From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 16 Sep 2018 13:39:43 +0000 (+0200)
Subject: 4.14-stable patches
X-Git-Tag: v4.18.9~26
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=72f8926a6acc435969476f65c8393396e4a78a78;p=thirdparty%2Fkernel%2Fstable-queue.git

4.14-stable patches

added patches:
	switchtec-fix-spectre-v1-vulnerability.patch
---

diff --git a/queue-4.14/series b/queue-4.14/series
index ca595cba4f0..f1995503a7f 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -15,3 +15,4 @@ cpu-hotplug-adjust-misplaced-smb-in-cpuhp_thread_fun.patch
 cpu-hotplug-prevent-state-corruption-on-error-rollback.patch
 x86-microcode-make-sure-boot_cpu_data.microcode-is-up-to-date.patch
 x86-microcode-update-the-new-microcode-revision-unconditionally.patch
+switchtec-fix-spectre-v1-vulnerability.patch
diff --git a/queue-4.14/switchtec-fix-spectre-v1-vulnerability.patch b/queue-4.14/switchtec-fix-spectre-v1-vulnerability.patch
new file mode 100644
index 00000000000..ccff798bf42
--- /dev/null
+++ b/queue-4.14/switchtec-fix-spectre-v1-vulnerability.patch
@@ -0,0 +1,55 @@
+From 46feb6b495f7628a6dbf36c4e6d80faf378372d4 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Thu, 16 Aug 2018 14:06:46 -0500
+Subject: switchtec: Fix Spectre v1 vulnerability
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit 46feb6b495f7628a6dbf36c4e6d80faf378372d4 upstream.
+
+p.port can is indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+  drivers/pci/switch/switchtec.c:912 ioctl_port_to_pff() warn: potential spectre issue 'pcfg->dsp_pff_inst_id' [r]
+
+Fix this by sanitizing p.port before using it to index
+pcfg->dsp_pff_inst_id
+
+Notice that given that speculation windows are large, the policy is to kill
+the speculation on the first load and not worry if it can be completed with
+a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Acked-by: Logan Gunthorpe <logang@deltatee.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/switch/switchtec.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/pci/switch/switchtec.c
++++ b/drivers/pci/switch/switchtec.c
+@@ -24,6 +24,8 @@
+ #include <linux/cdev.h>
+ #include <linux/wait.h>
+ 
++#include <linux/nospec.h>
++
+ MODULE_DESCRIPTION("Microsemi Switchtec(tm) PCIe Management Driver");
+ MODULE_VERSION("0.1");
+ MODULE_LICENSE("GPL");
+@@ -1173,6 +1175,8 @@ static int ioctl_port_to_pff(struct swit
+ 	default:
+ 		if (p.port > ARRAY_SIZE(pcfg->dsp_pff_inst_id))
+ 			return -EINVAL;
++		p.port = array_index_nospec(p.port,
++					ARRAY_SIZE(pcfg->dsp_pff_inst_id) + 1);
+ 		p.pff = ioread32(&pcfg->dsp_pff_inst_id[p.port - 1]);
+ 		break;
+ 	}