cw1200: prevent speculative execution

Since the queue value in function cw1200_conf_tx()
seems to be controllable by userspace and later on
conditionally (upon bound check) used in
WSM_TX_QUEUE_SET, insert an observable speculation
barrier before its usage. This should prevent
observable speculation on that branch and avoid
kernel memory leak.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Orabug: 27340445
CVE: CVE-2017-5753

Signed-off-by: Chuck Anderson <chuck.anderson@oracle.com>
Conflicts:
        patch refers to drivers/net/wireless/st/cw1200/sta.c
        code base has drivers/net/wireless/cw1200/sta.c

Reviewed-by: John Haxby <john.haxby@oracle.com>
Signed-off-by: Kirtikar Kashyap <kirtikar.kashyap@oracle.com>

diff --git a/drivers/net/wireless/cw1200/sta.c b/drivers/net/wireless/cw1200/sta.c
index b0f65fa094287868f21802c89f395d99996a4f11..d1626f56c6eeaa3408062f39ae8cabb776611403 100644 (file)
--- a/drivers/net/wireless/cw1200/sta.c
+++ b/drivers/net/wireless/cw1200/sta.c
@@ -623,6 +623,7 @@ int cw1200_conf_tx(struct ieee80211_hw *dev, struct ieee80211_vif *vif,
        mutex_lock(&priv->conf_mutex);
 
        if (queue < dev->queues) {
+               osb();
                old_uapsd_flags = le16_to_cpu(priv->uapsd_info.uapsd_flags);
 
                WSM_TX_QUEUE_SET(&priv->tx_queue_params, queue, 0, 0, 0);