4.14-stable review patch. If anyone has any objections, please let me know.
------------------ From: Jeff Moyer <[email protected]> commit a538e3ff9dabcdf6c3f477a373c629213d1c3066 upstream. Matthew pointed out that the ioctx_table is susceptible to spectre v1, because the index can be controlled by an attacker. The below patch should mitigate the attack for all of the aio system calls. Cc: [email protected] Reported-by: Matthew Wilcox <[email protected]> Reported-by: Dan Carpenter <[email protected]> Signed-off-by: Jeff Moyer <[email protected]> Signed-off-by: Jens Axboe <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> --- fs/aio.c | 2 ++ 1 file changed, 2 insertions(+) --- a/fs/aio.c +++ b/fs/aio.c @@ -43,6 +43,7 @@ #include <asm/kmap_types.h> #include <linux/uaccess.h> +#include <linux/nospec.h> #include "internal.h" @@ -1084,6 +1085,7 @@ static struct kioctx *lookup_ioctx(unsig if (!table || id >= table->nr) goto out; + id = array_index_nospec(id, table->nr); ctx = rcu_dereference(table->table[id]); if (ctx && ctx->user_id == ctx_id) { if (percpu_ref_tryget_live(&ctx->users))
