releases/3.16.60/sched-core-fix-possible-spectre-v1-indexing-for.patch - pub/scm/linux/kernel/git/bwh/linux-stable-queue - Git at Google

 From: Peter Zijlstra <peterz@infradead.org>
 Date: Fri, 20 Apr 2018 14:29:51 +0200
 Subject: sched/core: Fix possible Spectre-v1 indexing for
  sched_prio_to_weight[]

 commit 7281c8dec8a87685cb54d503d8cceef5a0fc2fdd upstream.

 > kernel/sched/core.c:6921 cpu_weight_nice_write_s64() warn: potential spectre issue 'sched_prio_to_weight'

 Userspace controls @nice, so sanitize the value before using it to
 index an array.

 Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
 Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
 Cc: Linus Torvalds <torvalds@linux-foundation.org>
 Cc: Mike Galbraith <efault@gmx.de>
 Cc: Peter Zijlstra <peterz@infradead.org>
 Cc: Thomas Gleixner <tglx@linutronix.de>
 Cc: linux-kernel@vger.kernel.org
 Signed-off-by: Ingo Molnar <mingo@kernel.org>
 [bwh: Backported to 3.16: Vulnerable array lookup is in set_load_weight()]
 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 ---
 --- a/kernel/sched/core.c
 +++ b/kernel/sched/core.c
 @@ -74,6 +74,7 @@
  #include <linux/binfmts.h>
  #include <linux/context_tracking.h>
  #include <linux/compiler.h>
 +#include <linux/nospec.h>

  #include <asm/switch_to.h>
  #include <asm/tlb.h>
 @@ -820,6 +821,8 @@ static void set_load_weight(struct task_
  		return;
  	}

 +	prio = array_index_nospec(prio, 40);
 +
  	load->weight = scale_load(prio_to_weight[prio]);
  	load->inv_weight = prio_to_wmult[prio];
  }
	From: Peter Zijlstra <peterz@infradead.org>
	Date: Fri, 20 Apr 2018 14:29:51 +0200
	Subject: sched/core: Fix possible Spectre-v1 indexing for
	sched_prio_to_weight[]

	commit 7281c8dec8a87685cb54d503d8cceef5a0fc2fdd upstream.

	> kernel/sched/core.c:6921 cpu_weight_nice_write_s64() warn: potential spectre issue 'sched_prio_to_weight'

	Userspace controls @nice, so sanitize the value before using it to
	index an array.

	Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
	Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
	Cc: Linus Torvalds <torvalds@linux-foundation.org>
	Cc: Mike Galbraith <efault@gmx.de>
	Cc: Peter Zijlstra <peterz@infradead.org>
	Cc: Thomas Gleixner <tglx@linutronix.de>
	Cc: linux-kernel@vger.kernel.org
	Signed-off-by: Ingo Molnar <mingo@kernel.org>
	[bwh: Backported to 3.16: Vulnerable array lookup is in set_load_weight()]
	Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
	---
	--- a/kernel/sched/core.c
	+++ b/kernel/sched/core.c
	@@ -74,6 +74,7 @@
	#include <linux/binfmts.h>
	#include <linux/context_tracking.h>
	#include <linux/compiler.h>
	+#include <linux/nospec.h>

	#include <asm/switch_to.h>
	#include <asm/tlb.h>
	@@ -820,6 +821,8 @@ static void set_load_weight(struct task_
	return;
	}

	+ prio = array_index_nospec(prio, 40);
	+
	load->weight = scale_load(prio_to_weight[prio]);
	load->inv_weight = prio_to_wmult[prio];
	}