releases/4.14.71/switchtec-fix-spectre-v1-vulnerability.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 46feb6b495f7628a6dbf36c4e6d80faf378372d4 Mon Sep 17 00:00:00 2001
 From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
 Date: Thu, 16 Aug 2018 14:06:46 -0500
 Subject: switchtec: Fix Spectre v1 vulnerability

 From: Gustavo A. R. Silva <gustavo@embeddedor.com>

 commit 46feb6b495f7628a6dbf36c4e6d80faf378372d4 upstream.

 p.port can is indirectly controlled by user-space, hence leading to
 a potential exploitation of the Spectre variant 1 vulnerability.

 This issue was detected with the help of Smatch:

   drivers/pci/switch/switchtec.c:912 ioctl_port_to_pff() warn: potential spectre issue 'pcfg->dsp_pff_inst_id' [r]

 Fix this by sanitizing p.port before using it to index
 pcfg->dsp_pff_inst_id

 Notice that given that speculation windows are large, the policy is to kill
 the speculation on the first load and not worry if it can be completed with
 a dependent load/store [1].

 [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

 Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
 Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
 Acked-by: Logan Gunthorpe <logang@deltatee.com>
 Cc: stable@vger.kernel.org
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  drivers/pci/switch/switchtec.c |    4 ++++
  1 file changed, 4 insertions(+)

 --- a/drivers/pci/switch/switchtec.c
 +++ b/drivers/pci/switch/switchtec.c
 @@ -24,6 +24,8 @@
  #include <linux/cdev.h>
  #include <linux/wait.h>

 +#include <linux/nospec.h>
 +
  MODULE_DESCRIPTION("Microsemi Switchtec(tm) PCIe Management Driver");
  MODULE_VERSION("0.1");
  MODULE_LICENSE("GPL");
 @@ -1173,6 +1175,8 @@ static int ioctl_port_to_pff(struct swit
  	default:
  		if (p.port > ARRAY_SIZE(pcfg->dsp_pff_inst_id))
  			return -EINVAL;
 +		p.port = array_index_nospec(p.port,
 +					ARRAY_SIZE(pcfg->dsp_pff_inst_id) + 1);
  		p.pff = ioread32(&pcfg->dsp_pff_inst_id[p.port - 1]);
  		break;
  	}
	From 46feb6b495f7628a6dbf36c4e6d80faf378372d4 Mon Sep 17 00:00:00 2001
	From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
	Date: Thu, 16 Aug 2018 14:06:46 -0500
	Subject: switchtec: Fix Spectre v1 vulnerability

	From: Gustavo A. R. Silva <gustavo@embeddedor.com>

	commit 46feb6b495f7628a6dbf36c4e6d80faf378372d4 upstream.

	p.port can is indirectly controlled by user-space, hence leading to
	a potential exploitation of the Spectre variant 1 vulnerability.

	This issue was detected with the help of Smatch:

	drivers/pci/switch/switchtec.c:912 ioctl_port_to_pff() warn: potential spectre issue 'pcfg->dsp_pff_inst_id' [r]

	Fix this by sanitizing p.port before using it to index
	pcfg->dsp_pff_inst_id

	Notice that given that speculation windows are large, the policy is to kill
	the speculation on the first load and not worry if it can be completed with
	a dependent load/store [1].

	[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

	Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
	Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
	Acked-by: Logan Gunthorpe <logang@deltatee.com>
	Cc: stable@vger.kernel.org
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	drivers/pci/switch/switchtec.c \| 4 ++++
	1 file changed, 4 insertions(+)

	--- a/drivers/pci/switch/switchtec.c
	+++ b/drivers/pci/switch/switchtec.c
	@@ -24,6 +24,8 @@
	#include <linux/cdev.h>
	#include <linux/wait.h>

	+#include <linux/nospec.h>
	+
	MODULE_DESCRIPTION("Microsemi Switchtec(tm) PCIe Management Driver");
	MODULE_VERSION("0.1");
	MODULE_LICENSE("GPL");
	@@ -1173,6 +1175,8 @@ static int ioctl_port_to_pff(struct swit
	default:
	if (p.port > ARRAY_SIZE(pcfg->dsp_pff_inst_id))
	return -EINVAL;
	+ p.port = array_index_nospec(p.port,
	+ ARRAY_SIZE(pcfg->dsp_pff_inst_id) + 1);
	p.pff = ioread32(&pcfg->dsp_pff_inst_id[p.port - 1]);
	break;
	}