From: Elena Reshetova <elena.reshetova@intel.com>
Date: Thu, 4 Jan 2018 09:38:52 +0000 (-0800)
Subject: p54: prevent speculative execution
X-Git-Tag: v4.1.12-124.31.3~1379
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=faa08e2706619837cfb4d7abf7162a3ae1b7cc5f;p=users%2Fjedix%2Flinux-maple.git

p54: prevent speculative execution

Since the queue value in function p54_conf_tx()
seems to be controllable by userspace and later on
conditionally (upon bound check) used to resolve
priv->qos_params, insert an observable speculation
barrier before its usage. This should prevent
observable speculation on that branch and avoid
kernel memory leak.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

Orabug: 27340445
CVE: CVE-2017-5753

Signed-off-by: Chuck Anderson <chuck.anderson@oracle.com>
Conflicts:
	patch refers to drivers/net/wireless/intersil/p54/main.c
	code base has drivers/net/wireless/p54/main.c

Reviewed-by: John Haxby <john.haxby@oracle.com>
Signed-off-by: Kirtikar Kashyap <kirtikar.kashyap@oracle.com>
---

diff --git a/drivers/net/wireless/p54/main.c b/drivers/net/wireless/p54/main.c
index e79674f73dc5..b79bb7238892 100644
--- a/drivers/net/wireless/p54/main.c
+++ b/drivers/net/wireless/p54/main.c
@@ -417,6 +417,7 @@ static int p54_conf_tx(struct ieee80211_hw *dev,
 
 	mutex_lock(&priv->conf_mutex);
 	if (queue < dev->queues) {
+		osb();
 		P54_SET_QUEUE(priv->qos_params[queue], params->aifs,
 			params->cw_min, params->cw_max, params->txop);
 		ret = p54_set_edcf(priv);