[PATCH] gpib: fix spectre v1 vulnerabilities in descriptor handling

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] gpib: fix spectre v1 vulnerabilities in descriptor handling
@ 2026-04-24  9:00 Hongling Zeng
  2026-04-24  9:35 ` Greg KH
  0 siblings, 1 reply; 4+ messages in thread
From: Hongling Zeng @ 2026-04-24  9:00 UTC (permalink / raw)
  To: dpenkler, gregkh, jkoolstra, lukeyang.dev, viro, kees,
	harshit.m.mogalapalli, colin.i.king
  Cc: linux-kernel, zhongling0719, Hongling Zeng

Fix potential Spectre v1 vulnerabilities in the GPIB driver's
descriptor handling code. The issues occur when using user-controlled
handle values as array indices after bounds checking.

Use array_index_nospec() to prevent speculative execution from
bypassing the bounds check, which could leak information via
side-channel attacks.

Signed-off-by: Hongling Zeng <zenghongling@kylinos.cn>
---
 drivers/gpib/common/gpib_os.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/gpib/common/gpib_os.c b/drivers/gpib/common/gpib_os.c
index 5909274ddc12..ff4019d51b51 100644
--- a/drivers/gpib/common/gpib_os.c
+++ b/drivers/gpib/common/gpib_os.c
@@ -19,6 +19,7 @@
 #include <linux/string.h>
 #include <linux/vmalloc.h>
 #include <linux/fcntl.h>
+#include <linux/nospec.h>
 #include <linux/kmod.h>
 #include <linux/uaccess.h>
 
@@ -1312,6 +1313,8 @@ static int close_dev_ioctl(struct file *filep, struct gpib_board *board, unsigne
 
 	if (cmd.handle >= GPIB_MAX_NUM_DESCRIPTORS)
 		return -EINVAL;
+	
+	cmd.handle = array_index_nospec(cmd.handle, GPIB_MAX_NUM_DESCRIPTORS);
 
 	mutex_lock(&file_priv->descriptors_mutex);
 	desc = file_priv->descriptors[cmd.handle];
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] gpib: fix spectre v1 vulnerabilities in descriptor handling
  2026-04-24  9:00 [PATCH] gpib: fix spectre v1 vulnerabilities in descriptor handling Hongling Zeng
@ 2026-04-24  9:35 ` Greg KH
  0 siblings, 0 replies; 4+ messages in thread
From: Greg KH @ 2026-04-24  9:35 UTC (permalink / raw)
  To: Hongling Zeng
  Cc: dpenkler, jkoolstra, lukeyang.dev, viro, kees,
	harshit.m.mogalapalli, colin.i.king, linux-kernel, zhongling0719

On Fri, Apr 24, 2026 at 05:00:12PM +0800, Hongling Zeng wrote:
> Fix potential Spectre v1 vulnerabilities in the GPIB driver's
> descriptor handling code. The issues occur when using user-controlled
> handle values as array indices after bounds checking.
> 
> Use array_index_nospec() to prevent speculative execution from
> bypassing the bounds check, which could leak information via
> side-channel attacks.
> 
> Signed-off-by: Hongling Zeng <zenghongling@kylinos.cn>
> ---
>  drivers/gpib/common/gpib_os.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/gpib/common/gpib_os.c b/drivers/gpib/common/gpib_os.c
> index 5909274ddc12..ff4019d51b51 100644
> --- a/drivers/gpib/common/gpib_os.c
> +++ b/drivers/gpib/common/gpib_os.c
> @@ -19,6 +19,7 @@
>  #include <linux/string.h>
>  #include <linux/vmalloc.h>
>  #include <linux/fcntl.h>
> +#include <linux/nospec.h>
>  #include <linux/kmod.h>
>  #include <linux/uaccess.h>
>  
> @@ -1312,6 +1313,8 @@ static int close_dev_ioctl(struct file *filep, struct gpib_board *board, unsigne
>  
>  	if (cmd.handle >= GPIB_MAX_NUM_DESCRIPTORS)
>  		return -EINVAL;
> +	
> +	cmd.handle = array_index_nospec(cmd.handle, GPIB_MAX_NUM_DESCRIPTORS);
>  
>  	mutex_lock(&file_priv->descriptors_mutex);
>  	desc = file_priv->descriptors[cmd.handle];
> -- 
> 2.25.1
> 

What tool found this issue?

And why did you not run scripts/checkpatch.pl on the patch to notice the
error you added to the file with this change?  :(

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [PATCH] gpib: fix spectre v1 vulnerabilities in descriptor handling
@ 2026-04-24  9:50 Hongling Zeng
  2026-04-24 10:01 ` Greg KH
  0 siblings, 1 reply; 4+ messages in thread
From: Hongling Zeng @ 2026-04-24  9:50 UTC (permalink / raw)
  To: dpenkler, gregkh, jkoolstra, lukeyang.dev, viro, kees,
	harshit.m.mogalapalli, colin.i.king
  Cc: linux-kernel, zhongling0719, Hongling Zeng

smatch warnings:
drivers/gpib/common/gpib_os.c:1318 close_dev_ioctl() warn: possible
spectre second half.  'desc'

Fix potential Spectre v1 vulnerabilities in the GPIB driver's
descriptor handling code. The issues occur when using user-controlled
handle values as array indices after bounds checking.

Use array_index_nospec() to prevent speculative execution from
bypassing the bounds check, which could leak information via
side-channel attacks.

Signed-off-by: Hongling Zeng <zenghongling@kylinos.cn>
---
 drivers/gpib/common/gpib_os.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/gpib/common/gpib_os.c b/drivers/gpib/common/gpib_os.c
index 5909274ddc12..d4a4043b9fa0 100644
--- a/drivers/gpib/common/gpib_os.c
+++ b/drivers/gpib/common/gpib_os.c
@@ -19,6 +19,7 @@
 #include <linux/string.h>
 #include <linux/vmalloc.h>
 #include <linux/fcntl.h>
+#include <linux/nospec.h>
 #include <linux/kmod.h>
 #include <linux/uaccess.h>
 
@@ -1313,6 +1314,8 @@ static int close_dev_ioctl(struct file *filep, struct gpib_board *board, unsigne
 	if (cmd.handle >= GPIB_MAX_NUM_DESCRIPTORS)
 		return -EINVAL;
 
+	cmd.handle = array_index_nospec(cmd.handle, GPIB_MAX_NUM_DESCRIPTORS);
+
 	mutex_lock(&file_priv->descriptors_mutex);
 	desc = file_priv->descriptors[cmd.handle];
 	if (!desc) {
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] gpib: fix spectre v1 vulnerabilities in descriptor handling
  2026-04-24  9:50 Hongling Zeng
@ 2026-04-24 10:01 ` Greg KH
  0 siblings, 0 replies; 4+ messages in thread
From: Greg KH @ 2026-04-24 10:01 UTC (permalink / raw)
  To: Hongling Zeng
  Cc: dpenkler, jkoolstra, lukeyang.dev, viro, kees,
	harshit.m.mogalapalli, colin.i.king, linux-kernel, zhongling0719

On Fri, Apr 24, 2026 at 05:50:55PM +0800, Hongling Zeng wrote:
> smatch warnings:
> drivers/gpib/common/gpib_os.c:1318 close_dev_ioctl() warn: possible
> spectre second half.  'desc'
> 
> Fix potential Spectre v1 vulnerabilities in the GPIB driver's
> descriptor handling code. The issues occur when using user-controlled
> handle values as array indices after bounds checking.
> 
> Use array_index_nospec() to prevent speculative execution from
> bypassing the bounds check, which could leak information via
> side-channel attacks.
> 
> Signed-off-by: Hongling Zeng <zenghongling@kylinos.cn>
> ---
>  drivers/gpib/common/gpib_os.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/gpib/common/gpib_os.c b/drivers/gpib/common/gpib_os.c
> index 5909274ddc12..d4a4043b9fa0 100644
> --- a/drivers/gpib/common/gpib_os.c
> +++ b/drivers/gpib/common/gpib_os.c
> @@ -19,6 +19,7 @@
>  #include <linux/string.h>
>  #include <linux/vmalloc.h>
>  #include <linux/fcntl.h>
> +#include <linux/nospec.h>
>  #include <linux/kmod.h>
>  #include <linux/uaccess.h>
>  
> @@ -1313,6 +1314,8 @@ static int close_dev_ioctl(struct file *filep, struct gpib_board *board, unsigne
>  	if (cmd.handle >= GPIB_MAX_NUM_DESCRIPTORS)
>  		return -EINVAL;
>  
> +	cmd.handle = array_index_nospec(cmd.handle, GPIB_MAX_NUM_DESCRIPTORS);
> +
>  	mutex_lock(&file_priv->descriptors_mutex);
>  	desc = file_priv->descriptors[cmd.handle];
>  	if (!desc) {
> -- 
> 2.25.1
> 

Hi,

This is the friendly patch-bot of Greg Kroah-Hartman.  You have sent him
a patch that has triggered this response.  He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created.  Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.

You are receiving this message because of the following common error(s)
as indicated below:

- This looks like a new version of a previously submitted patch, but you
  did not list below the --- line any changes from the previous version.
  Please read the section entitled "The canonical patch format" in the
  kernel file, Documentation/process/submitting-patches.rst for what
  needs to be done here to properly describe this.

If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.

thanks,

greg k-h's patch email bot

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2026-04-24 10:01 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-24  9:00 [PATCH] gpib: fix spectre v1 vulnerabilities in descriptor handling Hongling Zeng
2026-04-24  9:35 ` Greg KH
  -- strict thread matches above, loose matches on Subject: below --
2026-04-24  9:50 Hongling Zeng
2026-04-24 10:01 ` Greg KH

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox