* [PATCH] accel/ivpu: Fix potential Spectre issue in debugfs
@ 2025-08-08 11:11 Jacek Lawrynowicz
2025-08-08 15:12 ` Greg KH
0 siblings, 1 reply; 2+ messages in thread
From: Jacek Lawrynowicz @ 2025-08-08 11:11 UTC (permalink / raw)
To: dri-devel; +Cc: jeff.hugo, lizhi.hou, Jacek Lawrynowicz, stable

Fix potential Spectre vulnerability reported by smatch:

warn: potential spectre issue 'vdev->hw->hws.grace_period' [w] (local cap)
warn: potential spectre issue 'vdev->hw->hws.process_grace_period' [w] (local cap)
warn: potential spectre issue 'vdev->hw->hws.process_quantum' [w] (local cap)

The priority_bands_fops_write() function in ivpu_debugfs.c uses an
index 'band' derived from user input. This index is used to write to
the vdev->hw->hws.grace_period, vdev->hw->hws.process_grace_period,
and vdev->hw->hws.process_quantum arrays.

This pattern presented a potential Spectre Variant 1 (Bounds Check
Bypass) vulnerability. An attacker-controlled 'band' value could
theoretically lead to speculative out-of-bounds array writes if the
CPU speculatively executed these assignments before the bounds check
on 'band' was fully resolved.

This commit mitigates this potential vulnerability by sanitizing the
'band' index using array_index_nospec() before it is used in the
array assignments. The array_index_nospec() function ensures that
'band' is constrained to the valid range
[0, VPU_JOB_SCHEDULING_PRIORITY_BAND_COUNT - 1], even during
speculative execution.

Fixes: 320323d2e545 ("accel/ivpu: Add debugfs interface for setting HWS priority bands")
Cc: <stable@vger.kernel.org> # v6.15+
Signed-off-by: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
---
drivers/accel/ivpu/ivpu_debugfs.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/accel/ivpu/ivpu_debugfs.c b/drivers/accel/ivpu/ivpu_debugfs.c
index cd24ccd20ba6c..2ffe5bf8f1fab 100644
--- a/drivers/accel/ivpu/ivpu_debugfs.c
+++ b/drivers/accel/ivpu/ivpu_debugfs.c
@@ -5,6 +5,7 @@
#include <linux/debugfs.h>
#include <linux/fault-inject.h>
+#include <linux/nospec.h>
#include <drm/drm_debugfs.h>
#include <drm/drm_file.h>
@@ -464,6 +465,7 @@ priority_bands_fops_write(struct file *file, const char __user *user_buf, size_t
if (band >= VPU_JOB_SCHEDULING_PRIORITY_BAND_COUNT)
return -EINVAL;
+ band = array_index_nospec(band, VPU_JOB_SCHEDULING_PRIORITY_BAND_COUNT);
vdev->hw->hws.grace_period[band] = grace_period;
vdev->hw->hws.process_grace_period[band] = process_grace_period;
vdev->hw->hws.process_quantum[band] = process_quantum;
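Review bot: the new array_index_nospec() line in priority_bands_fops_write() depends on 'band' having an unsigned type, and its declaration is outside this hunk, so that should be confirmed in the full function. The preceding check only tests band >= VPU_JOB_SCHEDULING_PRIORITY_BAND_COUNT, and a signed negative value could pass it architecturally before the clamp ever matters. Placement is otherwise right: the clamp comes after the -EINVAL return and before all three stores, so one call covers grace_period, process_grace_period and process_quantum. A one-line comment saying that 'band' is parsed from user_buf would make the reason for the clamp obvious to later readers, and the first line of the commit message ("in repoted by smatch") should be fixed in a respin.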
--
2.45.1
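
A userspace model of the clamp the commit message describes, added here as an example and not code from the patch or the ivpu driver. It mirrors the generic branch-free mask behind array_index_nospec() in include/linux/nospec.h; BAND_COUNT (value 4), grace_period[] and set_band() are assumed stand-ins for the driver's names.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

#define BAND_COUNT 4UL  /* assumed stand-in for VPU_JOB_SCHEDULING_PRIORITY_BAND_COUNT */
#define LONG_BITS  (sizeof(long) * CHAR_BIT)

/*
 * Model of the kernel's generic array_index_mask_nospec(): all-ones when
 * index < size, zero otherwise, computed with no branch, so the result
 * does not depend on how the earlier bounds check was predicted.
 * Relies on arithmetic right shift of a negative long (GCC/Clang) and on
 * size <= LONG_MAX.
 */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
	/* Stop the compiler folding the mask away (kernel: OPTIMIZER_HIDE_VAR). */
	__asm__ volatile("" : "+r"(index));
	return (unsigned long)(~(long)(index | (size - 1UL - index)) >> (LONG_BITS - 1));
}

/* In-range indexes pass through unchanged; anything else becomes 0. */
static unsigned long index_nospec(unsigned long index, unsigned long size)
{
	return index & index_mask_nospec(index, size);
}

static unsigned int grace_period[BAND_COUNT];  /* hypothetical per-band table */

/* Hypothetical handler with the same check-then-clamp shape as the patch. */
static int set_band(unsigned long band, unsigned int value)
{
	if (band >= BAND_COUNT)
		return -EINVAL;                 /* architectural bounds check */
	band = index_nospec(band, BAND_COUNT);  /* data-dependent clamp */
	grace_period[band] = value;
	return 0;
}

int main(void)
{
	for (unsigned long i = 0; i < 6; i++)
		printf("index %lu -> mask %#lx -> clamped %lu\n", i,
		       index_mask_nospec(i, BAND_COUNT), index_nospec(i, BAND_COUNT));
	printf("set_band(9, 1) = %d\n", set_band(9, 1));
	return 0;
}
```

The clamp never changes the architectural result, because every index that reaches it has already passed the bounds check; it only pins the value to slot 0 on a mispredicted path.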
* Re: [PATCH] accel/ivpu: Fix potential Spectre issue in debugfs
2025-08-08 11:11 [PATCH] accel/ivpu: Fix potential Spectre issue in debugfs Jacek Lawrynowicz
@ 2025-08-08 15:12 ` Greg KH
0 siblings, 0 replies; 2+ messages in thread
From: Greg KH @ 2025-08-08 15:12 UTC (permalink / raw)
To: Jacek Lawrynowicz; +Cc: dri-devel, jeff.hugo, lizhi.hou, stable
On Fri, Aug 08, 2025 at 01:11:20PM +0200, Jacek Lawrynowicz wrote:
> Fix potential Spectre vulnerability reported by smatch:
> warn: potential spectre issue 'vdev->hw->hws.grace_period' [w] (local cap)
> warn: potential spectre issue 'vdev->hw->hws.process_grace_period' [w] (local cap)
> warn: potential spectre issue 'vdev->hw->hws.process_quantum' [w] (local cap)
>
> The priority_bands_fops_write() function in ivpu_debugfs.c uses an
> index 'band' derived from user input. This index is used to write to
> the vdev->hw->hws.grace_period, vdev->hw->hws.process_grace_period,
> and vdev->hw->hws.process_quantum arrays.
>
> This pattern presented a potential Spectre Variant 1 (Bounds Check
> Bypass) vulnerability. An attacker-controlled 'band' value could
> theoretically lead to speculative out-of-bounds array writes if the
> CPU speculatively executed these assignments before the bounds check
> on 'band' was fully resolved.

You do know that debugfs access is restricted to root access only, so
spectre issues are the least of your worries if you have root :)

That being said, no real objection from me for this, but there's
probably a metric-ton of these in other debugfs files if you want to
start whacking away at them...

thanks,

greg k-h