Received: by 10.223.185.116 with SMTP id b49csp2025043wrg;
        Thu, 15 Feb 2018 05:29:16 -0800 (PST)
X-Google-Smtp-Source: AH8x225BTPg8Eu8ywMhEiKHx8kXqPsRXf/2khAjhypw05JUvhmHUij/BkuczQu6TxCzUndraikSF
X-Received: by 10.99.110.131 with SMTP id j125mr2248872pgc.382.1518701355990;
        Thu, 15 Feb 2018 05:29:15 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1518701355; cv=none;
        d=google.com; s=arc-20160816;
        b=eB5cVy/QwMWzMlFGyrv10Z9Y8Lg0b0M7Y9R3Sh9uycZE7WcwopH+qK6L51tOHvz3hd
         jSr+O8eWDjdbsJmqNgpgSLKnVShO84HtjfyyFSu2hr4h5AfA0kVbogWiHtBm00hdRbOZ
         idow5NRqjvVFTH925+4VUI2taAoC+Qdu0mU8hH+kLcG2EJy25gJm4OjEmTABh1dcs0+P
         Hb4QLJFjYtN3NLqKhozcqS9SX7957yW/HiYEOMsxzdgpXBF6tyaiLByljw450pO/96MD
         19Ol4fAWwVsn3J0o1aUbZHnGFD4eOjXwXkiApahTovu5dVDlHkPYXAzI4nCT2Bagys4H
         pS1g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:message-id
         :subject:cc:to:from:date:arc-authentication-results;
        bh=OPENJUlt8qtr74NWYjlIt12nuVQx0Xd/CzEjimXemuI=;
        b=ebb6SolE3tEB+LQteb1tsTOf60wu7YA4FP1Afpbc3rTDN7nU23ugivHDUaSTYHwy67
         0CiH/igmqjQKTxxiqMMjo+v88IpeOGbttjn1DLMc8m0diaXYACVk/JAcLyAmSpj4/BF9
         FwUFSG+CF+rKTDG1/VZSwQybzn37HzJUhWl1MfYV+Fgpm5biQf53t98Jw0YxgD6bkjCU
         48X/MeIgweN6jmwGUPOtKKEWTNF+PGpfxZvbW8NYXqokxk9yOTR5UN7RSsg2pE35n3up
         GE6cPJtg5GdReauKtJ2yyRNaCtBcCQO0JjnCtBbe9p+4TIt6hVFLB3KqLBA3R6eEgTd4
         b6jQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id f74si4914883pfa.365.2018.02.15.05.29.01;
        Thu, 15 Feb 2018 05:29:15 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1032283AbeBON1a (ORCPT <rfc822;kkdevenda@gmail.com> + 99 others);
        Thu, 15 Feb 2018 08:27:30 -0500
Received: from Galois.linutronix.de ([146.0.238.70]:54230 "EHLO
        Galois.linutronix.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1030561AbeBON13 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 15 Feb 2018 08:27:29 -0500
Received: from p4fea5f09.dip0.t-ipconnect.de ([79.234.95.9] helo=nanos.glx-home)
        by Galois.linutronix.de with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256)
        (Exim 4.80)
        (envelope-from <tglx@linutronix.de>)
        id 1emJWC-0005qu-9s; Thu, 15 Feb 2018 14:24:08 +0100
Date:   Thu, 15 Feb 2018 14:27:30 +0100 (CET)
From:   Thomas Gleixner <tglx@linutronix.de>
To:     LKML <linux-kernel@vger.kernel.org>
cc:     Ingo Molnar <mingo@kernel.org>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        David Woodhouse <dwmw@amazon.co.uk>,
        Dan Williams <dan.j.williams@intel.com>,
        Greg KH <gregkh@linuxfoundation.org>
Subject: [PATCH] posix-timers: Protect posix clock array access against
 speculation
Message-ID: <alpine.DEB.2.21.1802151424490.1296@nanos.tec.linutronix.de>
User-Agent: Alpine 2.21 (DEB 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
X-Linutronix-Spam-Score: -1.0
X-Linutronix-Spam-Level: -
X-Linutronix-Spam-Status: No , -1.0 points, 5.0 required,  ALL_TRUSTED=-1,SHORTCIRCUIT=-0.0001
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

The (clock) id argument of clockid_to_kclock() comes straight from user
space via various syscalls and is used as index into the posix_clocks
array.

Protect it against spectre v1 array out of bounds speculation.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
---
 kernel/time/posix-timers.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/kernel/time/posix-timers.c
+++ b/kernel/time/posix-timers.c
@@ -50,6 +50,7 @@
 #include <linux/export.h>
 #include <linux/hashtable.h>
 #include <linux/compat.h>
+#include <linux/nospec.h>
 
 #include "timekeeping.h"
 #include "posix-timers.h"
@@ -1346,11 +1347,14 @@ static const struct k_clock * const posi
 
 static const struct k_clock *clockid_to_kclock(const clockid_t id)
 {
+	clockid_t idx = id;
+
 	if (id < 0)
 		return (id & CLOCKFD_MASK) == CLOCKFD ?
 			&clock_posix_dynamic : &clock_posix_cpu;
 
 	if (id >= ARRAY_SIZE(posix_clocks) || !posix_clocks[id])
 		return NULL;
-	return posix_clocks[id];
+
+	return posix_clocks[array_index_nospec(idx, ARRAY_SIZE(posix_clocks))];
 }