[PATCH] gpib: fix spectre v1 vulnerabilities in descriptor handling

Next message: Neil Armstrong: "Re: [PATCH v4 6/8] arm64: dts: amlogic: t7: Add thermal sensor nodes"
Previous message: Mahesh Vaidya: "[PATCH 3/3] PCI: altera: add Agilex 5 support"
In reply to: Greg KH: "Re: [PATCH] gpib: fix spectre v1 vulnerabilities in descriptor handling"
Next in thread: Greg KH: "Re: [PATCH] gpib: fix spectre v1 vulnerabilities in descriptor handling"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Hongling Zeng

Date: Fri Apr 24 2026 - 05:52:33 EST

smatch warnings:
drivers/gpib/common/gpib_os.c:1318 close_dev_ioctl() warn: possible
spectre second half. 'desc'

Fix potential Spectre v1 vulnerabilities in the GPIB driver's
descriptor handling code. The issues occur when using user-controlled
handle values as array indices after bounds checking.

Use array_index_nospec() to prevent speculative execution from
bypassing the bounds check, which could leak information via
side-channel attacks.

Signed-off-by: Hongling Zeng <zenghongling@xxxxxxxxxx>
---
drivers/gpib/common/gpib_os.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/gpib/common/gpib_os.c b/drivers/gpib/common/gpib_os.c
index 5909274ddc12..d4a4043b9fa0 100644
--- a/drivers/gpib/common/gpib_os.c
+++ b/drivers/gpib/common/gpib_os.c
@@ -19,6 +19,7 @@
#include <linux/string.h>
#include <linux/vmalloc.h>
#include <linux/fcntl.h>
+#include <linux/nospec.h>
#include <linux/kmod.h>
#include <linux/uaccess.h>

@@ -1313,6 +1314,8 @@ static int close_dev_ioctl(struct file *filep, struct gpib_board *board, unsigne
if (cmd.handle >= GPIB_MAX_NUM_DESCRIPTORS)
return -EINVAL;

+ cmd.handle = array_index_nospec(cmd.handle, GPIB_MAX_NUM_DESCRIPTORS);
+
mutex_lock(&file_priv->descriptors_mutex);
desc = file_priv->descriptors[cmd.handle];
if (!desc) {
--
2.25.1