x86/tls: Fix possible spectre-v1 in do_get_thread_area() (993773d1) · Commits · 戴 / test

arch/x86/kernel/tls.c

+7 −2

Original line number	Original line	Diff line number	Diff line
	@@ -5,6 +5,7 @@
	#include <linux/user.h>		#include <linux/user.h>
	#include <linux/regset.h>		#include <linux/regset.h>
	#include <linux/syscalls.h>		#include <linux/syscalls.h>
			#include <linux/nospec.h>

	#include <linux/uaccess.h>		#include <linux/uaccess.h>
	#include <asm/desc.h>		#include <asm/desc.h>
	@@ -220,6 +221,7 @@ int do_get_thread_area(struct task_struct *p, int idx,
	struct user_desc __user *u_info)		struct user_desc __user *u_info)
	{		{
	struct user_desc info;		struct user_desc info;
			int index;

	if (idx == -1 && get_user(idx, &u_info->entry_number))		if (idx == -1 && get_user(idx, &u_info->entry_number))
	return -EFAULT;		return -EFAULT;
	@@ -227,8 +229,11 @@ int do_get_thread_area(struct task_struct *p, int idx,
	if (idx < GDT_ENTRY_TLS_MIN \|\| idx > GDT_ENTRY_TLS_MAX)		if (idx < GDT_ENTRY_TLS_MIN \|\| idx > GDT_ENTRY_TLS_MAX)
	return -EINVAL;		return -EINVAL;

	fill_user_desc(&info, idx,		index = idx - GDT_ENTRY_TLS_MIN;
	&p->thread.tls_array[idx - GDT_ENTRY_TLS_MIN]);		index = array_index_nospec(index,
			GDT_ENTRY_TLS_MAX - GDT_ENTRY_TLS_MIN + 1);

			fill_user_desc(&info, idx, &p->thread.tls_array[index]);

	if (copy_to_user(u_info, &info, sizeof(info)))		if (copy_to_user(u_info, &info, sizeof(info)))
	return -EFAULT;		return -EFAULT;