From: François LEGAL <[email protected]>

The RTNET sendmsg/recvmsg protocol handlers used to call copy_to/from_user on the struct user_msghdr argument. The syscall entry code already does this copy, so calling copy_to/from_user again in the handlers triggers the SPECTRE mitigation protection. This patch removes the calls in the handlers.
This patch has not been tested
Signed-off-by: François LEGAL <[email protected]>
---
 kernel/drivers/net/stack/ipv4/udp/udp.c | 16 +++-------------
 1 file changed, 3 insertions(+), 13 deletions(-)
diff --git a/kernel/drivers/net/stack/ipv4/udp/udp.c b/kernel/drivers/net/stack/ipv4/udp/udp.c
index c26b4bd..546b358 100644
--- a/kernel/drivers/net/stack/ipv4/udp/udp.c
+++ b/kernel/drivers/net/stack/ipv4/udp/udp.c
@@ -386,7 +386,7 @@ int rt_udp_ioctl(struct rtdm_fd *fd, unsigned int request, void __user *arg)
 /***
 * rt_udp_recvmsg
 */
-ssize_t rt_udp_recvmsg(struct rtdm_fd *fd, struct user_msghdr *u_msg,
+ssize_t rt_udp_recvmsg(struct rtdm_fd *fd, struct user_msghdr *msg,
 int msg_flags)
 {
 struct rtsocket *sock = rtdm_fd_to_private(fd);
@@ -400,14 +400,9 @@ ssize_t rt_udp_recvmsg(struct rtdm_fd *fd, struct user_msghdr *u_msg,
 struct sockaddr_in sin;
 nanosecs_rel_t timeout = sock->timeout;
 int ret, flags;
- struct user_msghdr _msg, *msg;
 socklen_t namelen;
 struct iovec iov_fast[RTDM_IOV_FASTMAX], *iov;
- msg = rtnet_get_arg(fd, &_msg, u_msg, sizeof(_msg));
- if (IS_ERR(msg))
- return PTR_ERR(msg);
-
 if (msg->msg_iovlen < 0)
 return -EINVAL;
@@ -450,7 +445,7 @@ ssize_t rt_udp_recvmsg(struct rtdm_fd *fd, struct user_msghdr *u_msg,
 goto fail;
 namelen = sizeof(sin);
- ret = rtnet_put_arg(fd, &u_msg->msg_namelen, &namelen,
+ ret = rtnet_put_arg(fd, &msg->msg_namelen, &namelen,
 sizeof(namelen));
 if (ret)
 goto fail;
@@ -494,7 +489,7 @@ ssize_t rt_udp_recvmsg(struct rtdm_fd *fd, struct user_msghdr *u_msg,
 flags |= MSG_TRUNC;
 if (flags != msg->msg_flags) {
- ret = rtnet_put_arg(fd, &u_msg->msg_flags, &flags,
+ ret = rtnet_put_arg(fd, &msg->msg_flags, &flags,
 sizeof(flags));
 if (ret)
 goto fail;
@@ -588,7 +583,6 @@ ssize_t rt_udp_sendmsg(struct rtdm_fd *fd, const struct user_msghdr *msg,
 u16 dport;
 int err;
 rtdm_lockctx_t context;
- struct user_msghdr _msg;
 struct iovec iov_fast[RTDM_IOV_FASTMAX], *iov;
 if (msg_flags & MSG_OOB) /* Mirror BSD error message compatibility */
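Review bot: The two `rtnet_put_arg()` calls kept in `rt_udp_recvmsg` (`&msg->msg_namelen` in the `@@ -450,7 +445,7 @@` hunk and `&msg->msg_flags` in the `@@ -494,7 +489,7 @@` hunk) still treat `msg` as a user-space address, while the same function now reads `msg->msg_iovlen` and `msg->msg_flags` directly as kernel memory; both views cannot hold for one pointer. If the entry code really passes a kernel copy of the header, as the commit message says, these write-backs should presumably become plain stores, `msg->msg_namelen = sizeof(sin);` and `msg->msg_flags = flags;`, with the copy back to user space left to the entry code; `rtnet_put_arg()` is not visible here, so its behaviour for a kernel address on a user fd needs checking. If any caller can still pass the raw user pointer, the direct dereferences here and in `rt_udp_sendmsg` (last hunk) become unchecked reads of user memory, so both functions should state the contract, e.g. `/* msg is a kernel copy made by the syscall entry code, never a __user pointer */`. The patch is marked untested and both function bodies continue outside the hunks.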
@@ -597,10 +591,6 @@ ssize_t rt_udp_sendmsg(struct rtdm_fd *fd, const struct user_msghdr *msg,
 if (msg_flags & ~(MSG_DONTROUTE | MSG_DONTWAIT))
 return -EINVAL;
- msg = rtnet_get_arg(fd, &_msg, msg, sizeof(*msg));
- if (IS_ERR(msg))
- return PTR_ERR(msg);
-
 if (msg->msg_iovlen < 0)
 return -EINVAL;
