Thanks both! I assumed array_index_mask_nospec was the same as array_index_nospec. I'll send a V2 your way soon :)

On Sat, Jun 10, 2023 at 9:10 PM Phillip Potter <phil@xxxxxxxxxxxxxxxx> wrote:
>
> On Fri, Jun 09, 2023 at 01:13:55PM +0000, Jordy Zomer wrote:
> > This patch fixes a spectre-v1 gadget in cdrom.
> > The gadget could be triggered by,
> > speculatively bypassing the cdi->capacity check.
> >
> > Signed-off-by: Jordy Zomer <jordyzomer@xxxxxxxxxx>
> > ---
> > drivers/cdrom/cdrom.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c > > index 416f723a2dbb..3c349bc0a269 100644 > > --- a/drivers/cdrom/cdrom.c > > +++ b/drivers/cdrom/cdrom.c > > @@ -233,6 +233,7 @@ > > > > -------------------------------------------------------------------------*/ > > > > +#include "asm/barrier.h" > > #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt > > > > #define REVISION "Revision: 3.20" > > @@ -2329,6 +2330,8 @@ static int cdrom_ioctl_media_changed(struct cdrom_device_info *cdi, > > if (arg >= cdi->capacity) > > return -EINVAL; > > > > + arg = array_index_mask_nospec(arg, cdi->capacity); > > + > > info = kmalloc(sizeof(*info), GFP_KERNEL); > > if (!info) > > return -ENOMEM;
> > --
> > 2.41.0.162.gfafddb0af9-goog
> >
>
> Hi Jordy,
>
> Thanks for the patch, much appreciated. Sadly, as Pawan has already
> pointed out, array_index_mask_nospec actually changes the behaviour of
> this function, such that 'arg' would no longer be an array index.
>
> In addition, it seems to have triggered the kernel test robot with an
> alpha build error.
>
> Regards,
> Phil
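
Review bot: In the first hunk (@@ -233,6 +233,7 @@), the added `#include "asm/barrier.h"` uses the quoted form and sits above `#define pr_fmt(fmt)`, apart from the file's other includes. Kernel headers are included with angle brackets, and pulling in the arch header directly ties the build to whatever each architecture's barrier.h happens to define, which fits the alpha build error mentioned in the reply. Suggest dropping this line and adding `#include <linux/nospec.h>` alongside the existing includes, since that header provides array_index_nospec() for every architecture.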
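
Review bot: In the second hunk (@@ -2329,6 +2330,8 @@), `arg = array_index_mask_nospec(arg, cdi->capacity);` stores the mask in arg, not the clamped index. array_index_mask_nospec() returns all ones when the index is below the size and zero otherwise, so after this line an in-range arg is no longer the slot number the caller passed, which is the behaviour change raised in the reply. Keep the placement after the `arg >= cdi->capacity` check but use `arg = array_index_nospec(arg, cdi->capacity);`, which applies the mask and returns the sanitised index. The commit message could also name the dependent access that the speculative bypass reaches, since it is not visible in this hunk.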