From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 29 Apr 2018 11:07:44 +0000 (+0200)
Subject: 3.18-stable patches
X-Git-Tag: v4.16.7~34
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d651a3da0e215f9df540025cf65cde30c93cb1c7;p=thirdparty%2Fkernel%2Fstable-queue.git

3.18-stable patches

added patches:
	alsa-opl3-hardening-for-potential-spectre-v1.patch
---

diff --git a/queue-3.18/alsa-opl3-hardening-for-potential-spectre-v1.patch b/queue-3.18/alsa-opl3-hardening-for-potential-spectre-v1.patch
new file mode 100644
index 00000000000..fe64365edbf
--- /dev/null
+++ b/queue-3.18/alsa-opl3-hardening-for-potential-spectre-v1.patch
@@ -0,0 +1,55 @@
+From 7f054a5bee0987f1e2d4e59daea462421c76f2cb Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 24 Apr 2018 07:56:07 +0200
+Subject: ALSA: opl3: Hardening for potential Spectre v1
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 7f054a5bee0987f1e2d4e59daea462421c76f2cb upstream.
+
+As recently Smatch suggested, one place in OPL3 driver may expand the
+array directly from the user-space value with speculation:
+  sound/drivers/opl3/opl3_synth.c:476 snd_opl3_set_voice() warn: potential spectre issue 'snd_opl3_regmap'
+
+This patch puts array_index_nospec() for hardening against it.
+
+BugLink: https://marc.info/?l=linux-kernel&m=152411496503418&w=2
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/drivers/opl3/opl3_synth.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/sound/drivers/opl3/opl3_synth.c
++++ b/sound/drivers/opl3/opl3_synth.c
+@@ -21,6 +21,7 @@
+ 
+ #include <linux/slab.h>
+ #include <linux/export.h>
++#include <linux/nospec.h>
+ #include <sound/opl3.h>
+ #include <sound/asound_fm.h>
+ 
+@@ -448,7 +449,7 @@ static int snd_opl3_set_voice(struct snd
+ {
+ 	unsigned short reg_side;
+ 	unsigned char op_offset;
+-	unsigned char voice_offset;
++	unsigned char voice_offset, voice_op;
+ 
+ 	unsigned short opl3_reg;
+ 	unsigned char reg_val;
+@@ -473,7 +474,9 @@ static int snd_opl3_set_voice(struct snd
+ 		voice_offset = voice->voice - MAX_OPL2_VOICES;
+ 	}
+ 	/* Get register offset of operator */
+-	op_offset = snd_opl3_regmap[voice_offset][voice->op];
++	voice_offset = array_index_nospec(voice_offset, MAX_OPL2_VOICES);
++	voice_op = array_index_nospec(voice->op, 4);
++	op_offset = snd_opl3_regmap[voice_offset][voice_op];
+ 
+ 	reg_val = 0x00;
+ 	/* Set amplitude modulation (tremolo) effect */
diff --git a/queue-3.18/series b/queue-3.18/series
index 42c4252155a..caeb9b0b38e 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -13,3 +13,4 @@ virtio_console-free-buffers-after-reset.patch
 tty-n_gsm-fix-long-delays-with-control-frame-timeouts-in-adm-mode.patch
 tty-n_gsm-fix-dlci-handling-for-adm-mode-if-debug-2-is-not-set.patch
 tty-use-__gfp_nofail-for-tty_ldisc_get.patch
+alsa-opl3-hardening-for-potential-spectre-v1.patch