perf/x86/msr: Fix possible Spectre-v1 indexing in the MSR driver

> arch/x86/events/msr.c:178 msr_event_init() warn: potential spectre issue 'msr' (local cap)

Userspace controls @attr, sanitize cfg (attr->config) before using it
to index an array.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: <stable@kernel.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Ingo Molnar <mingo@kernel.org>

1 files changed, 6 insertions, 3 deletions

diff --git a/arch/x86/events/msr.c b/arch/x86/events/msr.c
index e7edf19e64c2..b4771a6ddbc1 100644
--- a/arch/x86/events/msr.c
+++ b/arch/x86/events/msr.c
@@ -1,5 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0
 #include <linux/perf_event.h>
+#include <linux/nospec.h>
 #include <asm/intel-family.h>
 
 enum perf_msr_id {
@@ -158,9 +159,6 @@ static int msr_event_init(struct perf_event *event)
         if (event->attr.type != event->pmu->type)
                 return -ENOENT;
 
-        if (cfg >= PERF_MSR_EVENT_MAX)
-                return -EINVAL;
-
         /* unsupported modes and filters */
         if (event->attr.exclude_user   ||
             event->attr.exclude_kernel ||
@@ -171,6 +169,11 @@ static int msr_event_init(struct perf_event *event)
             event->attr.sample_period) /* no sampling */
                 return -EINVAL;
 
+        if (cfg >= PERF_MSR_EVENT_MAX)
+                return -EINVAL;
+
+        cfg = array_index_nospec((unsigned long)cfg, PERF_MSR_EVENT_MAX);
+
         if (!msr[cfg].attr)
                 return -EINVAL;