On 05/18/2018 07:47 AM, Greg Kroah-Hartman wrote: > On Thu, May 17, 2018 at 03:16:28PM -0500, Gustavo A. R. Silva wrote: >> pdev_nr and rhport can be controlled by user-space, hence leading to >> a potential exploitation of the Spectre variant 1 vulnerability. >> >> This issue was detected with the help of Smatch: >> drivers/usb/usbip/vhci_sysfs.c:238 detach_store() warn: potential spectre issue 'vhcis' >> drivers/usb/usbip/vhci_sysfs.c:328 attach_store() warn: potential spectre issue 'vhcis' >> drivers/usb/usbip/vhci_sysfs.c:338 attach_store() warn: potential spectre issue 'vhci->vhci_hcd_ss->vdev' >> drivers/usb/usbip/vhci_sysfs.c:340 attach_store() warn: potential spectre issue 'vhci->vhci_hcd_hs->vdev' >> >> Fix this by sanitizing pdev_nr and rhport before using them to index >> vhcis and vhci->vhci_hcd_ss->vdev respectively. >> >> Notice that given that speculation windows are large, the policy is >> to kill the speculation on the first load and not worry if it can be >> completed with a dependent load/store [1]. >> >> [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 >> >> Cc: stable@xxxxxxxxxxxxxxx >> Signed-off-by: Gustavo A. R. Silva <gustavo@xxxxxxxxxxxxxx> >> --- >> Changes in v2: >> - Place the barriers into valid_port. attach_store() doesn't call valid_port() - can you make the change to have attach_store() call valid_port() to protect that code path. > > Thanks for the change. I'll wait for Shuah's ack/review before queueing > this up just as she knows that codebase much better than anyone else. > > thanks, -- Shuah -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html