From c64c67c0748be5afb769a4eedbeb3ce6de36958f Mon Sep 17 00:00:00 2001
From: Al Viro <viro@zeniv.linux.org.uk>
Date: Mon, 6 Mar 2023 19:58:56 -0500
Subject: [PATCH 1/2] alpha: fix lazy-FPU mis(merged/applied/whatnot)

Looks like a braino that used to be fixed in e.g. #next.alpha
had gotten into alpha.git cherry-picked version of that patch.

Sure, alpha has no preempt, but preempt_enable() in place of
preempt_disable() is actively confusing the readers...

Other than that, the cherry-picked variant matches what I have.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
 arch/alpha/lib/fpreg.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/alpha/lib/fpreg.c b/arch/alpha/lib/fpreg.c
index 612c5eca71bc0..7c08b225261c4 100644
--- a/arch/alpha/lib/fpreg.c
+++ b/arch/alpha/lib/fpreg.c
@@ -23,7 +23,7 @@ alpha_read_fp_reg (unsigned long reg)
 
 	if (unlikely(reg >= 32))
 		return 0;
-	preempt_enable();
+	preempt_disable();
 	if (current_thread_info()->status & TS_SAVED_FP)
 		val = current_thread_info()->fp[reg];
 	else switch (reg) {
@@ -133,7 +133,7 @@ alpha_read_fp_reg_s (unsigned long reg)
 	if (unlikely(reg >= 32))
 		return 0;
 
-	preempt_enable();
+	preempt_disable();
 	if (current_thread_info()->status & TS_SAVED_FP) {
 		LDT(0, current_thread_info()->fp[reg]);
 		STS(0, val);

From 609d54441493c99f21c1823dfd66fa7f4c512ff4 Mon Sep 17 00:00:00 2001
From: Theodore Ts'o <tytso@mit.edu>
Date: Mon, 6 Mar 2023 13:54:50 -0500
Subject: [PATCH 2/2] fs: prevent out-of-bounds array speculation when closing
 a file descriptor

Google-Bug-Id: 114199369
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
 fs/file.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/file.c b/fs/file.c
index c942c89ca4cda..7893ea161d770 100644
--- a/fs/file.c
+++ b/fs/file.c
@@ -642,6 +642,7 @@ static struct file *pick_file(struct files_struct *files, unsigned fd)
 	if (fd >= fdt->max_fds)
 		return NULL;
 
+	fd = array_index_nospec(fd, fdt->max_fds);
 	file = fdt->fd[fd];
 	if (file) {
 		rcu_assign_pointer(fdt->fd[fd], NULL);