ip6mr: Fix potential Spectre v1 vulnerability

[mirror_ubuntu-bionic-kernel.git] / net / ipv6 / ip6mr.c

diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
index a2e1a864eb4695ee4323ce2f85f2a560efd73ee4..64619932d39f438175ecc474133d7f7f8b5c2211 100644 (file)
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -53,6 +53,7 @@
 #include <linux/export.h>
 #include <net/ip6_checksum.h>
 #include <linux/netconf.h>
+#include <linux/nospec.h>
 
 struct mr6_table {
        struct list_head        list;
@@ -495,6 +496,7 @@ static void *ipmr_mfc_seq_start(struct seq_file *seq, loff_t *pos)
                return ERR_PTR(-ENOENT);
 
        it->mrt = mrt;
+       it->cache = NULL;
        return *pos ? ipmr_mfc_seq_idx(net, seq->private, *pos - 1)
                : SEQ_START_TOKEN;
 }
@@ -1798,7 +1800,8 @@ int ip6_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, uns
                ret = 0;
                if (!ip6mr_new_table(net, v))
                        ret = -ENOMEM;
-               raw6_sk(sk)->ip6mr_table = v;
+               else
+                       raw6_sk(sk)->ip6mr_table = v;
                rtnl_unlock();
                return ret;
        }
@@ -1885,6 +1888,7 @@ int ip6mr_ioctl(struct sock *sk, int cmd, void __user *arg)
                        return -EFAULT;
                if (vr.mifi >= mrt->maxvif)
                        return -EINVAL;
+               vr.mifi = array_index_nospec(vr.mifi, mrt->maxvif);
                read_lock(&mrt_lock);
                vif = &mrt->vif6_table[vr.mifi];
                if (MIF_EXISTS(mrt, vr.mifi)) {
@@ -1959,6 +1963,7 @@ int ip6mr_compat_ioctl(struct sock *sk, unsigned int cmd, void __user *arg)
                        return -EFAULT;
                if (vr.mifi >= mrt->maxvif)
                        return -EINVAL;
+               vr.mifi = array_index_nospec(vr.mifi, mrt->maxvif);
                read_lock(&mrt_lock);
                vif = &mrt->vif6_table[vr.mifi];
                if (MIF_EXISTS(mrt, vr.mifi)) {