Re: [PATCH] gpib: fix spectre v1 vulnerabilities in descriptor handling
From: Greg KH
Date: Fri Apr 24 2026 - 05:38:25 EST
On Fri, Apr 24, 2026 at 05:00:12PM +0800, Hongling Zeng wrote:
> Fix potential Spectre v1 vulnerabilities in the GPIB driver's
> descriptor handling code. The issues occur when using user-controlled
> handle values as array indices after bounds checking.
>
> Use array_index_nospec() to prevent speculative execution from
> bypassing the bounds check, which could leak information via
> side-channel attacks.
>
> Signed-off-by: Hongling Zeng <zenghongling@xxxxxxxxxx>
> ---
> drivers/gpib/common/gpib_os.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/gpib/common/gpib_os.c b/drivers/gpib/common/gpib_os.c
> index 5909274ddc12..ff4019d51b51 100644
> --- a/drivers/gpib/common/gpib_os.c
> +++ b/drivers/gpib/common/gpib_os.c
> @@ -19,6 +19,7 @@
> #include <linux/string.h>
> #include <linux/vmalloc.h>
> #include <linux/fcntl.h>
> +#include <linux/nospec.h>
> #include <linux/kmod.h>
> #include <linux/uaccess.h>
>
> @@ -1312,6 +1313,8 @@ static int close_dev_ioctl(struct file *filep, struct gpib_board *board, unsigne
>
> if (cmd.handle >= GPIB_MAX_NUM_DESCRIPTORS)
> return -EINVAL;
> +
> + cmd.handle = array_index_nospec(cmd.handle, GPIB_MAX_NUM_DESCRIPTORS);
>
> mutex_lock(&file_priv->descriptors_mutex);
> desc = file_priv->descriptors[cmd.handle];
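Review bot: The added `array_index_nospec()` clamp in close_dev_ioctl() covers only the one `file_priv->descriptors[cmd.handle]` lookup shown here, while the changelog speaks of vulnerabilities, plural, in descriptor handling. Either add the same clamp at every other site that indexes descriptors[] with a user-supplied handle after a bounds check, or reword the changelog to name this single site.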
> --
> 2.25.1
>
What tool found this issue?
And why did you not run scripts/checkpatch.pl on the patch to notice the
error you added to the file with this change? :(
thanks,
greg k-h
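The bounds-check-then-clamp pattern from the quoted patch, modelled in userspace C as an added example (not code from the patch or the kernel tree). `index_mask_nospec()` is modelled on the generic branch-free mask behind `array_index_nospec()`; `MAX_DESCRIPTORS`, `slots`, `clamp_index()` and `lookup()` are constructed stand-ins.

```c
#include <limits.h>
#include <stdio.h>

/* Constructed stand-in for GPIB_MAX_NUM_DESCRIPTORS; the real value is not on the page. */
#define MAX_DESCRIPTORS 16UL
#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)

/* Constructed descriptor table: only slot 5 holds a value. */
static const int slots[MAX_DESCRIPTORS] = { [5] = 42 };

/*
 * All ones when index < size, zero otherwise, computed without a branch
 * so there is nothing for the CPU to mispredict. Needs size <= LONG_MAX
 * and an arithmetic right shift of negative values (gcc and clang do this).
 */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
	/* Hide the value from the optimizer so it cannot reintroduce a compare-and-branch. */
	__asm__ volatile("" : "+r"(index));
	return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* In-range indices pass through unchanged; anything else collapses to 0. */
static unsigned long clamp_index(unsigned long index, unsigned long size)
{
	return index & index_mask_nospec(index, size);
}

/* Same shape as the patched ioctl path: architectural check, then the clamp, then the load. */
static long lookup(unsigned long handle)
{
	if (handle >= MAX_DESCRIPTORS)
		return -22; /* -EINVAL */
	handle = clamp_index(handle, MAX_DESCRIPTORS);
	return slots[handle];
}

int main(void)
{
	unsigned long probes[] = { 0, 5, 15, 16, 1UL << 20, ULONG_MAX };
	for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
		printf("handle %lu -> clamped %lu, lookup %ld\n", probes[i],
		       clamp_index(probes[i], MAX_DESCRIPTORS), lookup(probes[i]));
	return 0;
}
```

The clamp never changes the result on the architectural path; it only guarantees that a load issued under a mispredicted bounds check uses index 0 instead of the out-of-range value.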