Commit 4831f762 authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 'pull-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs

Pull misc fixes from Al Viro:
 "pick_file() speculation fix + fix for alpha mis(merge,cherry-pick)

  The fs/file.c one is a genuine missing speculation barrier in
  pick_file() (reachable e.g. via close(2)). The alpha one is strictly
  speaking not a bug fix, but only because confusion between
  preempt_enable() and preempt_disable() is harmless on architecture
  without CONFIG_PREEMPT.

  Looks like alpha.git picked the wrong version of patch - that braino
  used to be there in early versions, but it had been fixed quite a
  while ago..."

* tag 'pull-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  fs: prevent out-of-bounds array speculation when closing a file descriptor
  alpha: fix lazy-FPU mis(merged/applied/whatnot)
parents a0aefd30 609d5444
...@@ -23,7 +23,7 @@ alpha_read_fp_reg (unsigned long reg) ...@@ -23,7 +23,7 @@ alpha_read_fp_reg (unsigned long reg)
if (unlikely(reg >= 32)) if (unlikely(reg >= 32))
return 0; return 0;
preempt_enable(); preempt_disable();
if (current_thread_info()->status & TS_SAVED_FP) if (current_thread_info()->status & TS_SAVED_FP)
val = current_thread_info()->fp[reg]; val = current_thread_info()->fp[reg];
else switch (reg) { else switch (reg) {
...@@ -133,7 +133,7 @@ alpha_read_fp_reg_s (unsigned long reg) ...@@ -133,7 +133,7 @@ alpha_read_fp_reg_s (unsigned long reg)
if (unlikely(reg >= 32)) if (unlikely(reg >= 32))
return 0; return 0;
preempt_enable(); preempt_disable();
if (current_thread_info()->status & TS_SAVED_FP) { if (current_thread_info()->status & TS_SAVED_FP) {
LDT(0, current_thread_info()->fp[reg]); LDT(0, current_thread_info()->fp[reg]);
STS(0, val); STS(0, val);
......
...@@ -642,6 +642,7 @@ static struct file *pick_file(struct files_struct *files, unsigned fd) ...@@ -642,6 +642,7 @@ static struct file *pick_file(struct files_struct *files, unsigned fd)
if (fd >= fdt->max_fds) if (fd >= fdt->max_fds)
return NULL; return NULL;
fd = array_index_nospec(fd, fdt->max_fds);
file = fdt->fd[fd]; file = fdt->fd[fd];
if (file) { if (file) {
rcu_assign_pointer(fdt->fd[fd], NULL); rcu_assign_pointer(fdt->fd[fd], NULL);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment