From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 29 Apr 2018 11:07:46 +0000 (+0200)
Subject: 4.16-stable patches
X-Git-Tag: v4.16.7~32
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d0d5fabc58ff5b75a4d92bf9c06f983d82094989;p=thirdparty%2Fkernel%2Fstable-queue.git

4.16-stable patches

added patches:
	alsa-opl3-hardening-for-potential-spectre-v1.patch
---

diff --git a/queue-4.16/alsa-opl3-hardening-for-potential-spectre-v1.patch b/queue-4.16/alsa-opl3-hardening-for-potential-spectre-v1.patch
new file mode 100644
index 00000000000..fe64365edbf
--- /dev/null
+++ b/queue-4.16/alsa-opl3-hardening-for-potential-spectre-v1.patch
@@ -0,0 +1,55 @@
+From 7f054a5bee0987f1e2d4e59daea462421c76f2cb Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 24 Apr 2018 07:56:07 +0200
+Subject: ALSA: opl3: Hardening for potential Spectre v1
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 7f054a5bee0987f1e2d4e59daea462421c76f2cb upstream.
+
+As recently Smatch suggested, one place in OPL3 driver may expand the
+array directly from the user-space value with speculation:
+  sound/drivers/opl3/opl3_synth.c:476 snd_opl3_set_voice() warn: potential spectre issue 'snd_opl3_regmap'
+
+This patch puts array_index_nospec() for hardening against it.
+
+BugLink: https://marc.info/?l=linux-kernel&m=152411496503418&w=2
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/drivers/opl3/opl3_synth.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/sound/drivers/opl3/opl3_synth.c
++++ b/sound/drivers/opl3/opl3_synth.c
+@@ -21,6 +21,7 @@
+ 
+ #include <linux/slab.h>
+ #include <linux/export.h>
++#include <linux/nospec.h>
+ #include <sound/opl3.h>
+ #include <sound/asound_fm.h>
+ 
+@@ -448,7 +449,7 @@ static int snd_opl3_set_voice(struct snd
+ {
+ 	unsigned short reg_side;
+ 	unsigned char op_offset;
+-	unsigned char voice_offset;
++	unsigned char voice_offset, voice_op;
+ 
+ 	unsigned short opl3_reg;
+ 	unsigned char reg_val;
+@@ -473,7 +474,9 @@ static int snd_opl3_set_voice(struct snd
+ 		voice_offset = voice->voice - MAX_OPL2_VOICES;
+ 	}
+ 	/* Get register offset of operator */
+-	op_offset = snd_opl3_regmap[voice_offset][voice->op];
++	voice_offset = array_index_nospec(voice_offset, MAX_OPL2_VOICES);
++	voice_op = array_index_nospec(voice->op, 4);
++	op_offset = snd_opl3_regmap[voice_offset][voice_op];
+ 
+ 	reg_val = 0x00;
+ 	/* Set amplitude modulation (tremolo) effect */
diff --git a/queue-4.16/series b/queue-4.16/series
index 771efb03792..47899881a3b 100644
--- a/queue-4.16/series
+++ b/queue-4.16/series
@@ -38,3 +38,4 @@ cifs-smbd-don-t-use-rdma-read-write-when-signing-is-used.patch
 alsa-dice-fix-oui-for-tc-group.patch
 alsa-dice-fix-error-path-to-destroy-initialized-stream-data.patch
 alsa-hda-skip-jack-and-others-for-non-existing-pcm-streams.patch
+alsa-opl3-hardening-for-potential-spectre-v1.patch