diff mbox series

[5.4,391/475] dm ioctl: prevent potential spectre v1 gadget

Message ID	20220414110906.014386562@linuxfoundation.org
State	Superseded
Headers	show Return-Path: <stable-owner@kernel.org> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, Jordy Zomer <jordy@pwning.systems>, Mike Snitzer <snitzer@redhat.com>, Sasha Levin <sashal@kernel.org> Subject: [PATCH 5.4 391/475] dm ioctl: prevent potential spectre v1 gadget Date: Thu, 14 Apr 2022 15:12:56 +0200 Message-Id: <20220414110906.014386562@linuxfoundation.org> In-Reply-To: <20220414110855.141582785@linuxfoundation.org> References: <20220414110855.141582785@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	None \| expand [5.4,002/475] USB: serial: pl2303: add IBM device IDs [5.4,003/475] USB: serial: simple: add Nokia phone driver [5.4,004/475] hv: utils: add PTP_1588_CLOCK to Kconfig to fix build [5.4,005/475] netdevice: add the case if dev is NULL [5.4,006/475] HID: logitech-dj: add new lightspeed receiver id [5.4,007/475] xfrm: fix tunnel model fragmentation behavior [5.4,008/475] virtio_console: break out of buf poll on remove [5.4,009/475] ethernet: sun: Free the coherent when failing in probing [5.4,010/475] spi: Fix invalid sgs value [5.4,011/475] net:mcf8390: Use platform_get_irq() to get the interrupt [5.4,012/475] spi: Fix erroneous sgs value with min_t() [5.4,013/475] af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register [5.4,014/475] net: dsa: microchip: add spi_device_id tables [5.4,015/475] iommu/iova: Improve 32-bit free space estimate [5.4,016/475] tpm: fix reference counting for struct tpm_chip [5.4,017/475] block: Add a helper to validate the block size [5.4,018/475] virtio-blk: Use blk_validate_block_size() to validate block size [5.4,019/475] USB: usb-storage: Fix use of bitfields for hardware data in ene_ub6250.c [5.4,020/475] xhci: fix runtime PM imbalance in USB2 resume [5.4,021/475] xhci: make xhci_handshake timeout for xhci_reset() adjustable [5.4,022/475] xhci: fix uninitialized string returned by xhci_decode_ctrl_ctx() [5.4,023/475] coresight: Fix TRCCONFIGR.QE sysfs interface [5.4,024/475] iio: afe: rescale: use s64 for temporary scale calculations [5.4,025/475] iio: inkern: apply consumer scale on IIO_VAL_INT cases [5.4,026/475] iio: inkern: apply consumer scale when no channel scale is available [5.4,027/475] iio: inkern: make a best effort on offset calculation [5.4,028/475] greybus: svc: fix an error handling bug in gb_svc_hello() [5.4,029/475] clk: uniphier: Fix fixed-rate initialization [5.4,030/475] ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE [5.4,031/475] KEYS: fix length validation in keyctl_pkey_params_get_2() [5.4,032/475] Documentation: add link to stable release candidate tree [5.4,033/475] Documentation: update stable tree link [5.4,034/475] HID: intel-ish-hid: Use dma_alloc_coherent for firmware update [5.4,035/475] SUNRPC: avoid race between mod_timer() and del_timer_sync() [5.4,036/475] NFSD: prevent underflow in nfssvc_decode_writeargs() [5.4,037/475] NFSD: prevent integer overflow on 32 bit systems [5.4,038/475] f2fs: fix to unlock page correctly in error path of is_alive() [5.4,039/475] f2fs: quota: fix loop condition at f2fs_quota_sync() [5.4,040/475] f2fs: fix to do sanity check on .cp_pack_total_block_count [5.4,041/475] pinctrl: samsung: drop pin banks references on error paths [5.4,042/475] spi: mxic: Fix the transmit path [5.4,043/475] can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb() in error path [5.4,044/475] jffs2: fix use-after-free in jffs2_clear_xattr_subsystem [5.4,045/475] jffs2: fix memory leak in jffs2_do_mount_fs [5.4,046/475] jffs2: fix memory leak in jffs2_scan_medium [5.4,047/475] mm/pages_alloc.c: dont create ZONE_MOVABLE beyond the end of a node [5.4,048/475] mm: invalidate hwpoison page cache page in fault path [5.4,049/475] mempolicy: mbind_range() set_policy() after vma_merge() [5.4,050/475] scsi: libsas: Fix sas_ata_qc_issue() handling of NCQ NON DATA commands [5.4,051/475] qed: display VF trust config [5.4,052/475] qed: validate and restrict untrusted VFs vlan promisc mode [5.4,053/475] riscv: Fix fill_callchain return value [5.4,054/475] Revert "Input: clear BTN_RIGHT/MIDDLE on buttonpads" [5.4,055/475] ALSA: cs4236: fix an incorrect NULL check on list iterator [5.4,056/475] ALSA: hda/realtek: Fix audio regression on Mi Notebook Pro 2020 [5.4,057/475] mm,hwpoison: unmap poisoned page before invalidation [5.4,058/475] mm/kmemleak: reset tag when compare object pointer [5.4,059/475] drbd: fix potential silent data corruption [5.4,060/475] powerpc/kvm: Fix kvm_use_magic_page [5.4,061/475] udp: call udp_encap_enable for v6 sockets when enabling encap [5.4,062/475] ACPI: properties: Consistently return -ENOENT if there are no more references [5.4,063/475] drivers: hamradio: 6pack: fix UAF bug caused by mod_timer() [5.4,064/475] mailbox: tegra-hsp: Flush whole channel [5.4,065/475] block: dont merge across cgroup boundaries if blkcg is enabled [5.4,066/475] drm/edid: check basic audio support on CEA extension block [5.4,067/475] video: fbdev: sm712fb: Fix crash in smtcfb_read() [5.4,068/475] video: fbdev: atari: Atari 2 bpp (STe) palette bugfix [5.4,069/475] ARM: dts: at91: sama5d2: Fix PMERRLOC resource size [5.4,070/475] ARM: dts: exynos: fix UART3 pins configuration in Exynos5250 [5.4,071/475] ARM: dts: exynos: add missing HDMI supplies on SMDK5250 [5.4,072/475] ARM: dts: exynos: add missing HDMI supplies on SMDK5420 [5.4,073/475] carl9170: fix missing bit-wise or operator for tx_params [5.4,074/475] thermal: int340x: Increase bitmap size [5.4,075/475] lib/raid6/test: fix multiple definition linking error [5.4,076/475] crypto: rsa-pkcs1pad - correctly get hash from source scatterlist [5.4,077/475] crypto: rsa-pkcs1pad - restore signature length check [5.4,078/475] crypto: rsa-pkcs1pad - fix buffer overread in pkcs1pad_verify_complete() [5.4,079/475] DEC: Limit PMAX memory probing to R3k systems [5.4,080/475] media: davinci: vpif: fix unbalanced runtime PM get [5.4,081/475] xtensa: fix stop_machine_cpuslocked call in patch_text [5.4,082/475] xtensa: fix xtensa_wsr always writing 0 [5.4,083/475] brcmfmac: firmware: Allocate space for default boardrev in nvram [5.4,084/475] brcmfmac: pcie: Release firmwares in the brcmf_pcie_setup error path [5.4,085/475] brcmfmac: pcie: Replace brcmf_pcie_copy_mem_todev with memcpy_toio [5.4,086/475] brcmfmac: pcie: Fix crashes due to early IRQs [5.4,087/475] PCI: pciehp: Clear cmd_busy bit in polling mode [5.4,088/475] regulator: qcom_smd: fix for_each_child.cocci warnings [5.4,089/475] crypto: authenc - Fix sleep in atomic context in decrypt_tail [5.4,090/475] crypto: mxs-dcp - Fix scatterlist processing [5.4,091/475] spi: tegra114: Add missing IRQ check in tegra_spi_probe [5.4,092/475] selftests/x86: Add validity check and allow field splitting [5.4,093/475] audit: log AUDIT_TIME_* records only from rules [5.4,094/475] crypto: ccree - dont attempt 0 len DMA mappings [5.4,095/475] spi: pxa2xx-pci: Balance reference count for PCI DMA device [5.4,096/475] hwmon: (pmbus) Add mutex to regulator ops [5.4,097/475] hwmon: (sch56xx-common) Replace WDOG_ACTIVE with WDOG_HW_RUNNING [5.4,098/475] block: dont delete queue kobject before its children [5.4,099/475] PM: hibernate: fix __setup handler error handling [5.4,100/475] PM: suspend: fix return value of __setup handler [5.4,101/475] hwrng: atmel - disable trng on failure path [5.4,102/475] crypto: vmx - add missing dependencies [5.4,103/475] clocksource/drivers/timer-of: Check return value of of_iomap in timer_of_base_init() [5.4,104/475] ACPI: APEI: fix return value of __setup handlers [5.4,105/475] crypto: ccp - ccp_dmaengine_unregister release dma channels [5.4,106/475] hwmon: (pmbus) Add Vin unit off handling [5.4,107/475] clocksource: acpi_pm: fix return value of __setup handler [5.4,108/475] sched/debug: Remove mpol_get/put and task_lock/unlock from sched_show_numa [5.4,109/475] perf/core: Fix address filter parser for multiple filters [5.4,110/475] perf/x86/intel/pt: Fix address filter config for 32-bit kernel [5.4,111/475] f2fs: fix missing free nid in f2fs_handle_failed_inode [5.4,112/475] f2fs: fix to avoid potential deadlock [5.4,113/475] media: bttv: fix WARNING regression on tunerless devices [5.4,114/475] media: coda: Fix missing put_device() call in coda_get_vdoa_data [5.4,115/475] media: hantro: Fix overfill bottom register field name [5.4,116/475] media: aspeed: Correct value for h-total-pixels [5.4,117/475] video: fbdev: smscufx: Fix null-ptr-deref in ufx_usb_probe() [5.4,118/475] video: fbdev: atmel_lcdfb: fix an error code in atmel_lcdfb_probe() [5.4,119/475] video: fbdev: fbcvt.c: fix printing in fb_cvt_print_name() [5.4,120/475] ARM: dts: qcom: ipq4019: fix sleep clock [5.4,121/475] soc: qcom: rpmpd: Check for null return of devm_kcalloc [5.4,122/475] soc: qcom: aoss: remove spurious IRQF_ONESHOT flags [5.4,123/475] arm64: dts: qcom: sm8150: Correct TCS configuration for apps rsc [5.4,124/475] soc: ti: wkup_m3_ipc: Fix IRQ check in wkup_m3_ipc_probe [5.4,125/475] ARM: dts: imx: Add missing LVDS decoder on M53Menlo [5.4,126/475] media: video/hdmi: handle short reads of hdmi info frame. [5.4,127/475] media: em28xx: initialize refcount before kref_get [5.4,128/475] media: usb: go7007: s2250-board: fix leak in probe() [5.4,129/475] uaccess: fix nios2 and microblaze get_user_8() [5.4,130/475] ASoC: rt5663: check the return value of devm_kzalloc() in rt5663_parse_dp() [5.4,131/475] ASoC: ti: davinci-i2s: Add check for clk_enable() [5.4,132/475] ALSA: spi: Add check for clk_enable() [5.4,133/475] arm64: dts: ns2: Fix spi-cpol and spi-cpha property [5.4,134/475] arm64: dts: broadcom: Fix sata nodename [5.4,135/475] printk: fix return value of printk.devkmsg __setup handler [5.4,136/475] ASoC: mxs-saif: Handle errors for clk_enable [5.4,137/475] ASoC: atmel_ssc_dai: Handle errors for clk_enable [5.4,138/475] ASoC: soc-compress: prevent the potentially use of null pointer [5.4,139/475] memory: emif: Add check for setup_interrupts [5.4,140/475] memory: emif: check the pointer temp in get_device_details() [5.4,141/475] ALSA: firewire-lib: fix uninitialized flag for AV/C deferred transaction [5.4,142/475] arm64: dts: rockchip: Fix SDIO regulator supply properties on rk3399-firefly [5.4,143/475] media: stk1160: If start stream fails, return buffers with VB2_BUF_STATE_QUEUED [5.4,144/475] ASoC: atmel: Add missing of_node_put() in at91sam9g20ek_audio_probe [5.4,145/475] ASoC: wm8350: Handle error for wm8350_register_irq [5.4,146/475] ASoC: fsi: Add check for clk_enable [5.4,147/475] video: fbdev: omapfb: Add missing of_node_put() in dvic_probe_of [5.4,148/475] ivtv: fix incorrect device_caps for ivtvfb [5.4,149/475] ASoC: dmaengine: do not use a NULL prepare_slave_config() callback [5.4,150/475] ASoC: mxs: Fix error handling in mxs_sgtl5000_probe [5.4,151/475] ASoC: imx-es8328: Fix error return code in imx_es8328_probe() [5.4,152/475] ASoC: msm8916-wcd-digital: Fix missing clk_disable_unprepare() in msm8916_wcd_digit... [5.4,153/475] mmc: davinci_mmc: Handle error for clk_enable [5.4,154/475] ASoC: msm8916-wcd-analog: Fix error handling in pm8916_wcd_analog_spmi_probe [5.4,155/475] drm/bridge: Fix free wrong object in sii8620_init_rcp_input_dev [5.4,156/475] drm/bridge: Add missing pm_runtime_disable() in __dw_mipi_dsi_probe [5.4,157/475] ath10k: fix memory overwrite of the WoWLAN wakeup packet pattern [5.4,158/475] udmabuf: validate ubuf->pagecount [5.4,159/475] Bluetooth: hci_serdev: call init_rwsem() before p->open() [5.4,160/475] mtd: onenand: Check for error irq [5.4,161/475] mtd: rawnand: gpmi: fix controller timings setting [5.4,162/475] drm/edid: Dont clear formats if using deep color [5.4,163/475] drm/amd/display: Fix a NULL pointer dereference in amdgpu_dm_connector_add_common_m... [5.4,164/475] ath9k_htc: fix uninit value bugs [5.4,165/475] KVM: PPC: Fix vmx/vsx mixup in mmio emulation [5.4,166/475] i40e: dont reserve excessive XDP_PACKET_HEADROOM on XSK Rx to skb [5.4,167/475] power: reset: gemini-poweroff: Fix IRQ check in gemini_poweroff_probe [5.4,168/475] ray_cs: Check ioremap return value [5.4,169/475] powerpc/perf: Dont use perf_hw_context for trace IMC PMU [5.4,170/475] mt76: mt7603: check sta_rates pointer in mt7603_sta_rate_tbl_update [5.4,171/475] mt76: mt7615: check sta_rates pointer in mt7615_sta_rate_tbl_update [5.4,172/475] net: dsa: mv88e6xxx: Enable port policy support on 6097 [5.4,173/475] PCI: aardvark: Fix reading PCI_EXP_RTSTA_PME bit on emulated bridge [5.4,174/475] power: supply: ab8500: Fix memory leak in ab8500_fg_sysfs_init [5.4,175/475] HID: i2c-hid: fix GET/SET_REPORT for unnumbered reports [5.4,176/475] iommu/ipmmu-vmsa: Check for error num after setting mask [5.4,177/475] drm/amd/display: Add affected crtcs to atomic state for dsc mst unplug [5.4,178/475] IB/cma: Allow XRC INI QPs to set their local ACK timeout [5.4,179/475] dax: make sure inodes are flushed before destroy cache [5.4,180/475] iwlwifi: Fix -EIO error code that is never returned [5.4,181/475] iwlwifi: mvm: Fix an error code in iwl_mvm_up() [5.4,182/475] dm crypt: fix get_key_size compiler warning if !CONFIG_KEYS [5.4,183/475] scsi: pm8001: Fix command initialization in pm80XX_send_read_log() [5.4,184/475] scsi: pm8001: Fix command initialization in pm8001_chip_ssp_tm_req() [5.4,185/475] scsi: pm8001: Fix payload initialization in pm80xx_set_thermal_config() [5.4,186/475] scsi: pm8001: Fix abort all task initialization [5.4,187/475] drm/amd/display: Remove vupdate_int_entry definition [5.4,188/475] TOMOYO: fix __setup handlers return values [5.4,189/475] ext2: correct max file size computing [5.4,190/475] drm/tegra: Fix reference leak in tegra_dsi_ganged_probe [5.4,191/475] power: supply: bq24190_charger: Fix bq24190_vbus_is_enabled() wrong false return [5.4,192/475] scsi: hisi_sas: Change permission of parameter prot_mask [5.4,193/475] drm/bridge: cdns-dsi: Make sure to to create proper aliases for dt [5.4,194/475] bpf, arm64: Call build_prologue() first in first JIT pass [5.4,195/475] bpf, arm64: Feed byte-offset into bpf line info [5.4,196/475] libbpf: Skip forward declaration when counting duplicated type names [5.4,197/475] powerpc/Makefile: Dont pass -mcpu=powerpc64 when building 32-bit [5.4,198/475] KVM: x86: Fix emulation in writing cr8 [5.4,199/475] KVM: x86/emulator: Defer not-present segment check in __load_segment_descriptor() [5.4,200/475] hv_balloon: rate-limit "Unhandled message" warning [5.4,201/475] i2c: xiic: Make bus names unique [5.4,202/475] power: supply: wm8350-power: Handle error for wm8350_register_irq [5.4,203/475] power: supply: wm8350-power: Add missing free in free_charger_irq [5.4,204/475] PCI: Reduce warnings on possible RW1C corruption [5.4,205/475] mips: DEC: honor CONFIG_MIPS_FP_SUPPORT=n [5.4,206/475] powerpc/sysdev: fix incorrect use to determine if list is empty [5.4,207/475] mfd: mc13xxx: Add check for mc13xxx_irq_request [5.4,208/475] selftests/bpf: Make test_lwt_ip_encap more stable and faster [5.4,209/475] powerpc: 8xx: fix a return value error in mpc8xx_pic_init [5.4,210/475] vxcan: enable local echo for sent CAN frames [5.4,211/475] MIPS: RB532: fix return value of __setup handler [5.4,212/475] mtd: rawnand: atmel: fix refcount issue in atmel_nand_controller_init [5.4,213/475] RDMA/mlx5: Fix memory leak in error flow for subscribe event routine [5.4,214/475] bpf, sockmap: Fix memleak in tcp_bpf_sendmsg while sk msg is full [5.4,215/475] bpf, sockmap: Fix more uncharged while msg has more_data [5.4,216/475] bpf, sockmap: Fix double uncharge the mem of sk_msg [5.4,217/475] USB: storage: ums-realtek: fix error code in rts51x_read_mem() [5.4,218/475] Bluetooth: btmtksdio: Fix kernel oops in btmtksdio_interrupt [5.4,219/475] af_netlink: Fix shift out of bounds in group mask calculation [5.4,220/475] i2c: mux: demux-pinctrl: do not deactivate a master that is not active [5.4,221/475] selftests/bpf/test_lirc_mode2.sh: Exit with proper code [5.4,222/475] net: bcmgenet: Use stronger register read/writes to assure ordering [5.4,223/475] tcp: ensure PMTU updates are processed during fastopen [5.4,224/475] openvswitch: always update flow key after nat [5.4,225/475] tipc: fix the timer expires after interval 100ms [5.4,226/475] mfd: asic3: Add missing iounmap() on error asic3_mfd_probe [5.4,227/475] mxser: fix xmit_buf leak in activate when LSR == 0xff [5.4,228/475] pwm: lpc18xx-sct: Initialize driver data and hardware before pwmchip_add() [5.4,229/475] misc: alcor_pci: Fix an error handling path [5.4,230/475] staging:iio:adc:ad7280a: Fix handing of device address bit reversing. [5.4,231/475] pinctrl: renesas: r8a77470: Reduce size for narrow VIN1 channel [5.4,232/475] clk: qcom: ipq8074: Use floor ops for SDCC1 clock [5.4,233/475] phy: dphy: Correct lpx parameter and its derivatives(ta_{get,go,sure}) [5.4,234/475] serial: 8250_mid: Balance reference count for PCI DMA device [5.4,235/475] serial: 8250: Fix race condition in RTS-after-send handling [5.4,236/475] iio: adc: Add check for devm_request_threaded_irq [5.4,237/475] NFS: Return valid errors from nfs2/3_decode_dirent() [5.4,238/475] dma-debug: fix return value of __setup handlers [5.4,239/475] clk: imx7d: Remove audio_mclk_root_clk [5.4,240/475] clk: qcom: clk-rcg2: Update logic to calculate D value for RCG [5.4,241/475] clk: qcom: clk-rcg2: Update the frac table for pixel clock [5.4,242/475] remoteproc: qcom: Fix missing of_node_put in adsp_alloc_memory_region [5.4,243/475] remoteproc: qcom_wcnss: Add missing of_node_put() in wcnss_alloc_memory_region [5.4,244/475] clk: actions: Terminate clk_div_table with sentinel element [5.4,245/475] clk: loongson1: Terminate clk_div_table with sentinel element [5.4,246/475] clk: clps711x: Terminate clk_div_table with sentinel element [5.4,247/475] clk: tegra: tegra124-emc: Fix missing put_device() call in emc_ensure_emc_driver [5.4,248/475] NFS: remove unneeded check in decode_devicenotify_args() [5.4,249/475] staging: mt7621-dts: fix LEDs and pinctrl on GB-PC1 devicetree [5.4,250/475] pinctrl: mediatek: Fix missing of_node_put() in mtk_pctrl_init [5.4,251/475] pinctrl: mediatek: paris: Fix "argument" argument type for mtk_pinconf_get() [5.4,252/475] pinctrl: mediatek: paris: Fix pingroup pin config state readback [5.4,253/475] pinctrl: nomadik: Add missing of_node_put() in nmk_pinctrl_probe [5.4,254/475] pinctrl/rockchip: Add missing of_node_put() in rockchip_pinctrl_probe [5.4,255/475] tty: hvc: fix return value of __setup handler [5.4,256/475] kgdboc: fix return value of __setup handler [5.4,257/475] kgdbts: fix return value of __setup handler [5.4,258/475] firmware: google: Properly state IOMEM dependency [5.4,259/475] driver core: dd: fix return value of __setup handler [5.4,260/475] jfs: fix divide error in dbNextAG [5.4,261/475] netfilter: nf_conntrack_tcp: preserve liberal flag in tcp options [5.4,262/475] NFSv4.1: dont retry BIND_CONN_TO_SESSION on session error [5.4,263/475] clk: qcom: gcc-msm8994: Fix gpll4 width [5.4,264/475] clk: Initialize orphan req_rate [5.4,265/475] xen: fix is_xen_pmu() [5.4,266/475] net: phy: broadcom: Fix brcm_fet_config_init() [5.4,267/475] selftests: test_vxlan_under_vrf: Fix broken test case [5.4,268/475] qlcnic: dcb: default to returning -EOPNOTSUPP [5.4,269/475] net/x25: Fix null-ptr-deref caused by x25_disconnect [5.4,270/475] NFSv4/pNFS: Fix another issue with a list iterator pointing to the head [5.4,271/475] net: dsa: bcm_sf2_cfp: fix an incorrect NULL check on list iterator [5.4,272/475] lib/test: use after free in register_test_dev_kmod() [5.4,273/475] LSM: general protection fault in legacy_parse_param [5.4,274/475] gcc-plugins/stackleak: Exactly match strings instead of prefixes [5.4,275/475] pinctrl: npcm: Fix broken references to chip->parent_device [5.4,276/475] block, bfq: dont move oom_bfqq [5.4,277/475] selinux: use correct type for context length [5.4,278/475] loop: use sysfs_emit() in the sysfs xxx show() [5.4,279/475] Fix incorrect type in assignment of ipv6 port for audit [5.4,280/475] irqchip/qcom-pdc: Fix broken locking [5.4,281/475] irqchip/nvic: Release nvic_base upon failure [5.4,282/475] bfq: fix use-after-free in bfq_dispatch_request [5.4,283/475] ACPICA: Avoid walking the ACPI Namespace if it is not there [5.4,284/475] lib/raid6/test/Makefile: Use $(pound) instead of \# for Make 4.3 [5.4,285/475] Revert "Revert "block, bfq: honor already-setup queue merges"" [5.4,286/475] ACPI/APEI: Limit printable size of BERT table data [5.4,287/475] PM: core: keep irq flags in device_pm_check_callbacks() [5.4,288/475] spi: tegra20: Use of_device_get_match_data() [5.4,289/475] ext4: dont BUG if someone dirty pages without asking ext4 first [5.4,290/475] ntfs: add sanity check on allocation size [5.4,291/475] video: fbdev: nvidiafb: Use strscpy() to prevent buffer overflow [5.4,292/475] video: fbdev: w100fb: Reset global state [5.4,293/475] video: fbdev: cirrusfb: check pixclock to avoid divide by zero [5.4,294/475] video: fbdev: omapfb: acx565akm: replace snprintf with sysfs_emit [5.4,295/475] ARM: dts: qcom: fix gic_irq_domain_translate warnings for msm8960 [5.4,296/475] ARM: dts: bcm2837: Add the missing L1/L2 cache information [5.4,297/475] ASoC: madera: Add dependencies on MFD [5.4,298/475] ARM: ftrace: avoid redundant loads or clobbering IP [5.4,299/475] video: fbdev: omapfb: panel-dsi-cm: Use sysfs_emit() instead of snprintf() [5.4,300/475] video: fbdev: omapfb: panel-tpo-td043mtea1: Use sysfs_emit() instead of snprintf() [5.4,301/475] video: fbdev: udlfb: replace snprintf in show functions with sysfs_emit [5.4,302/475] ASoC: soc-core: skip zero num_dai component in searching dai name [5.4,303/475] media: cx88-mpeg: clear interrupt status register before streaming video [5.4,304/475] ARM: tegra: tamonten: Fix I2C3 pad setting [5.4,305/475] ARM: mmp: Fix failure to remove sram device [5.4,306/475] video: fbdev: sm712fb: Fix crash in smtcfb_write() [5.4,307/475] media: Revert "media: em28xx: add missing em28xx_close_extension" [5.4,308/475] media: hdpvr: initialize dev->worker at hdpvr_register_videodev [5.4,309/475] mmc: host: Return an error when ->enable_sdio_irq() ops is missing [5.4,310/475] ALSA: hda/realtek: Add alc256-samsung-headphone fixup [5.4,311/475] powerpc/lib/sstep: Fix sthcx instruction [5.4,312/475] powerpc/lib/sstep: Fix build errors with newer binutils [5.4,313/475] powerpc: Fix build errors with newer binutils [5.4,314/475] scsi: qla2xxx: Fix stuck session in gpdb [5.4,315/475] scsi: qla2xxx: Fix wrong FDMI data for 64G adapter [5.4,316/475] scsi: qla2xxx: Fix warning for missing error code [5.4,317/475] scsi: qla2xxx: Fix device reconnect in loop topology [5.4,318/475] scsi: qla2xxx: Add devids and conditionals for 28xx [5.4,319/475] scsi: qla2xxx: Check for firmware dump already collected [5.4,320/475] scsi: qla2xxx: Suppress a kernel complaint in qla_create_qpair() [5.4,321/475] scsi: qla2xxx: Fix disk failure to rediscover [5.4,322/475] scsi: qla2xxx: Fix incorrect reporting of task management failure [5.4,323/475] scsi: qla2xxx: Fix hang due to session stuck [5.4,324/475] scsi: qla2xxx: Fix missed DMA unmap for NVMe ls requests [5.4,325/475] scsi: qla2xxx: Fix N2N inconsistent PLOGI [5.4,326/475] scsi: qla2xxx: Reduce false trigger to login [5.4,327/475] scsi: qla2xxx: Use correct feature type field during RFF_ID processing [5.4,328/475] KVM: Prevent module exit until all VMs are freed [5.4,329/475] KVM: x86: fix sending PV IPI [5.4,330/475] ASoC: SOF: Intel: Fix NULL ptr dereference when ENOMEM [5.4,331/475] ubifs: rename_whiteout: Fix double free for whiteout_ui->data [5.4,332/475] ubifs: Fix deadlock in concurrent rename whiteout and inode writeback [5.4,333/475] ubifs: Add missing iput if do_tmpfile() failed in rename whiteout [5.4,334/475] ubifs: setflags: Make dirtied_ino_d 8 bytes aligned [5.4,335/475] ubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock() [5.4,336/475] ubifs: rename_whiteout: correct old_dir size computing [5.4,337/475] XArray: Fix xas_create_range() when multi-order entry present [5.4,338/475] can: mcba_usb: mcba_usb_start_xmit(): fix double dev_kfree_skb in error path [5.4,339/475] can: mcba_usb: properly check endpoint type [5.4,340/475] XArray: Update the LRU list in xas_split() [5.4,341/475] rtc: check if __rtc_read_time was successful [5.4,342/475] gfs2: Make sure FITRIM minlen is rounded up to fs block size [5.4,343/475] net: hns3: fix software vlan talbe of vlan 0 inconsistent with hardware [5.4,344/475] pinctrl: pinconf-generic: Print arguments for bias-pull-* [5.4,345/475] pinctrl: nuvoton: npcm7xx: Rename DS() macro to DSTR() [5.4,346/475] pinctrl: nuvoton: npcm7xx: Use %zu printk format for ARRAY_SIZE() [5.4,347/475] ASoC: mediatek: mt6358: add missing EXPORT_SYMBOLs [5.4,348/475] ubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl [5.4,349/475] ARM: iop32x: offset IRQ numbers by 1 [5.4,350/475] ACPI: CPPC: Avoid out of bounds access when parsing _CPC data [5.4,351/475] powerpc/kasan: Fix early region not updated correctly [5.4,352/475] ASoC: soc-compress: Change the check for codec_dai [5.4,353/475] mm/mmap: return 1 from stack_guard_gap __setup() handler [5.4,354/475] mm/memcontrol: return 1 from cgroup.memory __setup() handler [5.4,355/475] mm/usercopy: return 1 from hardened_usercopy __setup() handler [5.4,356/475] bpf: Fix comment for helper bpf_current_task_under_cgroup() [5.4,357/475] dt-bindings: mtd: nand-controller: Fix the reg property description [5.4,358/475] dt-bindings: mtd: nand-controller: Fix a comment in the examples [5.4,359/475] dt-bindings: spi: mxic: The interrupt property is not mandatory [5.4,360/475] ubi: fastmap: Return error code if memory allocation fails in add_aeb() [5.4,361/475] ASoC: topology: Allow TLV control to be either read or write [5.4,362/475] ARM: dts: spear1340: Update serial node properties [5.4,363/475] ARM: dts: spear13xx: Update SPI dma properties [5.4,364/475] um: Fix uml_mconsole stop/go [5.4,365/475] openvswitch: Fixed nd target mask field in the flow dump. [5.4,366/475] KVM: x86/mmu: do compare-and-exchange of gPTE via the user address [5.4,367/475] KVM: x86: Forbid VMM to set SYNIC/STIMER MSRs when SynIC wasnt activated [5.4,368/475] ubifs: Rectify space amount budget for mkdir/tmpfile operations [5.4,369/475] rtc: wm8350: Handle error for wm8350_register_irq [5.4,370/475] riscv module: remove (NOLOAD) [5.4,371/475] ARM: 9187/1: JIVE: fix return value of __setup handler [5.4,372/475] KVM: x86/svm: Clear reserved bits written to PerfEvtSeln MSRs [5.4,373/475] drm: Add orientation quirk for GPD Win Max [5.4,374/475] ath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111 [5.4,375/475] drm/amd/amdgpu/amdgpu_cs: fix refcount leak of a dma_fence obj [5.4,376/475] ptp: replace snprintf with sysfs_emit [5.4,377/475] powerpc: dts: t104xrdb: fix phy type for FMAN 4/5 [5.4,378/475] bpf: Make dst_port field in struct bpf_sock 16-bit wide [5.4,379/475] scsi: mvsas: Replace snprintf() with sysfs_emit() [5.4,380/475] scsi: bfa: Replace snprintf() with sysfs_emit() [5.4,381/475] power: supply: axp20x_battery: properly report current when discharging [5.4,382/475] ipv6: make mc_forwarding atomic [5.4,383/475] powerpc: Set crashkernel offset to mid of RMA region [5.4,384/475] drm/amdgpu: Fix recursive locking warning [5.4,385/475] PCI: aardvark: Fix support for MSI interrupts [5.4,386/475] iommu/arm-smmu-v3: fix event handling soft lockup [5.4,387/475] usb: ehci: add pci device support for Aspeed platforms [5.4,388/475] PCI: pciehp: Add Qualcomm quirk for Command Completed erratum [5.4,389/475] power: supply: axp288-charger: Set Vhold to 4.4V [5.4,390/475] ipv4: Invalidate neighbour for broadcast address upon address addition [5.4,391/475] dm ioctl: prevent potential spectre v1 gadget [5.4,392/475] drm/amdkfd: make CRAT table missing message informational only [5.4,393/475] scsi: pm8001: Fix pm8001_mpi_task_abort_resp() [5.4,394/475] scsi: aha152x: Fix aha152x_setup() __setup handler return value [5.4,395/475] net/smc: correct settings of RMB window update limit [5.4,396/475] mips: ralink: fix a refcount leak in ill_acc_of_setup() [5.4,397/475] macvtap: advertise link netns via netlink [5.4,398/475] tuntap: add sanity checks about msg_controllen in sendmsg [5.4,399/475] bnxt_en: Eliminate unintended link toggle during FW reset [5.4,400/475] MIPS: fix fortify panic when copying asm exception handlers [5.4,401/475] scsi: libfc: Fix use after free in fc_exch_abts_resp() [5.4,402/475] usb: dwc3: omap: fix "unbalanced disables for smps10_out1" on omap5evm [5.4,403/475] xtensa: fix DTC warning unit_address_format [5.4,404/475] Bluetooth: Fix use after free in hci_send_acl [5.4,405/475] netlabel: fix out-of-bounds memory accesses [5.4,406/475] init/main.c: return 1 from handled __setup() functions [5.4,407/475] minix: fix bug when opening a file with O_DIRECT [5.4,408/475] clk: si5341: fix reported clk_rate when output divider is 2 [5.4,409/475] w1: w1_therm: fixes w1_seq for ds28ea00 sensors [5.4,410/475] NFSv4: Protect the state recovery thread against direct reclaim [5.4,411/475] xen: delay xen_hvm_init_time_ops() if kdump is boot on vcpu>=32 [5.4,412/475] clk: Enforce that disjoints limits are invalid [5.4,413/475] SUNRPC/call_alloc: async tasks mustnt block waiting for memory [5.4,414/475] NFS: swap IO handling is slightly different for O_DIRECT IO [5.4,415/475] NFS: swap-out must always use STABLE writes. [5.4,416/475] serial: samsung_tty: do not unlock port->lock for uart_write_wakeup() [5.4,417/475] virtio_console: eliminate anonymous module_init & module_exit [5.4,418/475] jfs: prevent NULL deref in diFree [5.4,419/475] SUNRPC: Fix socket waits for write buffer space [5.4,420/475] parisc: Fix CPU affinity for Lasi, WAX and Dino chips [5.4,421/475] parisc: Fix patch code locking and flushing [5.4,422/475] mm: fix race between MADV_FREE reclaim and blkdev direct IO read [5.4,423/475] KVM: arm64: Check arm64_get_bp_hardening_data() didnt return NULL [5.4,424/475] drm/amdgpu: fix off by one in amdgpu_gfx_kiq_acquire() [5.4,425/475] Drivers: hv: vmbus: Fix potential crash on module unload [5.4,426/475] scsi: zorro7xx: Fix a resource leak in zorro7xx_remove_one() [5.4,427/475] net/tls: fix slab-out-of-bounds bug in decrypt_internal [5.4,428/475] net: ipv4: fix route with nexthop object delete warning [5.4,429/475] net: stmmac: Fix unset max_speed difference between DT and non-DT platforms [5.4,430/475] drm/imx: Fix memory leak in imx_pd_connector_get_modes [5.4,431/475] bnxt_en: reserve space inside receive page for skb_shared_info [5.4,432/475] IB/rdmavt: add lock to call to rvt_error_qp to prevent a race condition [5.4,433/475] dpaa2-ptp: Fix refcount leak in dpaa2_ptp_probe [5.4,434/475] ipv6: Fix stats accounting in ip6_pkt_drop [5.4,435/475] net: openvswitch: dont send internal clone attribute to the userspace. [5.4,436/475] rxrpc: fix a race in rxrpc_exit_net() [5.4,437/475] qede: confirm skb is allocated before using [5.4,438/475] spi: bcm-qspi: fix MSPI only access with bcm_qspi_exec_mem_op() [5.4,439/475] bpf: Support dual-stack sockets in bpf_tcp_check_syncookie [5.4,440/475] drbd: Fix five use after free bugs in get_initial_state [5.4,441/475] SUNRPC: Handle ENOMEM in call_transmit_status() [5.4,442/475] SUNRPC: Handle low memory situations in call_status() [5.4,443/475] perf tools: Fix perfs libperf_print callback [5.4,444/475] perf session: Remap buf if there is no space for event [5.4,445/475] Revert "mmc: sdhci-xenon: fix annoying 1.8V regulator warning" [5.4,446/475] mmc: renesas_sdhi: dont overwrite TAP settings when HS400 tuning is complete [5.4,447/475] lz4: fix LZ4_decompress_safe_partial read out of bound [5.4,448/475] mmmremap.c: avoid pointless invalidate_range_start/end on mremap(old_size=0) [5.4,449/475] mm/mempolicy: fix mpol_new leak in shared_policy_replace [5.4,450/475] x86/pm: Save the MSR validity status at context setup [5.4,451/475] x86/speculation: Restore speculation related MSRs during S3 resume [5.4,452/475] btrfs: fix qgroup reserve overflow the qgroup limit [5.4,453/475] arm64: patch_text: Fixup last cpu should be master [5.4,454/475] ata: sata_dwc_460ex: Fix crash due to OOB write [5.4,455/475] perf: qcom_l2_pmu: fix an incorrect NULL check on list iterator [5.4,456/475] irqchip/gic-v3: Fix GICR_CTLR.RWP polling [5.4,457/475] tools build: Filter out options and warnings not supported by clang [5.4,458/475] tools build: Use $(shell ) instead of `` to get embedded libperls ccopts [5.4,459/475] dmaengine: Revert "dmaengine: shdma: Fix runtime PM imbalance on error" [5.4,460/475] mmc: mmci_sdmmc: Replace sg_dma_xxx macros [5.4,461/475] mmc: mmci: stm32: correctly check all elements of sg list [5.4,462/475] mm: dont skip swap entry even if zap_details specified [5.4,463/475] arm64: module: remove (NOLOAD) from linker script [5.4,464/475] mm/sparsemem: fix mem_section will never be NULL gcc 12 warning [5.4,465/475] drm/amdkfd: add missing void argument to function kgd2kfd_init [5.4,466/475] drm/amdkfd: Fix -Wstrict-prototypes from amdgpu_amdkfd_gfx_10_0_get_functions() [5.4,467/475] io_uring: fix fs->users overflow [5.4,468/475] cgroup: Use open-time credentials for process migraton perm checks [5.4,469/475] cgroup: Allocate cgroup_file_ctx for kernfs_open_file->priv [5.4,470/475] cgroup: Use open-time cgroup namespace for process migration perm checks [5.4,471/475] selftests: cgroup: Make cg_create() use 0755 for permission instead of 0644 [5.4,472/475] selftests: cgroup: Test open-time credential usage for migration checks [5.4,473/475] selftests: cgroup: Test open-time cgroup namespace usage for migration checks [5.4,474/475] cpuidle: PSCI: Move the `has_lpi` check to the beginning of the function [5.4,475/475] ACPI: processor idle: Check for architectural support for LPI

Commit Message

Greg Kroah-Hartman April 14, 2022, 1:12 p.m. UTC

From: Jordy Zomer <jordy@jordyzomer.github.io>

[ Upstream commit cd9c88da171a62c4b0f1c70e50c75845969fbc18 ]

It appears like cmd could be a Spectre v1 gadget as it's supplied by a
user and used as an array index. Prevent the contents of kernel memory
from being leaked to userspace via speculative execution by using
array_index_nospec.

Signed-off-by: Jordy Zomer <jordy@pwning.systems>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/md/dm-ioctl.c | 2 ++
 1 file changed, 2 insertions(+)

diff mbox series

Patch

diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
index 3f15d8dc2b71..7a73f2fa0ad7 100644
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -17,6 +17,7 @@ 
 #include <linux/dm-ioctl.h>
 #include <linux/hdreg.h>
 #include <linux/compat.h>
+#include <linux/nospec.h>
 
 #include <linux/uaccess.h>
 
@@ -1696,6 +1697,7 @@  static ioctl_fn lookup_ioctl(unsigned int cmd, int *ioctl_flags)
 	if (unlikely(cmd >= ARRAY_SIZE(_ioctls)))
 		return NULL;
 
+	cmd = array_index_nospec(cmd, ARRAY_SIZE(_ioctls));
 	*ioctl_flags = _ioctls[cmd].flags;
 	return _ioctls[cmd].fn;
 }