From nobody Fri Jun 19 07:53:05 2026 Received: from mailgw.kylinos.cn (mailgw.kylinos.cn [124.126.103.232]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DCFBB320A00 for ; Fri, 24 Apr 2026 09:51:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=124.126.103.232 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777024269; cv=none; b=qaPrUQFJZDGiK6UGwyuoTgytML62MwmpqVS1EmFUBvrbP8ewqhYKrurP2zCR/m8eenJ+Uz5KWYYewSLNIK9MwytuoyIKj59oP7QfEiQ6zKMLC6qtZX7DpkhuhL8pl+lylMDujpsABW3Ozf+GkFG9kr45wjah+4Dg0VwJlkzTnpw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777024269; c=relaxed/simple; bh=Oep4ON9M801TyCLzh4KQZw6jsL2u8xx8hK/egbjewMQ=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=caZ6GkDzXV3j9pvwnaJMFjCUJEJALW6x+oZqyODwmxmsYSnNKTJRiewfICbuyDvbQmsdWGklVjXtMKjSe96JrfvkDq1bKKSonOSzdY6+W0KRZl9JEcRDFJ2R1I6Z964c69W2pQu2J9iOfmfJAtRYSD+QYTKQq8TnWvJY/jW2/Lo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=kylinos.cn; spf=pass smtp.mailfrom=kylinos.cn; arc=none smtp.client-ip=124.126.103.232 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=kylinos.cn Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=kylinos.cn X-UUID: 195194ec3fc311f1aa26b74ffac11d73-20260424 X-CID-CACHE: Type:Local,Time:202604241700+08,HitQuantity:1 X-CID-P-RULE: Release_Ham X-CID-O-INFO: VERSION:1.3.12,REQID:05055bd1-1038-42a1-a098-87bca8180c4f,IP:0,U RL:0,TC:0,Content:0,EDM:0,RT:0,SF:0,FILE:0,BULK:0,RULE:Release_Ham,ACTION: release,TS:0 X-CID-META: VersionHash:e7bac3a,CLOUDID:558b8d258899b3a7bea5b61780e1928a,BulkI D:nil,BulkQuantity:0,Recheck:0,SF:102|850|898,TC:nil,Content:0|15|50,EDM:- 3,IP:nil,URL:0,File:nil,RT:nil,Bulk:nil,QS:nil,BEC:nil,COL:0,OSI:0,OSA:0,A V:0,LES:1,SPR:NO,DKR:0,DKP:0,BRR:0,BRE:0,ARC:0 X-CID-BVR: 2,SSN|SDN X-CID-BAS: 2,SSN|SDN,0,_ X-CID-FACTOR: TF_CID_SPAM_SNR X-CID-RHF: D41D8CD98F00B204E9800998ECF8427E X-UUID: 195194ec3fc311f1aa26b74ffac11d73-20260424 X-User: zenghongling@kylinos.cn Received: from localhost.localdomain [(10.44.16.150)] by mailgw.kylinos.cn (envelope-from ) (Generic MTA with TLSv1.3 TLS_AES_256_GCM_SHA384 256/256) with ESMTP id 1584108913; Fri, 24 Apr 2026 17:51:00 +0800 From: Hongling Zeng To: dpenkler@gmail.com, gregkh@linuxfoundation.org, jkoolstra@xs4all.nl, lukeyang.dev@gmail.com, viro@zeniv.linux.org.uk, kees@kernel.org, harshit.m.mogalapalli@oracle.com, colin.i.king@gmail.com Cc: linux-kernel@vger.kernel.org, zhongling0719@126.com, Hongling Zeng Subject: [PATCH] gpib: fix spectre v1 vulnerabilities in descriptor handling Date: Fri, 24 Apr 2026 17:50:55 +0800 Message-Id: <20260424095055.19353-1-zenghongling@kylinos.cn> X-Mailer: git-send-email 2.25.1 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" smatch warnings: drivers/gpib/common/gpib_os.c:1318 close_dev_ioctl() warn: possible spectre second half. 'desc' Fix potential Spectre v1 vulnerabilities in the GPIB driver's descriptor handling code. The issues occur when using user-controlled handle values as array indices after bounds checking. Use array_index_nospec() to prevent speculative execution from bypassing the bounds check, which could leak information via side-channel attacks. Signed-off-by: Hongling Zeng --- drivers/gpib/common/gpib_os.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpib/common/gpib_os.c b/drivers/gpib/common/gpib_os.c index 5909274ddc12..d4a4043b9fa0 100644 --- a/drivers/gpib/common/gpib_os.c +++ b/drivers/gpib/common/gpib_os.c @@ -19,6 +19,7 @@ #include #include #include +#include #include #include =20 @@ -1313,6 +1314,8 @@ static int close_dev_ioctl(struct file *filep, struct= gpib_board *board, unsigne if (cmd.handle >=3D GPIB_MAX_NUM_DESCRIPTORS) return -EINVAL; =20 + cmd.handle =3D array_index_nospec(cmd.handle, GPIB_MAX_NUM_DESCRIPTORS); + mutex_lock(&file_priv->descriptors_mutex); desc =3D file_priv->descriptors[cmd.handle]; if (!desc) { --=20 2.25.1