diff options
| author | Greg Kroah-Hartman <gregkh@google.com> | 2021-06-16 12:05:35 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@google.com> | 2021-06-16 12:05:35 +0200 |
| commit | 28a3d5b101b3adfe4eef230ead62d824a103199e (patch) | |
| tree | 27c1a50aa74d3a3c65a7e4c2dfc383d693a48f30 /include | |
| parent | 8e20329c9797fabc6c2cade73b4371509b58e18b (diff) | |
| parent | 78fba0641f54c8dc3624eba7cbc1252be35fa18e (diff) | |
Merge 4.4.273 into android-4.4-p
Changes in 4.4.273
proc: Track /proc/$pid/attr/ opener mm_struct
net/nfc/rawsock.c: fix a permission check bug
ASoC: sti-sas: add missing MODULE_DEVICE_TABLE
isdn: mISDN: netjet: Fix crash in nj_probe:
bonding: init notify_work earlier to avoid uninitialized use
netlink: disable IRQs for netlink_lock_table()
net: mdiobus: get rid of a BUG_ON()
net/qla3xxx: fix schedule while atomic in ql_sem_spinlock
scsi: vmw_pvscsi: Set correct residual data length
scsi: target: qla2xxx: Wait for stop_phase1 at WWN removal
net: macb: ensure the device is available before accessing GEMGXL control registers
net: appletalk: cops: Fix data race in cops_probe1
MIPS: Fix kernel hang under FUNCTION_GRAPH_TRACER and PREEMPT_TRACER
bnx2x: Fix missing error code in bnx2x_iov_init_one()
powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P2041 i2c controllers
powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P1010 i2c controllers
i2c: mpc: Make use of i2c_recover_bus()
i2c: mpc: implement erratum A-004447 workaround
kvm: avoid speculation-based attacks from out-of-range memslot accesses
btrfs: return value from btrfs_mark_extent_written() in case of error
cgroup1: don't allow '\n' in renaming
USB: f_ncm: ncm_bitrate (speed) is unsigned
usb: dwc3: ep0: fix NULL pointer exception
USB: serial: ftdi_sio: add NovaTech OrionMX product ID
USB: serial: omninet: add device id for Zyxel Omni 56K Plus
USB: serial: quatech2: fix control-request directions
usb: gadget: eem: fix wrong eem header operation
perf: Fix data race between pin_count increment/decrement
NFS: Fix a potential NULL dereference in nfs_get_client()
perf session: Correct buffer copying when peeking events
kvm: fix previous commit for 32-bit builds
NFSv4: nfs4_proc_set_acl needs to restore NFS_CAP_UIDGID_NOMAP on error.
scsi: core: Only put parent device if host state differs from SHOST_CREATED
ftrace: Do not blindly read the ip address in ftrace_bug()
proc: only require mm_struct for writing
Linux 4.4.273
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I97fdaeb60b62a57bf34ecceabda8be5cee23a0e7
Diffstat (limited to 'include')
| -rw-r--r-- | include/linux/kvm_host.h | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h index 19291f86d16c..1e62865821d9 100644 --- a/include/linux/kvm_host.h +++ b/include/linux/kvm_host.h @@ -25,6 +25,7 @@ #include <linux/irqflags.h> #include <linux/context_tracking.h> #include <linux/irqbypass.h> +#include <linux/nospec.h> #include <asm/signal.h> #include <linux/kvm.h> @@ -952,7 +953,15 @@ __gfn_to_memslot(struct kvm_memslots *slots, gfn_t gfn) static inline unsigned long __gfn_to_hva_memslot(struct kvm_memory_slot *slot, gfn_t gfn) { - return slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE; + /* + * The index was checked originally in search_memslots. To avoid + * that a malicious guest builds a Spectre gadget out of e.g. page + * table walks, do not let the processor speculate loads outside + * the guest's registered memslots. + */ + unsigned long offset = gfn - slot->base_gfn; + offset = array_index_nospec(offset, slot->npages); + return slot->userspace_addr + offset * PAGE_SIZE; } static inline int memslot_id(struct kvm *kvm, gfn_t gfn) |