UBUNTU: SAUCE: Replace osb() calls with array_index_nospec()

BugLink: https://bugs.launchpad.net/bugs/1774181 The original embargoed patches introduced an arch-specific barrier macro gmb() (later renamed to osb()) which is used to prevent speculation beyond array boundaries. What finally landed in upstream is an arch-agnostic masking solution in favor of osb(). In Ubuntu, we still use osb() in a couple of places where upstream does nothing, so change those to using the masking solution. Signed-off-by: Juerg Haefliger <juergh@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

UBUNTU: SAUCE: Replace osb() calls with array_index_nospec()
BugLink: https://bugs.launchpad.net/bugs/1774181 The original embargoed patches introduced an arch-specific barrier macro gmb() (later renamed to osb()) which is used to prevent speculation beyond array boundaries. What finally landed in upstream is an arch-agnostic masking solution in favor of osb(). In Ubuntu, we still use osb() in a couple of places where upstream does nothing, so change those to using the masking solution. Signed-off-by: Juerg Haefliger <juergh@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
0a4e8a3e · Juerg Haefliger · Stefan Bader · 42092e81 · 0a4e8a3e · 0a4e8a3e
Commit 0a4e8a3e authored May 30, 2018 by Juerg Haefliger Committed by Stefan Bader Jun 07, 2018
8 changed files
--- a/drivers/net/wireless/ath/carl9170/main.c
+++ b/drivers/net/wireless/ath/carl9170/main.c
@@ -41,6 +41,7 @@
 #include <linux/module.h>
 #include <linux/etherdevice.h>
 #include <linux/random.h>
+#include <linux/nospec.h>
 #include <net/mac80211.h>
 #include <net/cfg80211.h>
 #include "hw.h"
@@ -1388,7 +1389,7 @@ static int carl9170_op_conf_tx(struct ieee80211_hw *hw,
 	mutex_lock(&ar->mutex);
 	if (queue < ar->hw->queues) {
-		osb();
+		queue = array_index_nospec(queue, ar->hw->queues); /* needed? */
 		memcpy(&ar->edcf[ar9170_qmap[queue]], param, sizeof(*param));
 		ret = carl9170_set_qos(ar);
 	} else {

--- a/drivers/scsi/qla2xxx/qla_mr.c
+++ b/drivers/scsi/qla2xxx/qla_mr.c
@@ -11,6 +11,7 @@
 #include <linux/vmalloc.h>
 #include <scsi/scsi_tcq.h>
 #include <linux/utsname.h>
+#include <linux/nospec.h>
 /* QLAFX00 specific Mailbox implementation functions */
@@ -2303,7 +2304,7 @@ qlafx00_status_entry(scsi_qla_host_t *vha, struct rsp_que *rsp, void *pkt)
 	/* Validate handle. */
 	if (handle < req->num_outstanding_cmds) {
-		osb();
+		handle = array_index_nospec(handle, req->num_outstanding_cmds); /* needed? */
 		sp = req->outstanding_cmds[handle];
 	} else {
 		sp = NULL;
@@ -2656,7 +2657,7 @@ qlafx00_multistatus_entry(struct scsi_qla_host *vha,
 		/* Validate handle. */
 		if (handle < req->num_outstanding_cmds) {
-			osb();
+			handle = array_index_nospec(handle, req->num_outstanding_cmds); /* needed? */
 			sp = req->outstanding_cmds[handle];
 		} else {
 			sp = NULL;

--- a/drivers/thermal/int340x_thermal/int340x_thermal_zone.c
+++ b/drivers/thermal/int340x_thermal/int340x_thermal_zone.c
@@ -17,6 +17,7 @@
 #include <linux/init.h>
 #include <linux/acpi.h>
 #include <linux/thermal.h>
+#include <linux/nospec.h>
 #include "int340x_thermal_zone.h"
 static int int340x_thermal_get_zone_temp(struct thermal_zone_device *zone,
@@ -58,7 +59,7 @@ static int int340x_thermal_get_trip_temp(struct thermal_zone_device *zone,
 		return d->override_ops->get_trip_temp(zone, trip, temp);
 	if (trip < d->aux_trip_nr) {
-		osb();
+		trip = array_index_nospec(trip, d->aux_trip_nr); /* needed? */
 		*temp = d->aux_trips[trip];
 	} else if (trip == d->crt_trip_id) {
 		*temp = d->crt_temp;

--- a/fs/udf/misc.c
+++ b/fs/udf/misc.c
@@ -24,6 +24,7 @@
 #include <linux/fs.h>
 #include <linux/string.h>
 #include <linux/crc-itu-t.h>
+#include <linux/nospec.h>
 #include "udf_i.h"
 #include "udf_sb.h"
@@ -103,9 +104,9 @@ struct genericFormat *udf_add_extendedattr(struct inode *inode, uint32_t size,
 			if (le32_to_cpu(eahd->appAttrLocation) <
 					iinfo->i_lenEAttr) {
 				uint32_t aal =
-					le32_to_cpu(eahd->appAttrLocation);
+					array_index_nospec(le32_to_cpu(eahd->appAttrLocation),
+							   iinfo->i_lenEAttr); /* needed? */
-				osb();
 				memmove(&ea[offset - aal + size],
 					&ea[aal], offset - aal);
 				offset -= aal;
@@ -115,9 +116,9 @@ struct genericFormat *udf_add_extendedattr(struct inode *inode, uint32_t size,
 			if (le32_to_cpu(eahd->impAttrLocation) <
 					iinfo->i_lenEAttr) {
 				uint32_t ial =
-					le32_to_cpu(eahd->impAttrLocation);
+					array_index_nospec(le32_to_cpu(eahd->impAttrLocation),
+							   iinfo->i_lenEAttr); /* needed? */
-				osb();
 				memmove(&ea[offset - ial + size],
 					&ea[ial], offset - ial);
 				offset -= ial;
@@ -128,9 +129,9 @@ struct genericFormat *udf_add_extendedattr(struct inode *inode, uint32_t size,
 			if (le32_to_cpu(eahd->appAttrLocation) <
 					iinfo->i_lenEAttr) {
 				uint32_t aal =
-					le32_to_cpu(eahd->appAttrLocation);
+					array_index_nospec(le32_to_cpu(eahd->appAttrLocation),
+							   iinfo->i_lenEAttr); /* needed? */
-				osb();
 				memmove(&ea[offset - aal + size],
 					&ea[aal], offset - aal);
 				offset -= aal;

--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -22,6 +22,7 @@
 #include <linux/ctype.h>
 #include <linux/projid.h>
 #include <linux/fs_struct.h>
+#include <linux/nospec.h>
 /*
 * sysctl determining whether unprivileged users may unshare a new
@@ -503,7 +504,7 @@ static void *m_start(struct seq_file *seq, loff_t *ppos,
 	loff_t pos = *ppos;
 	if (pos < map->nr_extents) {
-		osb();
+		pos = array_index_nospec((unsigned long)pos, map->nr_extents); /* needed? */
 		extent = &map->extent[pos];
 	}

--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -79,6 +79,7 @@
 #include <linux/netfilter_ipv4.h>
 #include <linux/compat.h>
 #include <linux/uio.h>
+#include <linux/nospec.h>
 struct raw_frag_vec {
 	struct msghdr *msg;
@@ -464,9 +465,11 @@ static int raw_getfrag(void *from, char *to, int offset, int len, int odd,
 	struct raw_frag_vec *rfv = from;
 	if (offset < rfv->hlen) {
-		int copy = min(rfv->hlen - offset, len);
+		int copy;
+		offset = array_index_nospec(offset, rfv->hlen); /* needed? */
+		copy = min(rfv->hlen - offset, len);
-		osb();
 		if (skb->ip_summed == CHECKSUM_PARTIAL)
 			memcpy(to, rfv->hdr.c + offset, copy);
 		else

--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -62,6 +62,7 @@
 #include <linux/proc_fs.h>
 #include <linux/seq_file.h>
 #include <linux/export.h>
+#include <linux/nospec.h>
 #define	ICMPV6_HDRLEN	4	/* ICMPv6 header, RFC 4443 Section 2.1 */
@@ -715,9 +716,11 @@ static int raw6_getfrag(void *from, char *to, int offset, int len, int odd,
 	struct raw6_frag_vec *rfv = from;
 	if (offset < rfv->hlen) {
-		int copy = min(rfv->hlen - offset, len);
+		int copy;
+		offset = array_index_nospec(offset, rfv->hlen); /* needed? */
+		copy = min(rfv->hlen - offset, len);
-		osb();
 		if (skb->ip_summed == CHECKSUM_PARTIAL)
 			memcpy(to, rfv->c + offset, copy);
 		else

--- a/net/mpls/af_mpls.c
+++ b/net/mpls/af_mpls.c
@@ -42,10 +42,10 @@ static struct mpls_route *mpls_route_input_rcu(struct net *net, unsigned index)
 	struct mpls_route *rt = NULL;
 	if (index < net->mpls.platform_labels) {
-		struct mpls_route __rcu **platform_label =
+		struct mpls_route __rcu **platform_label;
-			rcu_dereference(net->mpls.platform_label);
-		osb();
+		index = array_index_nospec(index, net->mpls.platform_labels); /* needed? */
+		platform_label = rcu_dereference(net->mpls.platform_label);
 		rt = rcu_dereference(platform_label[index]);
 	}
 	return rt;