Commit f2ff8b0

protect the fetch of ->fd[fd] in do_dup2() from mispredictions
jira LE-3201
cve CVE-2024-42265
Rebuild_History Non-Buildable kernel-rt-4.18.0-553.22.1.rt7.363.el8_10
Rebuild_CHGLOG: - protect the fetch of ->fd[fd] in do_dup2() from mispredictions (CKI Backport Bot) [RHEL-55123] {CVE-2024-42265}
Rebuild_FUZZ: 95.80%
commit-author Al Viro <viro@zeniv.linux.org.uk>
commit 8aa37bd

both callers have verified that fd is not greater than ->max_fds; however, misprediction might end up with
	tofree = fdt->fd[fd];
being speculatively executed. That's wrong for the same reasons why it's wrong in close_fd()/file_close_fd_locked(); the same solution applies - array_index_nospec(fd, fdt->max_fds) could differ from fd only in case of speculative execution on mispredicted path.

Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit 8aa37bd)
Signed-off-by: Jonathan Maple <jmaple@ciq.com>
1 parent 9b51761 commit f2ff8b0

1 file changed, +1 -0 lines changed

fs/file.c

Lines changed: 1 addition & 0 deletions
@@ -1064,6 +1064,7 @@ __releases(&files->file_lock)
10641064
* tables and this condition does not arise without those.
10651065
*/
10661066
fdt = files_fdtable(files);
1067+
fd = array_index_nospec(fd, fdt->max_fds);
10671068
tofree = fdt->fd[fd];
10681069
if (!tofree && fd_is_open(fd, fdt))
10691070
goto Ebusy;
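Review bot: the added `fd = array_index_nospec(fd, fdt->max_fds);` line carries no comment, and the comment block ending just above it ("tables and this condition does not arise without those.") explains a different condition, so a reader of fs/file.c sees a clamp with no stated reason; add a one-line comment saying the index is sanitized against speculative execution past the callers' bounds check, as was done for close_fd()/file_close_fd_locked() per the commit message. Two points to confirm from context not shown in the hunk: that fs/file.c already includes <linux/nospec.h> (no include is added here; likely already present if the close_fd() fix the message cites lives in the same file), and that reassigning `fd` itself rather than a temporary is intended, since every later use in the function (`fd_is_open(fd, fdt)` and onward) now sees the clamped value. On the architecturally executed path array_index_nospec() returns fd unchanged whenever fd < fdt->max_fds, so behaviour there is unaffected and the clamp only matters on a mispredicted path.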
