Re: [PATCH] gpib: fix spectre v1 vulnerabilities in descriptor handling

[Greg KH]

On Fri, Apr 24, 2026 at 05:50:55PM +0800, Hongling Zeng wrote:
> smatch warnings:
> drivers/gpib/common/gpib_os.c:1318 close_dev_ioctl() warn: possible
> spectre second half.  'desc'
> 
> Fix potential Spectre v1 vulnerabilities in the GPIB driver's
> descriptor handling code. The issues occur when using user-controlled
> handle values as array indices after bounds checking.
> 
> Use array_index_nospec() to prevent speculative execution from
> bypassing the bounds check, which could leak information via
> side-channel attacks.
> 
> Signed-off-by: Hongling Zeng <zenghongling@xxxxxxxxxx>
> ---
>  drivers/gpib/common/gpib_os.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/gpib/common/gpib_os.c b/drivers/gpib/common/gpib_os.c
> index 5909274ddc12..d4a4043b9fa0 100644
> --- a/drivers/gpib/common/gpib_os.c
> +++ b/drivers/gpib/common/gpib_os.c
> @@ -19,6 +19,7 @@
>  #include <linux/string.h>
>  #include <linux/vmalloc.h>
>  #include <linux/fcntl.h>
> +#include <linux/nospec.h>
>  #include <linux/kmod.h>
>  #include <linux/uaccess.h>
>  
> @@ -1313,6 +1314,8 @@ static int close_dev_ioctl(struct file *filep, struct gpib_board *board, unsigne
>  	if (cmd.handle >= GPIB_MAX_NUM_DESCRIPTORS)
>  		return -EINVAL;
>  
> +	cmd.handle = array_index_nospec(cmd.handle, GPIB_MAX_NUM_DESCRIPTORS);
> +
>  	mutex_lock(&file_priv->descriptors_mutex);
>  	desc = file_priv->descriptors[cmd.handle];
>  	if (!desc) {
> -- 
> 2.25.1
> 

Hi,

This is the friendly patch-bot of Greg Kroah-Hartman.  You have sent him
a patch that has triggered this response.  He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created.  Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.

You are receiving this message because of the following common error(s)
as indicated below:

- This looks like a new version of a previously submitted patch, but you
  did not list below the --- line any changes from the previous version.
  Please read the section entitled "The canonical patch format" in the
  kernel file, Documentation/process/submitting-patches.rst for what
  needs to be done here to properly describe this.

If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.

thanks,

greg k-h's patch email bot