From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id DF64C3FA5EE
	for <linux-kernel@vger.kernel.org>; Tue, 24 Mar 2026 16:39:33 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1774370373; cv=none; b=jP6ONJcLnO+aX8lz085grp4wqFIhVU16suZYTDLeM7ZoOPIilN+WnuVwaGzOJQXGx/fCXNWRLSHsr7dD/hWUc6WT6t2Emu6BSzUIeBdSzcKcM+F2yd1Q9M2KuK4GUrJUpAr+LD5SgD9qMsPV3sNb1cYLcS8GWVa1VrWgK+MCwGY=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1774370373; c=relaxed/simple;
	bh=SucaKA0NzyZJdhS9+9yt3dqHcXk76x3cifX9yRYxzWQ=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version:Content-Type; b=GV6mDVUrIEpiQY8iFVY5r+k1I+n6ai3wWZCbVnEoBFoxn8zYn2PFMRG208YJHiZdnlesqgIAhtdrPPHHbAtKkrf1URi2lEcyHfLRJAEqNB+yqh4KpIV3Tf0Jp4eha67rfUyl4WRokfNO/iDC6gMle1lO46frPxcOL4f7VbW1VCk=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=rvVER+so; arc=none smtp.client-ip=10.30.226.201
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="rvVER+so"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 025E3C19424;
	Tue, 24 Mar 2026 16:39:32 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
	s=korg; t=1774370373;
	bh=SucaKA0NzyZJdhS9+9yt3dqHcXk76x3cifX9yRYxzWQ=;
	h=From:To:Cc:Subject:Date:From;
	b=rvVER+sodacBOuAVjTL/y1npPJvWbZdgWOpXhtIDcutqxMeFL5R6lcHudJBfyydmO
	 tX0HuOv5Cl4e8LQ/qJmoBXtjfxY3qGFK/GzvyeCBFDQdfXRynveRdnIp+93u9bBols
	 vTHwtEqZ7kEjZdOnZtDVXEM5a7nCHl6RdIrd9tME=
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: amd-gfx@lists.freedesktop.org
Cc: dri-devel@lists.freedesktop.org,
	linux-kernel@vger.kernel.org,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Felix Kuehling <Felix.Kuehling@amd.com>,
	Alex Deucher <alexander.deucher@amd.com>,
	=?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig@amd.com>,
	David Airlie <airlied@gmail.com>,
	Simona Vetter <simona@ffwll.ch>,
	stable <stable@kernel.org>
Subject: [PATCH] drm/amdkfd: stop speculation on the kfd_ioctl path
Date: Tue, 24 Mar 2026 17:39:09 +0100
Message-ID: <2026032408-divided-racing-fe78@gregkh>
X-Mailer: git-send-email 2.53.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-Developer-Signature: v=1; a=openpgp-sha256; l=1479; i=gregkh@linuxfoundation.org; h=from:subject:message-id; bh=SucaKA0NzyZJdhS9+9yt3dqHcXk76x3cifX9yRYxzWQ=; b=owGbwMvMwCRo6H6F97bub03G02pJDJmH9ulc2zlhS4XwwX6Jm/4aZvueiunxJft5ZK812p7lk 7rB8uSijlgWBkEmBlkxRZYv23iO7q84pOhlaHsaZg4rE8gQBi5OAZiIQiLDgmudB4Muql3+vZ/1 mn1p6tuD8VoFExkW7FQ/9WxW7hzryKtPtx3TyD5/U34rFwA=
X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
Content-Transfer-Encoding: 8bit

The kfd_ioctl takes a user controlled pointer, and then dereferences it
into a table of function pointers, the signature method of spectre
problems.  Fix this up by calling array_index_nospec() on the index to
the function pointer list.

Cc: Felix Kuehling <Felix.Kuehling@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: "Christian König" <christian.koenig@amd.com>
Cc: David Airlie <airlied@gmail.com>
Cc: Simona Vetter <simona@ffwll.ch>
Cc: stable <stable@kernel.org>
Assisted-by: gkh_clanker_2000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
index 09dabb3b3297..d2ef693c63da 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
@@ -35,6 +35,7 @@
 #include <linux/mman.h>
 #include <linux/ptrace.h>
 #include <linux/dma-buf.h>
+#include <linux/nospec.h>
 #include <linux/processor.h>
 #include "kfd_priv.h"
 #include "kfd_device_queue_manager.h"
@@ -3349,6 +3350,7 @@ static long kfd_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
 	if ((nr >= AMDKFD_COMMAND_START) && (nr < AMDKFD_COMMAND_END)) {
 		u32 amdkfd_size;
 
+		nr = array_index_nospec(nr, AMDKFD_CORE_IOCTL_COUNT);
 		ioctl = &amdkfd_ioctls[nr];
 
 		amdkfd_size = _IOC_SIZE(ioctl->cmd);
-- 
2.53.0