Merge tag 'v5.13-rc6' into usb-next

We want the usb fixes in here as well, and this resolves some merge issues with: drivers/usb/dwc3/debugfs.c drivers/usb/dwc3/gadget.c Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-06-14 09:18:07 +0200
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-06-14 09:18:07 +0200
commit: 37fdb7c90f8cc2f41bdf2190ccc44a37bbf1a295 (patch)
tree: 2f0c6fdba85b29cf3981053f87e504163aabb270 /include/linux/kvm_host.h
parent: 12f739798470288c8c1053484fe0281fe4cc5ea4 (diff)
parent: 009c9aa5be652675a06d5211e1640e02bbb1c33d (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
index 76102efbf079..8583ed3ff344 100644
--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -1185,7 +1185,15 @@ __gfn_to_memslot(struct kvm_memslots *slots, gfn_t gfn)
 static inline unsigned long
 __gfn_to_hva_memslot(const struct kvm_memory_slot *slot, gfn_t gfn)
 {
-	return slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE;
+	/*
+	 * The index was checked originally in search_memslots.  To avoid
+	 * that a malicious guest builds a Spectre gadget out of e.g. page
+	 * table walks, do not let the processor speculate loads outside
+	 * the guest's registered memslots.
+	 */
+	unsigned long offset = gfn - slot->base_gfn;
+	offset = array_index_nospec(offset, slot->npages);
+	return slot->userspace_addr + offset * PAGE_SIZE;
 }
 
 static inline int memslot_id(struct kvm *kvm, gfn_t gfn)
author	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-06-14 09:18:07 +0200
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-06-14 09:18:07 +0200
commit	37fdb7c90f8cc2f41bdf2190ccc44a37bbf1a295 (patch)
tree	2f0c6fdba85b29cf3981053f87e504163aabb270 /include/linux/kvm_host.h
parent	12f739798470288c8c1053484fe0281fe4cc5ea4 (diff)
parent	009c9aa5be652675a06d5211e1640e02bbb1c33d (diff)