From: Jiri Bohac <jbohac@suse.cz>
Patch-mainline: Never, problem no longer present in v5.14
References: bsc#1192802
Subject: mpt3sas: fix spectre issues

Found by Smatch:

	drivers/scsi/mpt3sas/mpt3sas_ctl.c _ctl_diag_unregister() warn: potential spectre issue 'ioc->diag_buffer' [r]
	drivers/scsi/mpt3sas/mpt3sas_ctl.c _ctl_diag_unregister() warn: possible spectre second half.  'request_data'
	drivers/scsi/mpt3sas/mpt3sas_ctl.c _ctl_diag_unregister() warn: potential spectre issue 'ioc->diag_buffer_sz' [r]
	drivers/scsi/mpt3sas/mpt3sas_ctl.c _ctl_diag_unregister() warn: potential spectre issue 'ioc->diag_buffer_dma' [r]
	drivers/scsi/mpt3sas/mpt3sas_ctl.c _ctl_diag_unregister() warn: possible spectre second half.  'request_data_sz'
	drivers/scsi/mpt3sas/mpt3sas_ctl.c _ctl_diag_unregister() warn: possible spectre second half.  'request_data_dma'
	drivers/scsi/mpt3sas/mpt3sas_ctl.c _ctl_diag_unregister() warn: potential spectre issue 'ioc->diag_buffer_status' [w]
	drivers/scsi/mpt3sas/mpt3sas_ctl.c _ctl_diag_query() warn: potential spectre issue 'ioc->diag_buffer' [r]
	drivers/scsi/mpt3sas/mpt3sas_ctl.c _ctl_diag_query() warn: possible spectre second half.  'request_data'
	drivers/scsi/mpt3sas/mpt3sas_ctl.c _ctl_diag_query() warn: potential spectre issue 'ioc->product_specific' [r]
	drivers/scsi/mpt3sas/mpt3sas_ctl.c _ctl_diag_query() warn: potential spectre issue 'ioc->diag_buffer_sz' [r]
	drivers/scsi/mpt3sas/mpt3sas_ctl.c _ctl_diag_query() warn: potential spectre issue 'ioc->unique_id' [r]
	drivers/scsi/mpt3sas/mpt3sas_ctl.c _ctl_diag_query() warn: potential spectre issue 'ioc->diagnostic_flags' [r]
	drivers/scsi/mpt3sas/mpt3sas_ctl.c _ctl_diag_release() warn: potential spectre issue 'ioc->diag_buffer' [r]
	drivers/scsi/mpt3sas/mpt3sas_ctl.c _ctl_diag_release() warn: possible spectre second half.  'request_data'
	drivers/scsi/mpt3sas/mpt3sas_ctl.c _ctl_diag_release() warn: potential spectre issue 'ioc->diag_buffer_status' [w]
	drivers/scsi/mpt3sas/mpt3sas_ctl.c _ctl_diag_read_buffer() warn: potential spectre issue 'ioc->diag_buffer' [r]
	drivers/scsi/mpt3sas/mpt3sas_ctl.c _ctl_diag_read_buffer() warn: possible spectre second half.  'request_data'
	drivers/scsi/mpt3sas/mpt3sas_ctl.c _ctl_diag_read_buffer() warn: potential spectre issue 'ioc->diag_buffer_sz' [r]
	drivers/scsi/mpt3sas/mpt3sas_ctl.c _ctl_diag_read_buffer() warn: possible spectre second half.  'request_size'
	drivers/scsi/mpt3sas/mpt3sas_ctl.c _ctl_diag_read_buffer() warn: potential spectre issue 'ioc->diag_buffer_dma' [r]
	drivers/scsi/mpt3sas/mpt3sas_ctl.c _ctl_diag_read_buffer() warn: potential spectre issue 'ioc->product_specific' [r]
---
 drivers/scsi/mpt3sas/mpt3sas_ctl.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/scsi/mpt3sas/mpt3sas_ctl.c b/drivers/scsi/mpt3sas/mpt3sas_ctl.c
index 978a6ab836c2..2d8106ba911b 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_ctl.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_ctl.c
@@ -53,6 +53,7 @@
 #include <linux/delay.h>
 #include <linux/compat.h>
 #include <linux/poll.h>
+#include <linux/nospec.h>
 
 #include <linux/io.h>
 #include <linux/uaccess.h>
@@ -1724,6 +1725,7 @@ _ctl_diag_unregister(struct MPT3SAS_ADAPTER *ioc, void __user *arg)
 			__func__, buffer_type);
 		return -EPERM;
 	}
+	buffer_type = array_index_nospec(buffer_type, MPI2_DIAG_BUF_TYPE_COUNT);
 
 	if ((ioc->diag_buffer_status[buffer_type] &
 	    MPT3_DIAG_BUFFER_IS_REGISTERED) == 0) {
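Review bot: The added `buffer_type = array_index_nospec(buffer_type, MPI2_DIAG_BUF_TYPE_COUNT);` has no comment saying why the index is clamped or which arrays its bound must match, and the same holds for the identical lines in the `_ctl_diag_query`, `_ctl_diag_release` and `_ctl_diag_read_buffer` hunks. Assuming buffer_type is copied from the `void __user *arg` argument (the copy is outside the hunk), I would put `/* user-supplied index: clamp under speculation before indexing ioc->diag_buffer*[] */` above each one. The validity check that returns -EPERM also starts outside the hunk, so it cannot be confirmed here that it rejects every value >= MPI2_DIAG_BUF_TYPE_COUNT. That check has to stay in front of the clamp, because array_index_nospec() is not a bounds check and turns an out-of-range value into index 0. It is also worth confirming that every array these functions index with buffer_type is declared with MPI2_DIAG_BUF_TYPE_COUNT entries.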
@@ -1794,6 +1796,7 @@ _ctl_diag_query(struct MPT3SAS_ADAPTER *ioc, void __user *arg)
 			__func__, buffer_type);
 		return -EPERM;
 	}
+	buffer_type = array_index_nospec(buffer_type, MPI2_DIAG_BUF_TYPE_COUNT);
 
 	if ((ioc->diag_buffer_status[buffer_type] &
 	    MPT3_DIAG_BUFFER_IS_REGISTERED) == 0) {
@@ -1974,6 +1977,7 @@ _ctl_diag_release(struct MPT3SAS_ADAPTER *ioc, void __user *arg)
 			__func__, buffer_type);
 		return -EPERM;
 	}
+	buffer_type = array_index_nospec(buffer_type, MPI2_DIAG_BUF_TYPE_COUNT);
 
 	if ((ioc->diag_buffer_status[buffer_type] &
 	    MPT3_DIAG_BUFFER_IS_REGISTERED) == 0) {
@@ -2058,6 +2062,7 @@ _ctl_diag_read_buffer(struct MPT3SAS_ADAPTER *ioc, void __user *arg)
 			__func__, buffer_type);
 		return -EPERM;
 	}
+	buffer_type = array_index_nospec(buffer_type, MPI2_DIAG_BUF_TYPE_COUNT);
 
 	if (karg.unique_id != ioc->unique_id[buffer_type]) {
 		ioc_err(ioc, "%s: unique_id(0x%08x) is not registered\n",
-- 
2.32.0