding loop variable modification in the
> loop body improves clarity by separating the logical index from the
> sanitized array index.
>
> Sorry for the misleading commit message. Should I send a v2 framing it
> as a cleanup?
Please do, the existing commit message is actively misleading. If
something is a cleanup or style improvement, it should not be implying
that it's fixing a bug, let alone one that claims it can "cause infinite
loops".
--
Jens Axboe
^ permalink raw reply [flat|nested] 4+ messages in thread