Patch "nvme: prevent potential spectre v1 gadget" has been added to the 6.1-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Tue, 16 Jan 2024 05:52:51 -0500

This is a note to let you know that I've just added the patch titled

    nvme: prevent potential spectre v1 gadget

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     nvme-prevent-potential-spectre-v1-gadget.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit c6d53a1cad59b2e764dd47f8fcb20426198cc4ad
Author: Nitesh Shetty <nj.shetty@xxxxxxxxxxx>
Date:   Tue Nov 28 17:59:57 2023 +0530

    nvme: prevent potential spectre v1 gadget
    
    [ Upstream commit 20dc66f2d76b4a410df14e4675e373b718babc34 ]
    
    This patch fixes the smatch warning, "nvmet_ns_ana_grpid_store() warn:
    potential spectre issue 'nvmet_ana_group_enabled' [w] (local cap)"
    Prevent the contents of kernel memory from being leaked to  user space
    via speculative execution by using array_index_nospec.
    
    Signed-off-by: Nitesh Shetty <nj.shetty@xxxxxxxxxxx>
    Reviewed-by: Christoph Hellwig <hch@xxxxxx>
    Reviewed-by: Sagi Grimberg <sagi@xxxxxxxxxxx>
    Signed-off-by: Keith Busch <kbusch@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c
index 6a2816f3b4e8..73ae16059a1c 100644
--- a/drivers/nvme/target/configfs.c
+++ b/drivers/nvme/target/configfs.c
@@ -16,6 +16,7 @@
 #endif
 #include <crypto/hash.h>
 #include <crypto/kpp.h>
+#include <linux/nospec.h>
 
 #include "nvmet.h"
 
@@ -508,6 +509,7 @@ static ssize_t nvmet_ns_ana_grpid_store(struct config_item *item,
 
 	down_write(&nvmet_ana_sem);
 	oldgrpid = ns->anagrpid;
+	newgrpid = array_index_nospec(newgrpid, NVMET_MAX_ANAGRPS);
 	nvmet_ana_group_enabled[newgrpid]++;
 	ns->anagrpid = newgrpid;
 	nvmet_ana_group_enabled[oldgrpid]--;
@@ -1580,6 +1582,7 @@ static struct config_group *nvmet_ana_groups_make_group(
 	grp->grpid = grpid;
 
 	down_write(&nvmet_ana_sem);
+	grpid = array_index_nospec(grpid, NVMET_MAX_ANAGRPS);
 	nvmet_ana_group_enabled[grpid]++;
 	up_write(&nvmet_ana_sem);
 







