diff options
| author | Peter Zijlstra <peterz@infradead.org> | 2018-04-20 08:06:29 -0400 |
|---|---|---|
| committer | Ingo Molnar <mingo@kernel.org> | 2018-05-05 02:37:28 -0400 |
| commit | ef9ee4ad38445a30909c48998624861716f2a994 (patch) | |
| tree | 58c3666c15a10c96fcd0191e2bf906bbc6ed3fba | |
| parent | 4411ec1d1993e8dbff2898390e3fed280d88e446 (diff) | |
perf/x86: Fix possible Spectre-v1 indexing for hw_perf_event cache_*
> arch/x86/events/core.c:319 set_ext_hw_attr() warn: potential spectre issue 'hw_cache_event_ids[cache_type]' (local cap)
> arch/x86/events/core.c:319 set_ext_hw_attr() warn: potential spectre issue 'hw_cache_event_ids' (local cap)
> arch/x86/events/core.c:328 set_ext_hw_attr() warn: potential spectre issue 'hw_cache_extra_regs[cache_type]' (local cap)
> arch/x86/events/core.c:328 set_ext_hw_attr() warn: potential spectre issue 'hw_cache_extra_regs' (local cap)
Userspace controls @config which contains 3 (byte) fields used for a 3
dimensional array deref.
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: <stable@kernel.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
| -rw-r--r-- | arch/x86/events/core.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c index a6006e7bb729..b1be0ac51ce0 100644 --- a/arch/x86/events/core.c +++ b/arch/x86/events/core.c | |||
| @@ -304,17 +304,20 @@ set_ext_hw_attr(struct hw_perf_event *hwc, struct perf_event *event) | |||
| 304 | 304 | ||
| 305 | config = attr->config; | 305 | config = attr->config; |
| 306 | 306 | ||
| 307 | cache_type = (config >> 0) & 0xff; | 307 | cache_type = (config >> 0) & 0xff; |
| 308 | if (cache_type >= PERF_COUNT_HW_CACHE_MAX) | 308 | if (cache_type >= PERF_COUNT_HW_CACHE_MAX) |
| 309 | return -EINVAL; | 309 | return -EINVAL; |
| 310 | cache_type = array_index_nospec(cache_type, PERF_COUNT_HW_CACHE_MAX); | ||
| 310 | 311 | ||
| 311 | cache_op = (config >> 8) & 0xff; | 312 | cache_op = (config >> 8) & 0xff; |
| 312 | if (cache_op >= PERF_COUNT_HW_CACHE_OP_MAX) | 313 | if (cache_op >= PERF_COUNT_HW_CACHE_OP_MAX) |
| 313 | return -EINVAL; | 314 | return -EINVAL; |
| 315 | cache_op = array_index_nospec(cache_op, PERF_COUNT_HW_CACHE_OP_MAX); | ||
| 314 | 316 | ||
| 315 | cache_result = (config >> 16) & 0xff; | 317 | cache_result = (config >> 16) & 0xff; |
| 316 | if (cache_result >= PERF_COUNT_HW_CACHE_RESULT_MAX) | 318 | if (cache_result >= PERF_COUNT_HW_CACHE_RESULT_MAX) |
| 317 | return -EINVAL; | 319 | return -EINVAL; |
| 320 | cache_result = array_index_nospec(cache_result, PERF_COUNT_HW_CACHE_RESULT_MAX); | ||
| 318 | 321 | ||
| 319 | val = hw_cache_event_ids[cache_type][cache_op][cache_result]; | 322 | val = hw_cache_event_ids[cache_type][cache_op][cache_result]; |
| 320 | 323 | ||