IB/hfi1: Fix Spectre v1 vulnerability [Linux 4.14.137]

This Linux kernel change "IB/hfi1: Fix Spectre v1 vulnerability" is included in the Linux 4.14.137 release. It was authored by Gustavo A. R. Silva <gustavo [at] embeddedor.com> on Wed Jul 31 12:54:28 2019 -0500. The commit for this change in the Linux stable tree is 683dbbe (patch), which comes from upstream commit 6497d0a. The same upstream change may have been applied to other maintained Linux releases; you can find all Linux releases containing changes from upstream 6497d0a.

IB/hfi1: Fix Spectre v1 vulnerability

commit 6497d0a9c53df6e98b25e2b79f2295d7caa47b6e upstream.

sl is controlled by user-space, hence leading to a potential
exploitation of the Spectre variant 1 vulnerability.

Fix this by sanitizing sl before using it to index ibp->sl_to_sc.

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/

Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Link: https://lore.kernel.org/r/20190731175428.GA16736@embeddedor
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
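
The clamp the commit message describes, as an added user-space example (not part of the commit or of the hfi1 driver): it mirrors the branch-free mask arithmetic of the kernel's generic array_index_nospec() fallback. The table size, table contents and the names index_mask_nospec, clamp_index_nospec, fill_demo_table and lookup_sl_to_sc are assumptions made for illustration.

```c
#include <limits.h>
#include <stdio.h>

#define TABLE_SIZE 32UL                      /* constructed size, not the driver's */
#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)

static unsigned char sl_to_sc_demo[TABLE_SIZE];  /* constructed stand-in table */

/* ~0UL when index < size, 0 otherwise, computed without a branch.
 * In range:     index | (size - 1 - index) has a clear top bit, so ~ sets it.
 * Out of range: size - 1 - index wraps (or index is huge), top bit is set.
 * The arithmetic right shift then smears the top bit over the whole word.
 * This sketch shows only the arithmetic; it does not by itself guarantee
 * what a compiler emits. */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* In-range indexes pass through unchanged; anything else collapses to 0,
 * so a mispredicted bounds check can only ever read element 0. */
static unsigned long clamp_index_nospec(unsigned long index, unsigned long size)
{
    return index & index_mask_nospec(index, size);
}

static void fill_demo_table(void)
{
    for (unsigned long i = 0; i < TABLE_SIZE; i++)
        sl_to_sc_demo[i] = (unsigned char)(i + 100);
}

/* Same shape as the patched check: architectural bounds check first,
 * then the clamp, then the load with the sanitized index. */
static int lookup_sl_to_sc(unsigned long sl)
{
    if (sl >= TABLE_SIZE)
        return -1;
    sl = clamp_index_nospec(sl, TABLE_SIZE);
    return sl_to_sc_demo[sl];
}

int main(void)
{
    fill_demo_table();
    printf("sl=5  -> %d\n", lookup_sl_to_sc(5));
    printf("sl=40 -> %d (clamped index %lu)\n",
           lookup_sl_to_sc(40), clamp_index_nospec(40, TABLE_SIZE));
    return 0;
}
```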

This change adds or deletes 2 lines of Linux source code. The code changes to the Linux kernel are as follows.

 drivers/infiniband/hw/hfi1/verbs.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/infiniband/hw/hfi1/verbs.c b/drivers/infiniband/hw/hfi1/verbs.c
index f4372af..ad78b47 100644
--- a/drivers/infiniband/hw/hfi1/verbs.c
+++ b/drivers/infiniband/hw/hfi1/verbs.c
@@ -54,6 +54,7 @@
 #include <linux/mm.h>
 #include <linux/vmalloc.h>
 #include <rdma/opa_addr.h>
+#include <linux/nospec.h>

 #include "hfi.h"
 #include "common.h"
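
Review bot: the new `#include <linux/nospec.h>` lands after `<rdma/opa_addr.h>`, which splits the linux/ headers from each other. Placing it directly after `#include <linux/vmalloc.h>` would keep the linux/ includes grouped ahead of the rdma/ one.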
@@ -1587,6 +1588,7 @@ static int hfi1_check_ah(struct ib_device *ibdev, struct rdma_ah_attr *ah_attr)
    sl = rdma_ah_get_sl(ah_attr);
    if (sl >= ARRAY_SIZE(ibp->sl_to_sc))
        return -EINVAL;
+   sl = array_index_nospec(sl, ARRAY_SIZE(ibp->sl_to_sc));

    sc5 = ibp->sl_to_sc[sl];
    if (sc_to_vlt(dd, sc5) > num_vls && sc_to_vlt(dd, sc5) != 0xf)
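
Review bot: the added `sl = array_index_nospec(sl, ARRAY_SIZE(ibp->sl_to_sc));` line carries no comment, and because it follows an `if (sl >= ARRAY_SIZE(ibp->sl_to_sc))` check that already returns -EINVAL, it reads as redundant to anyone not thinking about speculative execution. A one-line comment stating that the clamp protects the `sc5 = ibp->sl_to_sc[sl]` load when the bounds check is mispredicted would keep it from being dropped in a later cleanup. The placement itself is right: the clamp sits after the architectural check and before the first load that uses sl.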
