Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

iov_iter: Add missing speculation barrier to copy_from_user_iter()

The results of "access_ok()" can be mis-speculated. The result is that
the CPU can end speculatively:

    if (access_ok(from, size))
        // Right here

For the same reason as done in copy_from_user() in commit 74e19ef0ff80
("uaccess: Add speculation barrier to copy_from_user()"), add a speculation
barrier to copy_from_user_iter().

Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://patch.msgid.link/6b73e69cc7168c89df4eab0a216e3ed4cca36b0a.1763396724.git.christophe.leroy@csgroup.eu

authored by Christophe Leroy and committed by Thomas Gleixner
803abedb 4db1df7a

+11 -3
lib/iov_iter.c
··· 49 49 50 50 if (should_fail_usercopy()) 51 51 return len; 52 - if (can_do_masked_user_access()) 52 + if (can_do_masked_user_access()) { 53 53 iter_from = mask_user_address(iter_from); 54 - else if (!access_ok(iter_from, len)) 55 - return res; 54 + } else { 55 + if (!access_ok(iter_from, len)) 56 + return res; 56 57 58 + /* 59 + * Ensure that bad access_ok() speculation will not 60 + * lead to nasty side effects *after* the copy is 61 + * finished: 62 + */ 63 + barrier_nospec(); 64 + } 57 65 to += progress; 58 66 instrument_copy_from_user_before(to, iter_from, len); 59 67 res = raw_copy_from_user(to, iter_from, len);
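
Review bot: In the new else branch of the lib/iov_iter.c hunk, the comment above barrier_nospec() speaks of side effects "*after* the copy is finished", yet the barrier is placed before raw_copy_from_user(), directly behind the access_ok() check. The comment would read more clearly if it said that the barrier keeps a mis-speculated access_ok() result from letting the copy, and whatever consumes its result, run speculatively on an unchecked iter_from. The can_do_masked_user_access() branch gets no barrier; a one-line comment there saying why (the address goes through mask_user_address() instead of being checked) would keep a later reader from treating the asymmetry as an oversight.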