drm/bufs: Fix Spectre v1 vulnerability

LKML Archive, 15:38, Sasha Levin

idx can be indirectly controlled by user-space, hence leading to a
potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

drivers/gpu/drm/drm_bufs.c:1420 drm_legacy_freebufs() warn: potential Spectre issue 'dma->buflist' (local cap)

Fix this by sanitizing idx before using it to index dma->buflist

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store.

diff -git a/drivers/gpu/drm/drm_bufs.c b/drivers/gpu/drm/drm_bufs.c
Static struct drm_map_list *drm_find_matching_map(struct drm_device *dev,
Struct drm_local_map
-1417,6 1419,7 int drm_legacy_freebufs(struct drm_device *dev, void *data,
idx = array_index_nospec(idx, dma->buf_count)
DRM_ERROR("Process %d freeing buffer not owned\n",
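
Review bot: the array_index_nospec(idx, dma->buf_count) clamp in the drm_legacy_freebufs() hunk only helps if it comes after the architectural range check on idx and before the dma->buflist[idx] load, and the surviving lines show neither, so that ordering should be confirmed against the full hunk. A one-line comment at the call site saying that idx is user-controlled would keep the clamp from being dropped later as a redundant bounds check. The first hunk, near drm_find_matching_map(), should also be checked for the <linux/nospec.h> include that declares the helper, since no include line is visible here.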
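
The "sanitizing idx" step in the commit message comes down to branch-free mask arithmetic. The following is an added userspace illustration, not code from the patch or the kernel tree: index_mask_nospec(), index_nospec(), lookup_buf() and the sample buflist table are hypothetical names, and the mask expression is modelled on the generic fallback in the kernel's <linux/nospec.h> (the kernel also uses architecture-specific variants and compiler barriers that are omitted here).

```c
#include <limits.h>
#include <stdio.h>

/* All-ones when index < size, zero otherwise, computed without a branch
 * so there is nothing for the CPU to mispredict. Relies on arithmetic
 * right shift of a negative long, as gcc and clang implement it. */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    return (unsigned long)(~(long)(index | (size - 1UL - index))
                           >> (sizeof(long) * CHAR_BIT - 1));
}

/* In-range indexes pass through unchanged; out-of-range ones become 0. */
static unsigned long index_nospec(unsigned long index, unsigned long size)
{
    return index & index_mask_nospec(index, size);
}

#define BUF_COUNT 4UL
/* Constructed sample table standing in for dma->buflist. */
static const int buflist[BUF_COUNT] = { 10, 20, 30, 40 };

/* Same shape as the patched code path: architectural bounds check first,
 * then the clamp, then the load. Returns -1 for a rejected index. */
static int lookup_buf(unsigned long idx)
{
    if (idx >= BUF_COUNT)
        return -1;
    /* idx is caller-controlled: clamp it so a mispredicted bounds check
     * cannot feed an out-of-range value into the load below. */
    idx = index_nospec(idx, BUF_COUNT);
    return buflist[idx];
}

int main(void)
{
    unsigned long samples[] = { 0, 3, 4, ULONG_MAX };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("idx=%lu clamped=%lu value=%d\n", samples[i],
               index_nospec(samples[i], BUF_COUNT), lookup_buf(samples[i]));
    return 0;
}
```

An out-of-range index is forced to 0 rather than rejected by the clamp itself, which is why the ordinary bounds check still has to stay in front of it.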