It is very unlikely for the processor to speculate on the func_table index. The index is uchar and func_table is of size 256. So the compiler would need to screw up and generate really bad code. But to stay on the safe side, forbid speculation on this user-passed index.

Signed-off-by: Jiri Slaby <jslaby@xxxxxxx>
Cc: Jiri Kosina <jikos@xxxxxxxxxx>
--- drivers/tty/vt/keyboard.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c index f80199984ee0..0db53b5b3acf 100644 --- a/drivers/tty/vt/keyboard.c +++ b/drivers/tty/vt/keyboard.c @@ -32,6 +32,7 @@ #include <linux/tty.h> #include <linux/tty_flip.h> #include <linux/mm.h> +#include <linux/nospec.h> #include <linux/string.h> #include <linux/init.h> #include <linux/slab.h> @@ -2019,7 +2020,7 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm) goto reterr; } kbs->kb_string[sizeof(kbs->kb_string)-1] = '\0'; - i = kbs->kb_func; + i = array_index_nospec(kbs->kb_func, MAX_NR_FUNC); switch (cmd) { case KDGKBSENT: -- 2.28.0
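
Review bot: In the vt_do_kdgkb_ioctl() hunk, the bound given to array_index_nospec() is MAX_NR_FUNC, while the commit message argues from func_table being of size 256, and nothing in the visible lines ties the two together. Consider clamping against ARRAY_SIZE(func_table) so the bound follows the array if it is ever resized, or say in the message that MAX_NR_FUNC is the array's size. Since the message notes that kb_func is uchar and so cannot be out of range architecturally, a one-line comment at the assignment saying the clamp exists only to block speculation would keep a later cleanup from dropping it as redundant.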