From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail-qt1-f199.google.com (mail-qt1-f199.google.com [209.85.160.199])
	by kanga.kvack.org (Postfix) with ESMTP id 6A7A16B7CB3
	for ; Thu, 6 Dec 2018 17:26:37 -0500 (EST)
Received: by mail-qt1-f199.google.com with SMTP id w15so1879568qtk.19
	for ; Thu, 06 Dec 2018 14:26:37 -0800 (PST)
From: Jeff Moyer
Subject: Re: [PATCH] aio: Convert ioctx_table to XArray
References: <20181128183531.5139-1-willy@infradead.org>
Date: Thu, 06 Dec 2018 17:26:33 -0500
In-Reply-To: (Jeff Moyer's message of "Thu, 06 Dec 2018 17:21:31 -0500")
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain
Sender: owner-linux-mm@kvack.org
List-ID:
To: Matthew Wilcox
Cc: Alexander Viro, Benjamin LaHaise, Andrew Morton, Kees Cook, linux-fsdevel@vger.kernel.org, linux-aio@kvack.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Dan Carpenter

Jeff Moyer writes:

> Matthew Wilcox writes:
>
>> This custom resizing array was vulnerable to a Spectre attack (speculating
>> off the end of an array to a user-controlled offset). The XArray is
>> not vulnerable to Spectre as it always masks its lookups to be within
>> the bounds of the array.
>
> I'm not a big fan of completely re-writing the code to fix this. Isn't
> the below patch sufficient?

Too quick on the draw. Here's a patch that compiles. ;-)

Cheers,
Jeff

diff --git a/fs/aio.c b/fs/aio.c index 97f983592925..aac9659381d2 100644 --- a/fs/aio.c +++ b/fs/aio.c @@ -45,6 +45,7 @@ #include #include +#include #include "internal.h" @@ -1038,6 +1039,7 @@ static struct kioctx *lookup_ioctx(unsigned long ctx_id) if (!table || id >= table->nr) goto out; + id = array_index_nospec(id, table->nr); ctx = rcu_dereference(table->table[id]); if (ctx && ctx->user_id == ctx_id) { if (percpu_ref_tryget_live(&ctx->users))
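
Review bot: The added "id = array_index_nospec(id, table->nr);" in lookup_ioctx() carries no comment saying why it is there, and the mail has no changelog or Signed-off-by to go with the patch. The clamp only does its job while it sits between the "id >= table->nr" check and the "table->table[id]" load, so a one-line comment stating that id is a user-controlled index being clamped against speculative out-of-bounds reads would keep a later cleanup from moving or dropping it. The ordering as posted is right: the architectural bounds check runs first, and the clamp uses the same table->nr as that check.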