Merge branch 'dev-5.10' into dev-5.10-inteldev-5.10.46-intel

This is the 5.10.46 stable release. Signed-off-by: Jae Hyun Yoo <jae.hyun.yoo@intel.com>
author: Jae Hyun Yoo <jae.hyun.yoo@intel.com> 2021-07-01 21:49:45 +0300
committer: Jae Hyun Yoo <jae.hyun.yoo@intel.com> 2021-07-01 21:50:09 +0300
commit: 9ec121d97a292628e01462df8f13b017add3b034 (patch)
tree: f1abf6f81c13ce58bf04abf70e75fcbaf96935c3 /include/linux/kvm_host.h
parent: ab0d43fcc078edf3123887f9bff1e8ef7d87e641 (diff)
parent: dd1e9367157f900616f0eae3cef897c23d4e7452 (diff)
download: linux-dev-5.10.46-intel.tar.xz
1 files changed, 9 insertions, 1 deletions
diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
index a2278b9ff57d..c66c702a4f07 100644
--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -1104,7 +1104,15 @@ __gfn_to_memslot(struct kvm_memslots *slots, gfn_t gfn)
 static inline unsigned long
 __gfn_to_hva_memslot(struct kvm_memory_slot *slot, gfn_t gfn)
 {
-	return slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE;
+	/*
+	 * The index was checked originally in search_memslots.  To avoid
+	 * that a malicious guest builds a Spectre gadget out of e.g. page
+	 * table walks, do not let the processor speculate loads outside
+	 * the guest's registered memslots.
+	 */
+	unsigned long offset = gfn - slot->base_gfn;
+	offset = array_index_nospec(offset, slot->npages);
+	return slot->userspace_addr + offset * PAGE_SIZE;
 }
 
 static inline int memslot_id(struct kvm *kvm, gfn_t gfn)
author	Jae Hyun Yoo <jae.hyun.yoo@intel.com>	2021-07-01 21:49:45 +0300
committer	Jae Hyun Yoo <jae.hyun.yoo@intel.com>	2021-07-01 21:50:09 +0300
commit	9ec121d97a292628e01462df8f13b017add3b034 (patch)
tree	f1abf6f81c13ce58bf04abf70e75fcbaf96935c3 /include/linux/kvm_host.h
parent	ab0d43fcc078edf3123887f9bff1e8ef7d87e641 (diff)
parent	dd1e9367157f900616f0eae3cef897c23d4e7452 (diff)
download	linux-dev-5.10.46-intel.tar.xz