From 616abca9e7f1add8e8f26cf6d33992b76412bcec Mon Sep 17 00:00:00 2001
From: Tim Chen <tim.c.chen@linux.intel.com>
Date: Fri, 15 Dec 2017 02:29:09 -0800
Subject: [PATCH 155/194] userns: prevent speculative execution

From: Elena Reshetova <elena.reshetova@intel.com>

Since the pos value in function m_start()
seems to be controllable by userspace and later on
conditionally (upon bound check) used to resolve
map->extent, insert an observable speculation
barrier before its usage. This should prevent
observable speculation on that branch and avoid
kernel memory leak.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
---
 kernel/user_namespace.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index c490f1e..2240f36 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -543,8 +543,10 @@ static void *m_start(struct seq_file *seq, loff_t *ppos,
 	struct uid_gid_extent *extent = NULL;
 	loff_t pos = *ppos;
 
-	if (pos < map->nr_extents)
+	if (pos < map->nr_extents) {
+		osb();
 		extent = &map->extent[pos];
+	}
 
 	return extent;
 }
-- 
2.9.5