From: Jiri Bohac <jbohac@suse.cz>
Patch-mainline: Never, problem no longer present in v5.14
References: bsc#1192802
Subject: drm: fix spectre issue in vmw_execbuf_ioctl

Found by Smatch:
  drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c:4531 vmw_execbuf_ioctl() warn: potential spectre issue 'copy_offset' [w]

Upstream no longer has this problem; the code was removed by commit cbfbe47fc5391852bd426e07aad7f5cf026e94c5.

---
 drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
@@ -31,6 +31,7 @@
 #include <drm/ttm/ttm_placement.h>
 #include "vmwgfx_so.h"
 #include "vmwgfx_binding.h"
+#include <linux/nospec.h>
 
 #define VMW_RES_HT_ORDER 12
 
@@ -4370,6 +4371,7 @@ int vmw_execbuf_ioctl(struct drm_device
 	struct vmw_private *dev_priv = vmw_priv(dev);
 	struct drm_vmw_execbuf_arg arg;
 	int ret;
+	int index;
 	static const size_t copy_offset[] = {
 		offsetof(struct drm_vmw_execbuf_arg, context_handle),
 		sizeof(struct drm_vmw_execbuf_arg)};
@@ -4396,10 +4398,11 @@ int vmw_execbuf_ioctl(struct drm_device
 		return -EINVAL;
 	}
 
+	index = array_index_nospec(arg.version - 1, DRM_VMW_EXECBUF_VERSION);
 	if (arg.version > 1 &&
 	    copy_from_user(&arg.context_handle,
 			   (void __user *) (data + copy_offset[0]),
-			   copy_offset[arg.version - 1] -
+			   copy_offset[index] -
 			   copy_offset[0]) != 0)
 		return -EFAULT;
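Review bot: The clamp on the added `index = array_index_nospec(...)` line is bounded by `DRM_VMW_EXECBUF_VERSION` rather than by the size of the `copy_offset` table it protects, so the speculation barrier is only correct while the two happen to agree (the table visibly has two entries; the macro's value is not shown here). Tying the bound to the array keeps the mitigation valid if either one changes: `index = array_index_nospec(arg.version - 1, ARRAY_SIZE(copy_offset));`. `index` is declared `int` in the previous hunk although it holds a subscript derived from a user-supplied field; `unsigned int index;` would avoid the signed intermediate. The architectural range check on `arg.version` presumably sits just above this hunk (only its `return -EINVAL;` is visible), and the function body continues past the hunk.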