patches/old/fs-prevent-out-of-bounds-array-speculation-when-closing-a-file-descriptor.patch - pub/scm/linux/kernel/git/akpm/25-new - Git at Google

 From: "Theodore Ts'o" <tytso@mit.edu>
 Subject: fs: prevent out-of-bounds array speculation when closing a file descriptor
 Date: Mon, 6 Mar 2023 13:54:50 -0500

 Google-Bug-Id: 114199369

 Link: https://lkml.kernel.org/r/20230306185450.1028235-1-tytso@mit.edu
 Signed-off-by: Theodore Ts'o <tytso@mit.edu>
 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
 ---


 --- a/fs/file.c~fs-prevent-out-of-bounds-array-speculation-when-closing-a-file-descriptor
 +++ a/fs/file.c
 @@ -642,6 +642,7 @@ static struct file *pick_file(struct fil
  	if (fd >= fdt->max_fds)
  		return NULL;

 +	fd = array_index_nospec(fd, fdt->max_fds);
  	file = fdt->fd[fd];
  	if (file) {
  		rcu_assign_pointer(fdt->fd[fd], NULL);
 _
	From: "Theodore Ts'o" <tytso@mit.edu>
	Subject: fs: prevent out-of-bounds array speculation when closing a file descriptor
	Date: Mon, 6 Mar 2023 13:54:50 -0500

	Google-Bug-Id: 114199369

	Link: https://lkml.kernel.org/r/20230306185450.1028235-1-tytso@mit.edu
	Signed-off-by: Theodore Ts'o <tytso@mit.edu>
	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
	---


	--- a/fs/file.c~fs-prevent-out-of-bounds-array-speculation-when-closing-a-file-descriptor
	+++ a/fs/file.c
	@@ -642,6 +642,7 @@ static struct file *pick_file(struct fil
	if (fd >= fdt->max_fds)
	return NULL;

	+ fd = array_index_nospec(fd, fdt->max_fds);
	file = fdt->fd[fd];
	if (file) {
	rcu_assign_pointer(fdt->fd[fd], NULL);
	_