authorTakashi Iwai <tiwai@suse.de>2018-10-15 17:57:31 +0200
committerTakashi Iwai <tiwai@suse.de>2018-10-15 17:57:31 +0200
commit6f8d9b681148b05d06ea9456e231839ac8b4f5f8 (patch)
tree0cca3b58b88cbd53685b059b30737e5275d8d81a
parent5340d75c6ce6feade153e043c9b15ac81fcbc3e2 (diff)
switchtec: Fix Spectre v1 vulnerability (bsc#1051510).
-rw-r--r--patches.drivers/switchtec-Fix-Spectre-v1-vulnerability.patch54
-rw-r--r--series.conf1
2 files changed, 55 insertions, 0 deletions
diff --git a/patches.drivers/switchtec-Fix-Spectre-v1-vulnerability.patch b/patches.drivers/switchtec-Fix-Spectre-v1-vulnerability.patch
new file mode 100644
index 0000000000..1ff9749515
--- /dev/null
+++ b/patches.drivers/switchtec-Fix-Spectre-v1-vulnerability.patch
@@ -0,0 +1,54 @@
+From 46feb6b495f7628a6dbf36c4e6d80faf378372d4 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Thu, 16 Aug 2018 14:06:46 -0500
+Subject: [PATCH] switchtec: Fix Spectre v1 vulnerability
+Git-commit: 46feb6b495f7628a6dbf36c4e6d80faf378372d4
+Patch-mainline: v4.19-rc4
+References: bsc#1051510
+
+p.port can is indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+ drivers/pci/switch/switchtec.c:912 ioctl_port_to_pff() warn: potential spectre issue 'pcfg->dsp_pff_inst_id' [r]
+
+Fix this by sanitizing p.port before using it to index
+pcfg->dsp_pff_inst_id
+
+Notice that given that speculation windows are large, the policy is to kill
+the speculation on the first load and not worry if it can be completed with
+a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Acked-by: Logan Gunthorpe <logang@deltatee.com>
+Cc: stable@vger.kernel.org
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/pci/switch/switchtec.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/pci/switch/switchtec.c
++++ b/drivers/pci/switch/switchtec.c
+@@ -24,6 +24,8 @@
+ #include <linux/cdev.h>
+ #include <linux/wait.h>
+
++#include <linux/nospec.h>
++
+ MODULE_DESCRIPTION("Microsemi Switchtec(tm) PCIe Management Driver");
+ MODULE_VERSION("0.1");
+ MODULE_LICENSE("GPL");
+@@ -1155,6 +1157,8 @@ static int ioctl_port_to_pff(struct swit
+ default:
+ if (p.port > ARRAY_SIZE(pcfg->dsp_pff_inst_id))
+ return -EINVAL;
++ p.port = array_index_nospec(p.port,
++ ARRAY_SIZE(pcfg->dsp_pff_inst_id) + 1);
+ p.pff = ioread32(&pcfg->dsp_pff_inst_id[p.port - 1]);
+ break;
+ }
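Review bot: The clamp in the `default:` branch is applied to `p.port` with a bound of `ARRAY_SIZE(pcfg->dsp_pff_inst_id) + 1`, but the value actually used as the array index is `p.port - 1`. When the preceding bounds check is mispredicted, `array_index_nospec()` forces `p.port` to 0, and `p.port - 1` is then not a valid index; it would wrap to a very large value if `p.port` is unsigned, which the hunk does not show. Masking the index that is really dereferenced would close that gap: `p.pff = ioread32(&pcfg->dsp_pff_inst_id[array_index_nospec(p.port - 1, ARRAY_SIZE(pcfg->dsp_pff_inst_id))]);`. The enclosing switch in ioctl_port_to_pff() starts outside the hunk, so the architectural handling of port 0 cannot be confirmed from here.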
diff --git a/series.conf b/series.conf
index a179c87e69..ce6b68009f 100644
--- a/series.conf
+++ b/series.conf
@@ -17729,6 +17729,7 @@
patches.drivers/drm-nouveau-TBDdevinit-don-t-fail-when-PMU-PRE_OS-is.patch
patches.drivers/drm-nouveau-disp-fix-DP-disable-race.patch
patches.drivers/Revert-PCI-Add-ACS-quirk-for-Intel-300-series
+ patches.drivers/switchtec-Fix-Spectre-v1-vulnerability.patch
patches.arch/s390-sles15-15-04-crypto-paes-fix.patch
patches.drivers/mmc-omap_hsmmc-fix-wakeirq-handling-on-removal.patch
patches.drivers/pstore-Fix-incorrect-persistent-ram-buffer-mapping.patch