Merge tag 'drm-misc-fixes-2018-12-20' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes

Fix spectre v1 vuln in drm_ioctl Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> From: Sean Paul <sean@poorly.run> Link: https://patchwork.freedesktop.org/patch/msgid/20181220165740.GA42344@art_vandelay

Merge tag 'drm-misc-fixes-2018-12-20' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes
Fix spectre v1 vuln in drm_ioctl Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> From: Sean Paul <sean@poorly.run> Link: https://patchwork.freedesktop.org/patch/msgid/20181220165740.GA42344@art_vandelay
b6aac625 · Daniel Vetter · 7566ec39 · 505b5240 · b6aac625
Commit b6aac625 authored Dec 20, 2018 by Daniel Vetter
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 2 deletions

drivers/gpu/drm/drm_ioctl.c drivers/gpu/drm/drm_ioctl.c +8 -2

No files found.
--- a/drivers/gpu/drm/drm_ioctl.c
+++ b/drivers/gpu/drm/drm_ioctl.c
@@ -37,6 +37,7 @@
 #include <linux/pci.h>
 #include <linux/export.h>
+#include <linux/nospec.h>
 /**
 * DOC: getunique and setversion story
@@ -800,13 +801,17 @@ long drm_ioctl(struct file *filp,
 	if (is_driver_ioctl) {
 		/* driver ioctl */
-		if (nr - DRM_COMMAND_BASE >= dev->driver->num_ioctls)
+		unsigned int index = nr - DRM_COMMAND_BASE;
+		if (index >= dev->driver->num_ioctls)
 			goto err_i1;
-		ioctl = &dev->driver->ioctls[nr - DRM_COMMAND_BASE];
+		index = array_index_nospec(index, dev->driver->num_ioctls);
+		ioctl = &dev->driver->ioctls[index];
 	} else {
 		/* core ioctl */
 		if (nr >= DRM_CORE_IOCTL_COUNT)
 			goto err_i1;
+		nr = array_index_nospec(nr, DRM_CORE_IOCTL_COUNT);
 		ioctl = &drm_ioctls[nr];
 	}
@@ -888,6 +893,7 @@ bool drm_ioctl_flags(unsigned int nr, unsigned int *flags)
 	if (nr >= DRM_CORE_IOCTL_COUNT)
 		return false;
+	nr = array_index_nospec(nr, DRM_CORE_IOCTL_COUNT);
 	*flags = drm_ioctls[nr].flags;
 	return true;