Commit 48b8814e authored Mar 24, 2026 by Greg Kroah-Hartman Committed by Vasily Gorbik Mar 28, 2026

s390/syscalls: Add spectre boundary for syscall dispatch table



The s390 syscall number is directly controlled by userspace, but does
not have an array_index_nospec() boundary to prevent access past the
syscall function pointer tables.

Cc: Heiko Carstens <hca@linux.ibm.com>
Cc: Vasily Gorbik <gor@linux.ibm.com>
Cc: Alexander Gordeev <agordeev@linux.ibm.com>
Cc: Christian Borntraeger <borntraeger@linux.ibm.com>
Cc: Sven Schnelle <svens@linux.ibm.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Fixes: 56e62a73 ("s390: convert to generic entry")
Cc: stable@kernel.org
Assisted-by: gkh_clanker_2000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
Link: https://lore.kernel.org/r/2026032404-sterling-swoosh-43e6@gregkh


Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>

parent c5c0a268

arch/s390/kernel/syscall.c

+4 −1

Original line number	Diff line number	Diff line
		@@ -13,6 +13,7 @@
		*/

		#include <linux/cpufeature.h>
		#include <linux/nospec.h>
		#include <linux/errno.h>
		#include <linux/sched.h>
		#include <linux/mm.h>
		@@ -131,8 +132,10 @@ void noinstr __do_syscall(struct pt_regs *regs, int per_trap)
		if (unlikely(test_and_clear_pt_regs_flag(regs, PIF_SYSCALL_RET_SET)))
		goto out;
		regs->gprs[2] = -ENOSYS;
		if (likely(nr < NR_syscalls))
		if (likely(nr < NR_syscalls)) {
		nr = array_index_nospec(nr, NR_syscalls);
		regs->gprs[2] = sys_call_table[nr](regs);
		}
		out:
		syscall_exit_to_user_mode(regs);
		}