[PATCH] accel/ivpu: Fix potential Spectre issue in debugfs

Fri, 08 Aug 2025 04:11:45 -0700 

Fix potential Spectre vulnerability in repoted by smatch:
warn: potential spectre issue 'vdev->hw->hws.grace_period' [w] (local cap)
warn: potential spectre issue 'vdev->hw->hws.process_grace_period' [w] (local 
cap)
warn: potential spectre issue 'vdev->hw->hws.process_quantum' [w] (local cap)

The priority_bands_fops_write() function in ivpu_debugfs.c uses an
index 'band' derived from user input. This index is used to write to
the vdev->hw->hws.grace_period, vdev->hw->hws.process_grace_period,
and vdev->hw->hws.process_quantum arrays.

This pattern presented a potential Spectre Variant 1 (Bounds Check
Bypass) vulnerability. An attacker-controlled 'band' value could
theoretically lead to speculative out-of-bounds array writes if the
CPU speculatively executed these assignments before the bounds check
on 'band' was fully resolved.

This commit mitigates this potential vulnerability by sanitizing the
'band' index using array_index_nospec() before it is used in the
array assignments. The array_index_nospec() function ensures that
'band' is constrained to the valid range
[0, VPU_JOB_SCHEDULING_PRIORITY_BAND_COUNT - 1], even during
speculative execution.

Fixes: 320323d2e545 ("accel/ivpu: Add debugfs interface for setting HWS 
priority bands")
Cc: <sta...@vger.kernel.org> # v6.15+
Signed-off-by: Jacek Lawrynowicz <jacek.lawrynow...@linux.intel.com>
---
 drivers/accel/ivpu/ivpu_debugfs.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/accel/ivpu/ivpu_debugfs.c 
b/drivers/accel/ivpu/ivpu_debugfs.c
index cd24ccd20ba6c..2ffe5bf8f1fab 100644
--- a/drivers/accel/ivpu/ivpu_debugfs.c
+++ b/drivers/accel/ivpu/ivpu_debugfs.c
@@ -5,6 +5,7 @@
 
 #include <linux/debugfs.h>
 #include <linux/fault-inject.h>
+#include <linux/nospec.h>
 
 #include <drm/drm_debugfs.h>
 #include <drm/drm_file.h>
@@ -464,6 +465,7 @@ priority_bands_fops_write(struct file *file, const char 
__user *user_buf, size_t
        if (band >= VPU_JOB_SCHEDULING_PRIORITY_BAND_COUNT)
                return -EINVAL;
 
+       band = array_index_nospec(band, VPU_JOB_SCHEDULING_PRIORITY_BAND_COUNT);
        vdev->hw->hws.grace_period[band] = grace_period;
        vdev->hw->hws.process_grace_period[band] = process_grace_period;
        vdev->hw->hws.process_quantum[band] = process_quantum;
-- 
2.45.1

Reply via email to