summaryrefslogtreecommitdiffstats
path: root/fs
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2023-03-11 04:04:10 +0100
committerLinus Torvalds <torvalds@linux-foundation.org>2023-03-11 04:04:10 +0100
commit4831f76247bc939ed1b6d71ddd23337ec8b56b8e (patch)
treefae332017a782d0fa48c64944624a349f493c0f3 /fs
parentMerge tag 'thermal-6.3-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/... (diff)
parentfs: prevent out-of-bounds array speculation when closing a file descriptor (diff)
downloadlinux-4831f76247bc939ed1b6d71ddd23337ec8b56b8e.tar.xz
linux-4831f76247bc939ed1b6d71ddd23337ec8b56b8e.zip
Merge tag 'pull-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Pull misc fixes from Al Viro: "pick_file() speculation fix + fix for alpha mis(merge,cherry-pick) The fs/file.c one is a genuine missing speculation barrier in pick_file() (reachable e.g. via close(2)). The alpha one is strictly speaking not a bug fix, but only because confusion between preempt_enable() and preempt_disable() is harmless on architecture without CONFIG_PREEMPT. Looks like alpha.git picked the wrong version of patch - that braino used to be there in early versions, but it had been fixed quite a while ago..." * tag 'pull-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: fs: prevent out-of-bounds array speculation when closing a file descriptor alpha: fix lazy-FPU mis(merged/applied/whatnot)
Diffstat (limited to 'fs')
-rw-r--r--fs/file.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/fs/file.c b/fs/file.c
index c942c89ca4cd..7893ea161d77 100644
--- a/fs/file.c
+++ b/fs/file.c
@@ -642,6 +642,7 @@ static struct file *pick_file(struct files_struct *files, unsigned fd)
if (fd >= fdt->max_fds)
return NULL;
+ fd = array_index_nospec(fd, fdt->max_fds);
file = fdt->fd[fd];
if (file) {
rcu_assign_pointer(fdt->fd[fd], NULL);