On Sat, Jan 29, 2022 at 7:06 AM Jordy Zomer <jordy@pwning.systems> wrote: > > It appears like nr could be a Spectre v1 gadget as it's supplied by a > user and used as an array index. Prevent the contents > of kernel memory from being leaked to userspace via speculative > execution by using array_index_nospec. > > Signed-off-by: Jordy Zomer <jordy@pwning.systems> > --- > drivers/dma-buf/dma-heap.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/dma-buf/dma-heap.c b/drivers/dma-buf/dma-heap.c > index 56bf5ad01ad5..8f5848aa144f 100644 > --- a/drivers/dma-buf/dma-heap.c > +++ b/drivers/dma-buf/dma-heap.c > @@ -14,6 +14,7 @@ > #include <linux/xarray.h> > #include <linux/list.h> > #include <linux/slab.h> > +#include <linux/nospec.h> > #include <linux/uaccess.h> > #include <linux/syscalls.h> > #include <linux/dma-heap.h> > @@ -135,6 +136,7 @@ static long dma_heap_ioctl(struct file *file, unsigned int ucmd, > if (nr >= ARRAY_SIZE(dma_heap_ioctl_cmds)) > return -EINVAL; > > + nr = array_index_nospec(nr, ARRAY_SIZE(dma_heap_ioctl_cmds)); > /* Get the kernel ioctl cmd that matches */ > kcmd = dma_heap_ioctl_cmds[nr]; Thanks for submitting this! It looks sane to me. Acked-by: John Stultz <john.stultz@xxxxxxxxxx> thanks -john