Commit 46feb6b4 authored by Gustavo A. R. Silva, committed by Bjorn Helgaas

switchtec: Fix Spectre v1 vulnerability

p.port can be indirectly controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

  drivers/pci/switch/switchtec.c:912 ioctl_port_to_pff() warn: potential spectre issue 'pcfg->dsp_pff_inst_id' [r]

Fix this by sanitizing p.port before using it to index

Notice that given that speculation windows are large, the policy is to kill
the speculation on the first load and not worry if it can be completed with
a dependent load/store [1].

[1] Gustavo A. R. Silva
Signed-off-by: Bjorn Helgaas
Acked-by: Logan Gunthorpe
parent 50ca031b
......@@ -14,6 +14,8 @@
#include <linux/poll.h>
#include <linux/wait.h>
#include <linux/nospec.h>
MODULE_DESCRIPTION("Microsemi Switchtec(tm) PCIe Management Driver");
......@@ -909,6 +911,8 @@ static int ioctl_port_to_pff(struct switchtec_dev *stdev,
if (p.port > ARRAY_SIZE(pcfg->dsp_pff_inst_id))
return -EINVAL;
p.port = array_index_nospec(p.port,
ARRAY_SIZE(pcfg->dsp_pff_inst_id) + 1);
p.pff = ioread32(&pcfg->dsp_pff_inst_id[p.port - 1]);
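Review bot: the clamp is applied to p.port with a size of ARRAY_SIZE(pcfg->dsp_pff_inst_id) + 1, but the load on the following line indexes with p.port - 1, so the sanitized value is not the index that is actually used. array_index_nospec() yields 0 for an out-of-range value, which means that on a mispredicted bounds check the index becomes 0 - 1 rather than a valid slot, and nothing in the visible lines excludes p.port == 0 on this path. Suggest clamping the index itself, for example array_index_nospec(p.port - 1, ARRAY_SIZE(pcfg->dsp_pff_inst_id)), or at least adding a comment that explains the + 1 and why the 0 case is harmless here.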