From: Linus Probert <linus.probert@gmail.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Linus Probert <linus.probert@gmail.com>,
error27@gmail.com, kernel-janitors@vger.kernel.org,
linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] staging: rtl8723bs: fix potential speculative cpu oob read
Date: Wed, 29 Apr 2026 14:45:20 +0200 [thread overview]
Message-ID: <177746672061.1273374.6835519289220492184.b4-reply@b4> (raw)
In-Reply-To: <2026042959-discourse-favorable-edc5@gregkh>
On 2026-04-29 13:31:46+02:00, Greg Kroah-Hartman wrote:
> On Wed, Apr 29, 2026 at 01:10:16PM +0200, Linus Probert wrote:
>
> > Fixes potential speculative cpu oob read in os_intfs.c by guarding the
> > index with array_index_nospec.
> >
> > Fixes smatch warning:
> > warn: potential spectre issue 'rtw_1d_to_queue' [r]
>
> Is this value controlled by a user? Or is it just a normal operation
> that happens that is not controlled? In other words, can a user
> manipulate this directly to be out of range?
>
> thanks,
>
> greg k-h
To my understanding, yes. Which is somewhat limited due to being rather
new to kernel code and not having access to this hardware. The priority
is extracted from ip header which can be user controlled.
However, looking closer at the execution before I see that in both cases
bounding is performed on the value as follows:
dscp = ip_hdr(skb)->tos & 0xfc;
prio = dscp >> 5;
So my change here adds no additional security. The smatch warning is a
false positive. It only warned on one of the cases. Most likely because
the bounding happened in a function call and it only sees the u32.
Some quick LLM research told me this (in my own words but have not
verified extensively):
The case where the bounding is performed in a function call could be
susceptible to *Spectre v4 (Speculative Store Bypass)*.
But the fix I applied here only applies to v1 so no additional security
on that front either.
This is probably best to NAK unless we just want to remove a false
positive smatch warning. But I personally don't agree with that.
Br,
Linus
next prev parent reply other threads:[~2026-04-29 12:45 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-29 11:10 [PATCH] staging: rtl8723bs: fix potential speculative cpu oob read Linus Probert
2026-04-29 11:31 ` Greg Kroah-Hartman
2026-04-29 12:45 ` Linus Probert [this message]
2026-04-29 13:53 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=177746672061.1273374.6835519289220492184.b4-reply@b4 \
--to=linus.probert@gmail.com \
--cc=error27@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-staging@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox