Re: [PATCH 9/9] media: pci: mgb4: fix potential spectre vulnerability

Martin Tůma <tumic@xxxxxxxxxx> · Tue, 10 Oct 2023 12:31:07 +0200

On 06. 10. 23 12:08, Hans Verkuil wrote:
Fix smatch warnings:

drivers/media/pci/mgb4/mgb4_sysfs_out.c:118 video_source_store() warn: potential spectre issue 'mgbdev->vin' [r] (local cap)
drivers/media/pci/mgb4/mgb4_sysfs_out.c:122 video_source_store() warn: possible spectre second half.  'loopin_new'

Signed-off-by: Hans Verkuil <hverkuil-cisco@xxxxxxxxx>
CC: Martin Tuma <martin.tuma@xxxxxxxxxxxxxxxxxxxxx>
---
  drivers/media/pci/mgb4/mgb4_sysfs_out.c | 5 ++++-
  1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/media/pci/mgb4/mgb4_sysfs_out.c b/drivers/media/pci/mgb4/mgb4_sysfs_out.c
index 23a9aabf3915..9f6e81c57726 100644
--- a/drivers/media/pci/mgb4/mgb4_sysfs_out.c
+++ b/drivers/media/pci/mgb4/mgb4_sysfs_out.c
@@ -8,6 +8,7 @@
   */
  
  #include <linux/device.h>
+#include <linux/nospec.h>
  #include "mgb4_core.h"
  #include "mgb4_i2c.h"
  #include "mgb4_vout.h"
@@ -114,8 +115,10 @@ static ssize_t video_source_store(struct device *dev,
  
  	if (((config & 0xc) >> 2) < MGB4_VIN_DEVICES)
  		loopin_old = mgbdev->vin[(config & 0xc) >> 2];
-	if (val < MGB4_VIN_DEVICES)
+	if (val < MGB4_VIN_DEVICES) {
+		val = array_index_nospec(val, MGB4_VIN_DEVICES);
  		loopin_new = mgbdev->vin[val];
+	}
  	if (loopin_old && loopin_cnt(loopin_old) == 1)
  		mgb4_mask_reg(&mgbdev->video, loopin_old->config->regs.config,
  			      0x2, 0x0);

Hi,
I had investigated the warning when it appeared here on the mailing 
list, but IMHO it is a false-positive, so I didn't react to it. 
MGB4_VIN_DEVICES in the condition is not a check for array bounds but a 
check whether the input source (val) is one of the inputs. Valid "val" 
values are <0,3> and only if the value is <0,1> it is used as an array 
index for the input devices (vin) array. So this is IMHO a different 
situation than desribed in the speculation document 
(https://www.kernel.org/doc/html/latest/staging/speculation.html). But I 
may be wrong and array_index_nospec() is still required here.

If the goal was just to silence smatch, than I'm ok with that, It 
shouldn't harm any performance here. Except that it will look like there 
is a possible spectre issue in the code where it in fact isn't, it 
should not change anything.

M.






