From: Andrew Cooper
To: LKML
Cc: Andrew Cooper, Xin Li, "H. Peter Anvin", Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86@kernel.org
Subject: [PATCH] x86/fred: Correct speculative safety in fred_extint()
Date: Tue, 6 Jan 2026 13:15:04 +0000
Message-Id: <20260106131504.679932-1-andrew.cooper3@citrix.com>

array_index_nospec() is no use if the result gets spilled to the stack, as
it makes the believed safe-under-speculation value subject to memory
predictions.

For all practical purposes, this means array_index_nospec() must be used in
the expression that accesses the array.

As the code currently stands, it's the wrong side of irqentry_enter(), and
'index' is put into %ebp across the function call.

Remove the index variable and reposition array_index_nospec(), so it's
calculated immediately before the array access.

Fixes: 14619d912b65 ("x86/fred: FRED entry/exit and dispatch code")
Signed-off-by: Andrew Cooper
---
CC: Xin Li
CC: "H. Peter Anvin"
CC: Andy Lutomirski
CC: Thomas Gleixner
CC: Ingo Molnar
CC: Borislav Petkov
CC: Dave Hansen
CC: x86@kernel.org
CC: linux-kernel@vger.kernel.org

This is why we have array_access_nospec() in Xen, so you can't separate the
safety calculation from the array access.

The observant reader might notice that the result of reading sysvec_table[]
is also subject to memory predictions. Aren't CPUs wonderful...

In practice, even having array_index_nospec() part of the array access
expression is no guarantee of avoiding spilling to the stack. KASAN is
liable to hide a function call behind the scenes, while UBSAN is very good
at inserting its own unsafe range checks around objects it knows the size
of. Aren't compilers wonderful...

--- arch/x86/entry/entry_fred.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/arch/x86/entry/entry_fred.c b/arch/x86/entry/entry_fred.c index 94e626cc6a07..4fc5b176d3ed 100644 --- a/arch/x86/entry/entry_fred.c +++ b/arch/x86/entry/entry_fred.c @@ -159,8 +159,6 @@ void __init fred_complete_exception_setup(void) static noinstr void fred_extint(struct pt_regs *regs) { unsigned int vector =3D regs->fred_ss.vector; - unsigned int index =3D array_index_nospec(vector - FIRST_SYSTEM_VECTOR, - NR_SYSTEM_VECTORS); =20 if (WARN_ON_ONCE(vector < FIRST_EXTERNAL_VECTOR)) return; @@ -169,7 +167,8 @@ static noinstr void fred_extint(struct pt_regs *regs) irqentry_state_t state =3D irqentry_enter(regs); =20 instrumentation_begin(); - sysvec_table[index](regs); + sysvec_table[array_index_nospec(vector - FIRST_SYSTEM_VECTOR, + NR_SYSTEM_VECTORS)](regs); instrumentation_end(); irqentry_exit(regs, state); } else { base-commit: 7f98ab9da046865d57c102fd3ca9669a29845f67 --=20 2.39.5
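
Review bot: in the first hunk (the declarations at the top of fred_extint()), the commit message does not say why it is acceptable that the unclamped 'vector' is now the value held live across WARN_ON_ONCE() and, per the second hunk, irqentry_enter(). One sentence stating that a spilled or predicted 'vector' is harmless because the clamp is applied after the call, at the point of use, would make the reasoning complete for someone reading only the log.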
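
Review bot: in the second hunk, the new sysvec_table[array_index_nospec(...)](regs) subscript carries no comment explaining that the clamp has to stay inside the access expression, so a later tidy-up could hoist it back into a local and reintroduce the problem the commit message describes. Suggest a short comment above the call, or a helper that fuses clamp and access in the way the cover note describes for Xen's array_access_nospec(). The call also sits after instrumentation_begin(), which is where the cover note says instrumentation can still force a spill, so that residual risk is worth naming in the comment too.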
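
The pattern the commit message argues for, clamp and array access fused into one expression, as an added userspace illustration (not code from the patch, the kernel, or Xen). The DEMO_* names, the handler table and the ARRAY_ACCESS_NOSPEC macro are hypothetical, and the mask is a portable-C form that shows the arithmetic only, not speculation behaviour.

```c
#include <limits.h>
#include <stdio.h>

/* Branchless mask: all ones when index < size, zero otherwise.
 * Assumes size <= LONG_MAX and an arithmetic right shift of negative
 * values (true for GCC and Clang). */
static inline unsigned long index_mask_nospec(unsigned long index,
                                              unsigned long size)
{
    return (unsigned long)(~(long)(index | (size - 1UL - index)) >>
                           (sizeof(long) * CHAR_BIT - 1));
}

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical fused helper: the clamp is part of the subscript, so there
 * is no named local holding the clamped index across other calls.
 * idx is evaluated twice and must be free of side effects. */
#define ARRAY_ACCESS_NOSPEC(arr, idx) \
    ((arr)[(idx) & index_mask_nospec((idx), ARRAY_SIZE(arr))])

typedef int (*handler_t)(unsigned int vector);
static int h_slot0(unsigned int v) { (void)v; return 100; }
static int h_slot1(unsigned int v) { (void)v; return 101; }
static int h_slot2(unsigned int v) { (void)v; return 102; }
static int h_slot3(unsigned int v) { (void)v; return 103; }

#define DEMO_FIRST_VECTOR 0xecu /* constructed value for the demo */
static handler_t demo_table[4] = { h_slot0, h_slot1, h_slot2, h_slot3 };

/* Dispatch with the clamp computed immediately before the access. An
 * out-of-range index (including unsigned wrap-around from a vector below
 * DEMO_FIRST_VECTOR) is forced to slot 0 instead of reading past the table.
 * A real caller still needs its architectural range check; the mask only
 * bounds what a mispredicted check could reach. */
int demo_dispatch(unsigned int vector)
{
    return ARRAY_ACCESS_NOSPEC(demo_table, vector - DEMO_FIRST_VECTOR)(vector);
}

int main(void)
{
    printf("in range:  %d\n", demo_dispatch(0xeeu));
    printf("too high:  %d\n", demo_dispatch(0xf0u));
    printf("wrapped:   %d\n", demo_dispatch(0x20u));
    return 0;
}
```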