From: Jiri Bohac <jbohac@suse.cz>
Patch-mainline: Never, problem no longer present in v5.14
References: bsc#1192802
Subject: drm: prevent spectre issue in vmw_execbuf_ioctl

Found by Smatch:
  drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c:4531 vmw_execbuf_ioctl() warn: potential spectre issue 'copy_offset' [w]

Upstream no longer has this problem; the code was removed by commit cbfbe47fc5391852bd426e07aad7f5cf026e94c5.

---
 drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
@@ -32,6 +32,7 @@
 #include <drm/ttm/ttm_placement.h>
 #include "vmwgfx_so.h"
 #include "vmwgfx_binding.h"
+#include <linux/nospec.h>
 
 #define VMW_RES_HT_ORDER 12
 
@@ -4005,6 +4006,7 @@ int vmw_execbuf_ioctl(struct drm_device
 		offsetof(struct drm_vmw_execbuf_arg, context_handle),
 		sizeof(struct drm_vmw_execbuf_arg)};
 	struct dma_fence *in_fence = NULL;
+	int index;
 
 	if (unlikely(size < copy_offset[0])) {
 		VMW_DEBUG_USER("Invalid command size, ioctl %d\n",
@@ -4025,10 +4027,11 @@ int vmw_execbuf_ioctl(struct drm_device
 		return -EINVAL;
 	}
 
+	index = array_index_nospec(arg.version - 1, DRM_VMW_EXECBUF_VERSION);
 	if (arg.version > 1 &&
 	    copy_from_user(&arg.context_handle,
 			   (void __user *) (data + copy_offset[0]),
-			   copy_offset[arg.version - 1] - copy_offset[0]) != 0)
+			   copy_offset[index] - copy_offset[0]) != 0)
 		return -EFAULT;
 
 	switch (arg.version) {
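Review bot: The clamp on the added `array_index_nospec()` line is bounded by `DRM_VMW_EXECBUF_VERSION` rather than by the size of `copy_offset[]`, so the speculation barrier only covers the array for as long as the version constant and the number of initialisers happen to agree. Tying the bound to the array keeps the two from drifting apart: `index = array_index_nospec(arg.version - 1, ARRAY_SIZE(copy_offset));`. `index` is declared as `int` in the previous hunk although it holds a masked array subscript; `unsigned int` would match its use, assuming `arg.version` is an unsigned field (its declaration is not visible here). A one-line comment such as `/* clamp under speculation: arg.version is user-controlled and only range-checked above */` would tell later readers why the subscript is not used directly. vmw_execbuf_ioctl() starts and ends outside the hunk, so the range check itself is inferred from the `return -EINVAL` context lines.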