Date: Wed, 19 Dec 2018 08:11:04 +0100
From: Greg KH
To: Omer Tripp
Cc: ghackmann@android.com, viro@zeniv.linux.org.uk, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Greg Hackmann, stable@vger.kernel.org
Subject: Re: [PATCH] fs: fix possible Spectre V1 indexing in __close_fd()
Message-ID: <20181219071104.GA25037@kroah.com>
References: <20180924181500.125257-1-ghackmann@google.com> <20180924183911.GB9122@kroah.com> <20181015133708.GB10221@kroah.com>

On Mon, Oct 15, 2018 at 06:54:31AM -0700, Omer Tripp wrote:
> Hi Greg and all,
>
> Here is my analysis of the complete gadget, and looking forward to your
> corrections/feedback if there are any inaccuracies:
>
> 1. __close_fd() is reachable via the close() syscall with a
>    user-controlled fd.
> 2. If said bounds check is mispredicted, then a user-controlled address
>    fdt->fd[fd] is obtained then dereferenced, and the value of a
>    user-controlled address is loaded into the local variable file.
> 3. file is then passed as an argument to filp_close, where the cache
>    lines secret + offsetof(f_op) and secret + offsetof(f_mode) are hot
>    and vulnerable to a timing channel attack.
>
> The mitigation proposed by Greg Hackmann blocks this gadget.

What ever happened to this patch?  Did it get reposted?

If not, can someone please do so with this text in the changelog?

thanks,

greg k-h
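
Added example (not part of this thread, and not the patch itself, which this message does not show): a userspace model of the branchless index clamp that the kernel's array_index_nospec() helper provides for bounds-check-bypass gadgets like the one analysed above. The names index_mask_nospec, index_nospec, fdtable_model and lookup_fd, and the sample table, are hypothetical and constructed for illustration.

```c
#include <limits.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)

/* All-ones when index < size, else zero, with no branch to mispredict. Same
 * arithmetic as the kernel's generic array_index_mask_nospec(); assumes
 * size <= LONG_MAX and arithmetic right shift of negative longs (GCC/Clang). */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
#if defined(__GNUC__)
	__asm__ volatile("" : "+r"(index)); /* stop the optimizer dropping the mask */
#endif
	return (unsigned long)(~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1));
}

/* In-range indices pass through unchanged; out-of-range ones collapse to 0. */
static unsigned long index_nospec(unsigned long index, unsigned long size)
{
	return index & index_mask_nospec(index, size);
}

struct fdtable_model {          /* constructed stand-in for struct fdtable */
	unsigned long max_fds;
	const char **fd;        /* stand-in for the struct file * array */
};

/* Architectural bounds check, then the data-dependent clamp: if the branch is
 * mispredicted, the load below still only reaches slots 0..max_fds-1. */
static const char *lookup_fd(const struct fdtable_model *fdt, unsigned long fd)
{
	if (fd >= fdt->max_fds)
		return NULL;
	fd = index_nospec(fd, fdt->max_fds);
	return fdt->fd[fd];
}

int main(void)
{
	const char *slots[4] = { "stdin", "stdout", "stderr", "log" };
	struct fdtable_model fdt = { 4, slots };
	unsigned long probes[] = { 0, 3, 4, 1UL << 20, ULONG_MAX };

	for (unsigned i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
		const char *f = lookup_fd(&fdt, probes[i]);
		printf("fd=%lu clamped=%lu -> %s\n", probes[i],
		       index_nospec(probes[i], fdt.max_fds), f ? f : "(EBADF)");
	}
	return 0;
}
```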