| From: Peter Zijlstra <peterz@infradead.org> |
| Date: Fri, 20 Apr 2018 14:29:51 +0200 |
| Subject: sched/core: Fix possible Spectre-v1 indexing for |
| sched_prio_to_weight[] |
| |
| commit 7281c8dec8a87685cb54d503d8cceef5a0fc2fdd upstream. |
| |
| > kernel/sched/core.c:6921 cpu_weight_nice_write_s64() warn: potential spectre issue 'sched_prio_to_weight' |
| |
| Userspace controls @nice, so sanitize the value before using it to |
| index an array. |
| |
| Reported-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> |
| Cc: Linus Torvalds <torvalds@linux-foundation.org> |
| Cc: Mike Galbraith <efault@gmx.de> |
| Cc: Peter Zijlstra <peterz@infradead.org> |
| Cc: Thomas Gleixner <tglx@linutronix.de> |
| Cc: linux-kernel@vger.kernel.org |
| Signed-off-by: Ingo Molnar <mingo@kernel.org> |
| [bwh: Backported to 3.16: Vulnerable array lookup is in set_load_weight()] |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| --- a/kernel/sched/core.c |
| +++ b/kernel/sched/core.c |
| @@ -74,6 +74,7 @@ |
| #include <linux/binfmts.h> |
| #include <linux/context_tracking.h> |
| #include <linux/compiler.h> |
| +#include <linux/nospec.h> |
| |
| #include <asm/switch_to.h> |
| #include <asm/tlb.h> |
| @@ -820,6 +821,8 @@ static void set_load_weight(struct task_ |
| return; |
| } |
| |
| + prio = array_index_nospec(prio, 40); |
| + |
| load->weight = scale_load(prio_to_weight[prio]); |
| load->inv_weight = prio_to_wmult[prio]; |
| } |