From c808dae1446d50f26c9708d6bd44747c1526b69b Mon Sep 17 00:00:00 2001
From: Elena Reshetova <elena.reshetova@intel.com>
Date: Fri, 15 Dec 2017 02:29:09 -0800
Subject: [PATCH 092/104] userns: prevent speculative execution

CVE-2017-5753 (Spectre v1 Intel)

Since the pos value in function m_start()
seems to be controllable by userspace and later on
conditionally (upon bound check) used to resolve
map->extent, insert an observable speculation
barrier before its usage. This should prevent
observable speculation on that branch and avoid
kernel memory leak.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 kernel/user_namespace.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index 4eacf186f5bc..da3fefe632e2 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -549,8 +549,10 @@ static void *m_start(struct seq_file *seq, loff_t *ppos,
 	struct uid_gid_extent *extent = NULL;
 	loff_t pos = *ppos;
 
-	if (pos < map->nr_extents)
+	if (pos < map->nr_extents) {
+		osb();
 		extent = &map->extent[pos];
+	}
 
 	return extent;
 }
-- 
2.15.1