nvme: prevent potential spectre v1 gadget

This patch fixes the smatch warning, "nvmet_ns_ana_grpid_store() warn:
potential spectre issue 'nvmet_ana_group_enabled' [w] (local cap)"
Prevent the contents of kernel memory from being leaked to  user space
via speculative execution by using array_index_nospec.

Signed-off-by: Nitesh Shetty <nj.shetty@samsung.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Keith Busch <kbusch@kernel.org>

diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c
index e307a04..d937fe0 100644 (file)
--- a/drivers/nvme/target/configfs.c
+++ b/drivers/nvme/target/configfs.c
@@ -18,6 +18,7 @@
 #include <linux/nvme-keyring.h>
 #include <crypto/hash.h>
 #include <crypto/kpp.h>
+#include <linux/nospec.h>
 
 #include "nvmet.h"
 
@@ -621,6 +622,7 @@ static ssize_t nvmet_ns_ana_grpid_store(struct config_item *item,
 
        down_write(&nvmet_ana_sem);
        oldgrpid = ns->anagrpid;
+       newgrpid = array_index_nospec(newgrpid, NVMET_MAX_ANAGRPS);
        nvmet_ana_group_enabled[newgrpid]++;
        ns->anagrpid = newgrpid;
        nvmet_ana_group_enabled[oldgrpid]--;
@@ -1812,6 +1814,7 @@ static struct config_group *nvmet_ana_groups_make_group(
        grp->grpid = grpid;
 
        down_write(&nvmet_ana_sem);
+       grpid = array_index_nospec(grpid, NVMET_MAX_ANAGRPS);
        nvmet_ana_group_enabled[grpid]++;
        up_write(&nvmet_ana_sem);