Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

x86/fred: Correct speculative safety in fred_extint()

array_index_nospec() is no use if the result gets spilled to the stack, as
it makes the believed safe-under-speculation value subject to memory
predictions.

For all practical purposes, this means array_index_nospec() must be used in
the expression that accesses the array.

As the code currently stands, it's the wrong side of irqentry_enter(), and
'index' is put into %ebp across the function call.

Remove the index variable and reposition array_index_nospec(), so it's
calculated immediately before the array access.

Fixes: 14619d912b65 ("x86/fred: FRED entry/exit and dispatch code")
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://patch.msgid.link/20260106131504.679932-1-andrew.cooper3@citrix.com

authored by Andrew Cooper and committed by Peter Zijlstra
aa280a08 6de23f81

+2 -3
arch/x86/entry/entry_fred.c
··· 160 160 static noinstr void fred_extint(struct pt_regs *regs) 161 161 { 162 162 unsigned int vector = regs->fred_ss.vector; 163 - unsigned int index = array_index_nospec(vector - FIRST_SYSTEM_VECTOR, 164 - NR_SYSTEM_VECTORS); 165 163 166 164 if (WARN_ON_ONCE(vector < FIRST_EXTERNAL_VECTOR)) 167 165 return; ··· 168 170 irqentry_state_t state = irqentry_enter(regs); 169 171 170 172 instrumentation_begin(); 171 - sysvec_table[index](regs); 173 + sysvec_table[array_index_nospec(vector - FIRST_SYSTEM_VECTOR, 174 + NR_SYSTEM_VECTORS)](regs); 172 175 instrumentation_end(); 173 176 irqentry_exit(regs, state); 174 177 } else {
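
Review bot: the new `sysvec_table[array_index_nospec(vector - FIRST_SYSTEM_VECTOR, NR_SYSTEM_VECTORS)](regs);` call in fred_extint() has no comment saying why the clamp sits inside the subscript, so a later cleanup could hoist it back into a local above irqentry_enter() and reintroduce the stack spill the commit message describes. Suggest a short comment directly above the call, for example `/* Keep array_index_nospec() in the indexing expression; a local may be spilled across irqentry_enter(). */`. As a style point, the continuation line `NR_SYSTEM_VECTORS)](regs);` is hard to scan with the closing `)](` split from the opening bracket; aligning it under the first argument of array_index_nospec() would make the nesting easier to read.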