Received: by 2002:a25:b794:0:0:0:0:0 with SMTP id n20csp2764966ybh; Mon, 5 Aug 2019 06:29:59 -0700 (PDT) X-Google-Smtp-Source: APXvYqx6TW9cO/hYE18DGbzwRM2ibH9W14QN+BMSHaxauq/UDF4xci6TG2IPKIBrQRJFv7Cukr6M X-Received: by 2002:a65:6846:: with SMTP id q6mr98215062pgt.150.1565011799233; Mon, 05 Aug 2019 06:29:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1565011799; cv=none; d=google.com; s=arc-20160816; b=dpJnSuXqxEfOmZx31XhuXsChJK81keVEaIC0wMp68v1NWEtjETfX+c+QdmDzGrTSEp sB1U/y+bgwaw0vHD5TNjczITVxyJ7ZJmJPZjAG1lIIXnxoC6xNaZ2a9GdiOfehfdkTfJ bbs8XUcSiXNPELWJXx0XRrNBwjRBig4Wy6S3nY67KcCVWlyfyrlCzV5FBLx1nwN0INFD Fe0R0WyxRsoHaX0Xcx4n1LmfcMJsQnecsHB/FiROOAO4FIg2aHFPiqFYUE2ij6x/pbJQ Ls9InIbIRqKFixLEoPdZ0vFbPN/ps9taqWWpJwVMZO4xzAjBoEZz9DTMDhfPpagCW0mf dGyA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=ingu9pV8hYUkOYIm/R5eWw0s12unZSqcaS0IEjDOjGs=; b=ew09+iMzFanjRLhaKJq6knenGRFbQCf02+eC/YoXcYJnC2IuwCldi3o+rtsIRc9fa/ XyCK5qdPMMCkGhQQ4PZDMrrWcvUzuVjl1g9+QtTEny0rhSaBMGQSWOkGPXYMqrMYy1/C 4dFR4kgjKpBI4fEvvnn15IlXxFPCC08j1K05/lTz9QO9PWZMst1PNrnVn75a1sy+HErG gIP9ROBNRJV9ma/x4Ho1KZXpAF8CJXIM3VIZz8OWeG/n/tneJ0wBUKar9bconaVuGuBP oeVenx8VucKxiJBB+uudjuCKo4+mSM2pRxU15Q3NKL7+E7YZqkjuXgmdY4mUFC+7jmdv sNwg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="KGMJ/K/N"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 64si39192012ply.399.2019.08.05.06.29.43; Mon, 05 Aug 2019 06:29:59 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="KGMJ/K/N"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730122AbfHENYI (ORCPT + 99 others); Mon, 5 Aug 2019 09:24:08 -0400 Received: from mail.kernel.org ([198.145.29.99]:60842 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729795AbfHENYD (ORCPT ); Mon, 5 Aug 2019 09:24:03 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 128E520651; Mon, 5 Aug 2019 13:24:01 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1565011442; bh=E+gX5LX6CA8aQTOIvXbPnuz9idaM8uOhX3i/MdZY0NI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=KGMJ/K/NnccMtj3R9xaS6diNsWBgXGf/Q/1Zuros6oxYYD71mXgZ9a6LIxa0IcvTQ dULCHxNMd1K4nQ8noxGxv/yvAGNVp97T4Ae7csQJRnf2RxlMuDuy9KVFTGxN6hhkz2 mD1uKWhJw3hITKmm6YSiRvs6EC3OnsBRxmAPA6XQ= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, "Gustavo A. R. Silva" , Doug Ledford Subject: [PATCH 5.2 090/131] IB/hfi1: Fix Spectre v1 vulnerability Date: Mon, 5 Aug 2019 15:02:57 +0200 Message-Id: <20190805124957.993665583@linuxfoundation.org> X-Mailer: git-send-email 2.22.0 In-Reply-To: <20190805124951.453337465@linuxfoundation.org> References: <20190805124951.453337465@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Gustavo A. R. Silva commit 6497d0a9c53df6e98b25e2b79f2295d7caa47b6e upstream. sl is controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. Fix this by sanitizing sl before using it to index ibp->sl_to_sc. Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/ Cc: stable@vger.kernel.org Signed-off-by: Gustavo A. R. Silva Link: https://lore.kernel.org/r/20190731175428.GA16736@embeddedor Signed-off-by: Doug Ledford Signed-off-by: Greg Kroah-Hartman --- drivers/infiniband/hw/hfi1/verbs.c | 2 ++ 1 file changed, 2 insertions(+) --- a/drivers/infiniband/hw/hfi1/verbs.c +++ b/drivers/infiniband/hw/hfi1/verbs.c @@ -54,6 +54,7 @@ #include #include #include +#include #include "hfi.h" #include "common.h" @@ -1536,6 +1537,7 @@ static int hfi1_check_ah(struct ib_devic sl = rdma_ah_get_sl(ah_attr); if (sl >= ARRAY_SIZE(ibp->sl_to_sc)) return -EINVAL; + sl = array_index_nospec(sl, ARRAY_SIZE(ibp->sl_to_sc)); sc5 = ibp->sl_to_sc[sl]; if (sc_to_vlt(dd, sc5) > num_vls && sc_to_vlt(dd, sc5) != 0xf)