From nobody Fri Jun 19 08:04:55 2026 Received: from mailgw.kylinos.cn (mailgw.kylinos.cn [124.126.103.232]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8AAFB23C8C7 for ; Fri, 24 Apr 2026 09:00:29 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=124.126.103.232 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777021232; cv=none; b=k4mikFbBuVR/S+Af/HDgUd8o63Cf3XDIZ0w2jXOJt4YX1dcz4ivfgsaXB/mxAj8Nire0Sxwlyg4+YmMkZpqwSVV4yHJ/mAppfQGr15MkWoq6Pqv5o0JN5/s/lm1wm8sBoT6Xc6EPAHt6LZLweRew6iWt5TOr3L5LRdE9sqL+9SE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777021232; c=relaxed/simple; bh=6qPfHDSbmXiHwNEKtlWsKSKIYwbIaeUCrkZShPpor+0=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=XOSw3o9aczJaVYni2yW6Xet9tSYHF+IXiDxiD+hHehbNMqO0x/Xylj8rF08UEZdAtFFycNPUjKtRcsi3A0tK9dP8F2kJqCdI1gWladOyr2yX8fKNADg4q0VVMcrZNIHiSb9Mf9ImKQclHu7/Wjc/nkPK1aVgds6q5Su5SKR8itA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=kylinos.cn; spf=pass smtp.mailfrom=kylinos.cn; arc=none smtp.client-ip=124.126.103.232 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=kylinos.cn Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=kylinos.cn X-UUID: 03c304283fbc11f1aa26b74ffac11d73-20260424 X-CID-P-RULE: Release_Ham X-CID-O-INFO: VERSION:1.3.12,REQID:88a98a2a-e509-41c9-affb-dda81221416d,IP:0,U RL:0,TC:0,Content:0,EDM:0,RT:0,SF:0,FILE:0,BULK:0,RULE:Release_Ham,ACTION: release,TS:0 X-CID-META: VersionHash:e7bac3a,CLOUDID:558b8d258899b3a7bea5b61780e1928a,BulkI D:nil,BulkQuantity:0,Recheck:0,SF:102|850|898,TC:nil,Content:0|15|50,EDM:- 3,IP:nil,URL:0,File:nil,RT:nil,Bulk:nil,QS:nil,BEC:nil,COL:0,OSI:0,OSA:0,A V:0,LES:1,SPR:NO,DKR:0,DKP:0,BRR:0,BRE:0,ARC:0 X-CID-BVR: 2,SSN|SDN X-CID-BAS: 2,SSN|SDN,0,_ X-CID-FACTOR: TF_CID_SPAM_SNR X-CID-RHF: D41D8CD98F00B204E9800998ECF8427E X-UUID: 03c304283fbc11f1aa26b74ffac11d73-20260424 X-User: zenghongling@kylinos.cn Received: from localhost.localdomain [(10.44.16.150)] by mailgw.kylinos.cn (envelope-from ) (Generic MTA with TLSv1.3 TLS_AES_256_GCM_SHA384 256/256) with ESMTP id 664627954; Fri, 24 Apr 2026 17:00:17 +0800 From: Hongling Zeng To: dpenkler@gmail.com, gregkh@linuxfoundation.org, jkoolstra@xs4all.nl, lukeyang.dev@gmail.com, viro@zeniv.linux.org.uk, kees@kernel.org, harshit.m.mogalapalli@oracle.com, colin.i.king@gmail.com Cc: linux-kernel@vger.kernel.org, zhongling0719@126.com, Hongling Zeng Subject: [PATCH] gpib: fix spectre v1 vulnerabilities in descriptor handling Date: Fri, 24 Apr 2026 17:00:12 +0800 Message-Id: <20260424090012.13055-1-zenghongling@kylinos.cn> X-Mailer: git-send-email 2.25.1 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Fix potential Spectre v1 vulnerabilities in the GPIB driver's descriptor handling code. The issues occur when using user-controlled handle values as array indices after bounds checking. Use array_index_nospec() to prevent speculative execution from bypassing the bounds check, which could leak information via side-channel attacks. Signed-off-by: Hongling Zeng --- drivers/gpib/common/gpib_os.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpib/common/gpib_os.c b/drivers/gpib/common/gpib_os.c index 5909274ddc12..ff4019d51b51 100644 --- a/drivers/gpib/common/gpib_os.c +++ b/drivers/gpib/common/gpib_os.c @@ -19,6 +19,7 @@ #include #include #include +#include #include #include =20 @@ -1312,6 +1313,8 @@ static int close_dev_ioctl(struct file *filep, struct= gpib_board *board, unsigne =20 if (cmd.handle >=3D GPIB_MAX_NUM_DESCRIPTORS) return -EINVAL; +=09 + cmd.handle =3D array_index_nospec(cmd.handle, GPIB_MAX_NUM_DESCRIPTORS); =20 mutex_lock(&file_priv->descriptors_mutex); desc =3D file_priv->descriptors[cmd.handle]; --=20 2.25.1