Received: by 2002:a25:8b12:0:0:0:0:0 with SMTP id i18csp37369ybl; Thu, 22 Aug 2019 19:16:05 -0700 (PDT) X-Google-Smtp-Source: APXvYqzgJV47z1J2E9Gz/NHUx2BmTYL9A309p09zBZnZg4WTE//wJp5CUELY/M/FyYJkQIVKTrBY X-Received: by 2002:a17:902:3003:: with SMTP id u3mr1979749plb.161.1566526565656; Thu, 22 Aug 2019 19:16:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1566526565; cv=none; d=google.com; s=arc-20160816; b=Q5z8+SJDGhfYHyxsaTafieR1L0Lvdz6NsBlDEzW80w//cP+nChUo0bweCcvm03jKBd aqqMORiy6S7FAuQCXVjfpXYBxRZP8IKFCAjxXgowZXpwj4ABRbSgi2POTjTgHePrd5Bt XuWtlO6V2iA2PAGivI+gM+DDjK5GpIzAjTEosPisatuYebGT62OsEAlHeYdheCbPibKn WuJMGUIk9TduwiQVv4nAcwIsrcrJ8g3sJEFmlia+Ll9nWluk0FW9kM68I7/jkH106QEh WLvzmV/rmvvOSIfIy1LeUixdAkiep6I37W8YhsQGFsItewRxJmAh2R3UzilIFuRl2QNj VN5g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=Mq0ECVUT/oVkoQ2yxZC3ulP+py1Qy1PcYyhOxCVywuk=; b=IX/26ohmYg2aASZSp/C+XgacDJRiRuYI6wpYP48u0ZJJlJFTPfWTR7765tjU83exu1 bKoVm97Hvk1j9aK0EmgxePZmefeEZZi2gnFlqe7W15mzKIAYfIkwCkwclxJtPZ2dQOOu i50y0jGQakdFI5FAmlXlY5VIpEluOLcQ1CKP1DIunw4IEhFqQD3HI5rBKtojYcaF8FcE tSlYmMqom0xm/OrfrxmmF0kWYxyxcPOh8VmWx/p3a6tLEaOTFWNaoFR0dEfDfOZthihz 2KATOBr4sL9szsVLsSG6pJ386idY3ho0bWrfK6Duok/zWNZlhU3YOnbDleDmts7NnZsz b8FA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=HhS+o1Ma; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w188si1179370pfb.175.2019.08.22.19.15.50; Thu, 22 Aug 2019 19:16:05 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=HhS+o1Ma; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2404908AbfHVR14 (ORCPT + 99 others); Thu, 22 Aug 2019 13:27:56 -0400 Received: from mail.kernel.org ([198.145.29.99]:51876 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2404704AbfHVR0V (ORCPT ); Thu, 22 Aug 2019 13:26:21 -0400 Received: from localhost (wsip-184-188-36-2.sd.sd.cox.net [184.188.36.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 5F4F8206DD; Thu, 22 Aug 2019 17:26:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1566494780; bh=lWZcLGMxVzkLkjXVAnVVtVjDSKLQt1ZNIi+upVQUH3g=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=HhS+o1MapEos+AQFTODiorujQvG2/jlgzLJVw+Sdv6rbv+NaA3Gh+ZdG5uRkuNWiD fv1NAPGvDPJaXP0Hp3ruX+WOnaLQuPBkNeuLfpNxGmt6AT8psfFJPm0oyW860Un4zs VfKAfpW/huLdAnC/cORdx6fEIKOby+4HkpflOOOM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Tony Luck , Doug Ledford , Sasha Levin Subject: [PATCH 4.19 46/85] IB/core: Add mitigation for Spectre V1 Date: Thu, 22 Aug 2019 10:19:19 -0700 Message-Id: <20190822171733.289701089@linuxfoundation.org> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20190822171731.012687054@linuxfoundation.org> References: <20190822171731.012687054@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org [ Upstream commit 61f259821dd3306e49b7d42a3f90fb5a4ff3351b ] Some processors may mispredict an array bounds check and speculatively access memory that they should not. With a user supplied array index we like to play things safe by masking the value with the array size before it is used as an index. Signed-off-by: Tony Luck Link: https://lore.kernel.org/r/20190731043957.GA1600@agluck-desk2.amr.corp.intel.com Signed-off-by: Doug Ledford Signed-off-by: Sasha Levin --- drivers/infiniband/core/user_mad.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c index c34a6852d691f..a18f3f8ad77fe 100644 --- a/drivers/infiniband/core/user_mad.c +++ b/drivers/infiniband/core/user_mad.c @@ -49,6 +49,7 @@ #include #include #include +#include #include @@ -868,11 +869,14 @@ static int ib_umad_unreg_agent(struct ib_umad_file *file, u32 __user *arg) if (get_user(id, arg)) return -EFAULT; + if (id >= IB_UMAD_MAX_AGENTS) + return -EINVAL; mutex_lock(&file->port->file_mutex); mutex_lock(&file->mutex); - if (id >= IB_UMAD_MAX_AGENTS || !__get_agent(file, id)) { + id = array_index_nospec(id, IB_UMAD_MAX_AGENTS); + if (!__get_agent(file, id)) { ret = -EINVAL; goto out; } -- 2.20.1