x86/fred: Correct speculative safety in fred_extint()

array_index_nospec() is no use if the result gets spilled to the stack, as
it makes the believed safe-under-speculation value subject to memory
predictions.

For all practical purposes, this means array_index_nospec() must be used in
the expression that accesses the array.

As the code currently stands, it's the wrong side of irqentry_enter(), and
'index' is put into %ebp across the function call.

Remove the index variable and reposition array_index_nospec(), so it's
calculated immediately before the array access.

Fixes: 14619d912b65 ("x86/fred: FRED entry/exit and dispatch code")
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://patch.msgid.link/20260106131504.679932-1-andrew.cooper3@citrix.com

diff --git a/arch/x86/entry/entry_fred.c b/arch/x86/entry/entry_fred.c
index a9b72997103d271a11dc511002fb3f73b5727d7d..88c757ac8ccd4897709e64f3e487f4e37a8b2933 100644 (file)
--- a/arch/x86/entry/entry_fred.c
+++ b/arch/x86/entry/entry_fred.c
@@ -160,8 +160,6 @@ void __init fred_complete_exception_setup(void)
 static noinstr void fred_extint(struct pt_regs *regs)
 {
        unsigned int vector = regs->fred_ss.vector;
-       unsigned int index = array_index_nospec(vector - FIRST_SYSTEM_VECTOR,
-                                               NR_SYSTEM_VECTORS);
 
        if (WARN_ON_ONCE(vector < FIRST_EXTERNAL_VECTOR))
                return;
@@ -170,7 +168,8 @@ static noinstr void fred_extint(struct pt_regs *regs)
                irqentry_state_t state = irqentry_enter(regs);
 
                instrumentation_begin();
-               sysvec_table[index](regs);
+               sysvec_table[array_index_nospec(vector - FIRST_SYSTEM_VECTOR,
+                                               NR_SYSTEM_VECTORS)](regs);
                instrumentation_end();
                irqentry_exit(regs, state);
        } else {