From: Jiri Bohac <jbohac@suse.cz>
Patch-mainline: Never, problem no longer present in v5.14
References: bsc#1192802
Subject: drm: prevent spectre issue in vmw_execbuf_ioctl
Found by Smatch:
drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c:4531 vmw_execbuf_ioctl() warn: potential spectre issue 'copy_offset' [w]
Upstream no longer has this problem; the code was removed by commit cbfbe47fc5391852bd426e07aad7f5cf026e94c5.
---
drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
@@ -32,6 +32,7 @@
#include <drm/ttm/ttm_placement.h>
#include "vmwgfx_so.h"
#include "vmwgfx_binding.h"
+#include <linux/nospec.h>
#define VMW_RES_HT_ORDER 12
@@ -4005,6 +4006,7 @@ int vmw_execbuf_ioctl(struct drm_device
offsetof(struct drm_vmw_execbuf_arg, context_handle),
sizeof(struct drm_vmw_execbuf_arg)};
struct dma_fence *in_fence = NULL;
+ int index;
if (unlikely(size < copy_offset[0])) {
VMW_DEBUG_USER("Invalid command size, ioctl %d\n",
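Review bot: The new local `int index;` is signed, yet the only value stored in it is the result of `array_index_nospec(arg.version - 1, ...)` and it is used only as a subscript into `copy_offset`. The declaration of `arg.version` is not part of this patch, but if it is an unsigned field then `unsigned int index;` would match the type the macro yields and avoid an implicit signed conversion. The function body starts and ends outside the hunk.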
@@ -4025,10 +4027,11 @@ int vmw_execbuf_ioctl(struct drm_device
return -EINVAL;
}
+ index = array_index_nospec(arg.version - 1, DRM_VMW_EXECBUF_VERSION);
if (arg.version > 1 &&
copy_from_user(&arg.context_handle,
(void __user *) (data + copy_offset[0]),
- copy_offset[arg.version - 1] - copy_offset[0]) != 0)
+ copy_offset[index] - copy_offset[0]) != 0)
return -EFAULT;
switch (arg.version) {
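Review bot: The clamp on the added `index = array_index_nospec(...)` line is bounded by `DRM_VMW_EXECBUF_VERSION` rather than by the array it protects. The speculation barrier therefore holds only while that constant does not exceed the number of entries in `copy_offset`, for which two initializers are visible in the previous hunk. Tying the bound to the array removes that coupling: `index = array_index_nospec(arg.version - 1, ARRAY_SIZE(copy_offset));`. The architectural range check on `arg.version` sits above the hunk and is not visible here, so a comment such as `/* arg.version was range-checked above; clamp the index under speculation as well */` would record why both are needed. vmw_execbuf_ioctl starts and ends outside the hunk.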