From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from bombadil.infradead.org ([198.137.202.133]:43554 "EHLO bombadil.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725554AbeLXOk1 (ORCPT ); Mon, 24 Dec 2018 09:40:27 -0500 Date: Mon, 24 Dec 2018 06:40:21 -0800 From: Matthew Wilcox To: Greg Hackmann Cc: Alexander Viro , Omer Tripp , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org Subject: Re: [PATCH v2] fs: fix possible Spectre V1 indexing in __close_fd() Message-ID: <20181224144021.GN10600@bombadil.infradead.org> References: <20181224142642.7385-1-ghackmann@android.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20181224142642.7385-1-ghackmann@android.com> Sender: linux-fsdevel-owner@vger.kernel.org List-ID: On Mon, Dec 24, 2018 at 06:26:42AM -0800, Greg Hackmann wrote: > +++ b/fs/file.c > @@ -18,6 +18,7 @@ > #include > #include > #include > +#include > > unsigned int sysctl_nr_open __read_mostly = 1024*1024; > unsigned int sysctl_nr_open_min = BITS_PER_LONG; > @@ -626,6 +627,7 @@ int __close_fd(struct files_struct *files, unsigned fd) > fdt = files_fdtable(files); > if (fd >= fdt->max_fds) > goto out_unlock; > + fd = array_index_nospec(fd, fdt->max_fds); > file = fdt->fd[fd]; > if (!file) > goto out_unlock; This is insufficient. do_dup2() has a similar problem.
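Review bot: In the __close_fd() hunk, the added `fd = array_index_nospec(fd, fdt->max_fds);` has no comment saying why a clamp follows a bounds check that already rejects `fd >= fdt->max_fds`. A one-line comment would help later readers: the check can be mispredicted, and the clamp is what keeps the `fdt->fd[fd]` load in range under speculation. It would also make it less likely that the line gets removed as redundant. The hunk covers only this one lookup, so the changelog should state which other user-controlled `fd` indexes into `fdt->fd` in fs/file.c were audited. The reply already names do_dup2() as one that was missed.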