Commit 0fad94cf authored by Gustavo A. R. Silva's avatar Gustavo A. R. Silva Committed by Greg Kroah-Hartman

switchtec: Fix Spectre v1 vulnerability

commit 46feb6b4 upstream.

p.port can is indirectly controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

  drivers/pci/switch/switchtec.c:912 ioctl_port_to_pff() warn: potential spectre issue 'pcfg->dsp_pff_inst_id' [r]

Fix this by sanitizing p.port before using it to index

Notice that given that speculation windows are large, the policy is to kill
the speculation on the first load and not worry if it can be completed with
a dependent load/store [1].

[1] default avatarGustavo A. R. Silva <>
Signed-off-by: default avatarBjorn Helgaas <>
Acked-by: default avatarLogan Gunthorpe <>
Signed-off-by: default avatarGreg Kroah-Hartman <>
parent ff225750
......@@ -24,6 +24,8 @@
#include <linux/cdev.h>
#include <linux/wait.h>
#include <linux/nospec.h>
MODULE_DESCRIPTION("Microsemi Switchtec(tm) PCIe Management Driver");
......@@ -1173,6 +1175,8 @@ static int ioctl_port_to_pff(struct switchtec_dev *stdev,
if (p.port > ARRAY_SIZE(pcfg->dsp_pff_inst_id))
return -EINVAL;
p.port = array_index_nospec(p.port,
ARRAY_SIZE(pcfg->dsp_pff_inst_id) + 1);
p.pff = ioread32(&pcfg->dsp_pff_inst_id[p.port - 1]);
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment