diff options
| author |   Luck, Tony <tony.luck@intel.com> | 2019-07-30 21:39:57 -0700 |
|---|---|---|
| committer |   Doug Ledford <dledford@redhat.com> | 2019-08-01 11:34:11 -0400 |
| commit | 61f259821dd3306e49b7d42a3f90fb5a4ff3351b (patch) | |
| tree | a67d72f9d2a8e6ddf6486a2b784c62673f551992 | |
| parent | Do not dereference 'siw_crypto_shash' before checking (diff) | |
| download | linux-dev-61f259821dd3306e49b7d42a3f90fb5a4ff3351b.tar.xz linux-dev-61f259821dd3306e49b7d42a3f90fb5a4ff3351b.zip | |
IB/core: Add mitigation for Spectre V1
Some processors may mispredict an array bounds check and
speculatively access memory that they should not. With
a user supplied array index we like to play things safe
by masking the value with the array size before it is
used as an index.
Signed-off-by: Tony Luck <tony.luck@intel.com>
Link: https://lore.kernel.org/r/20190731043957.GA1600@agluck-desk2.amr.corp.intel.com
Signed-off-by: Doug Ledford <dledford@redhat.com>
| -rw-r--r-- | drivers/infiniband/core/user_mad.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c index 9f8a48016b41..ffdeaf6e0b68 100644 --- a/drivers/infiniband/core/user_mad.c +++ b/drivers/infiniband/core/user_mad.c @@ -49,6 +49,7 @@ #include <linux/sched.h> #include <linux/semaphore.h> #include <linux/slab.h> +#include <linux/nospec.h> #include <linux/uaccess.h> @@ -884,11 +885,14 @@ static int ib_umad_unreg_agent(struct ib_umad_file *file, u32 __user *arg) if (get_user(id, arg)) return -EFAULT; + if (id >= IB_UMAD_MAX_AGENTS) + return -EINVAL; mutex_lock(&file->port->file_mutex); mutex_lock(&file->mutex); - if (id >= IB_UMAD_MAX_AGENTS || !__get_agent(file, id)) { + id = array_index_nospec(id, IB_UMAD_MAX_AGENTS); + if (!__get_agent(file, id)) { ret = -EINVAL; goto out; } |