4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: "Gustavo A. R. Silva" <gustavo@xxxxxxxxxxxxxx> [ Upstream commit 50d5258634aee2e62832aa086d2fb0de00e72b91 ] flen is indirectly controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. This issue was detected with the help of Smatch: net/core/filter.c:1101 bpf_check_classic() warn: potential spectre issue 'filter' [w] Fix this by sanitizing flen before using it to index filter at line 1101: switch (filter[flen - 1].code) { and through pc at line 1040: const struct sock_filter *ftest = &filter[pc]; Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 Signed-off-by: Gustavo A. R. Silva <gustavo@xxxxxxxxxxxxxx> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- net/core/filter.c | 2 ++ 1 file changed, 2 insertions(+) --- a/net/core/filter.c +++ b/net/core/filter.c @@ -51,6 +51,7 @@ #include <net/dst_metadata.h> #include <net/dst.h> #include <net/sock_reuseport.h> +#include <linux/nospec.h> /** * sk_filter_trim_cap - run a packet through a socket filter @@ -786,6 +787,7 @@ static int bpf_check_classic(const struc bool anc_found; int pc; + flen = array_index_nospec(flen, BPF_MAXINSNS + 1); /* Check the filter code now */ for (pc = 0; pc < flen; pc++) { const struct sock_filter *ftest = &filter[pc];