From 4da005561a65a997f7b4959b61b5923cbe1bd545 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 29 Apr 2018 13:07:45 +0200
Subject: [PATCH] 4.14-stable patches

added patches:
	alsa-opl3-hardening-for-potential-spectre-v1.patch
---
 ...3-hardening-for-potential-spectre-v1.patch | 55 +++++++++++++++++++
 queue-4.14/series                             |  1 +
 2 files changed, 56 insertions(+)
 create mode 100644 queue-4.14/alsa-opl3-hardening-for-potential-spectre-v1.patch

diff --git a/queue-4.14/alsa-opl3-hardening-for-potential-spectre-v1.patch b/queue-4.14/alsa-opl3-hardening-for-potential-spectre-v1.patch
new file mode 100644
index 00000000000..fe64365edbf
--- /dev/null
+++ b/queue-4.14/alsa-opl3-hardening-for-potential-spectre-v1.patch
@@ -0,0 +1,55 @@
+From 7f054a5bee0987f1e2d4e59daea462421c76f2cb Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 24 Apr 2018 07:56:07 +0200
+Subject: ALSA: opl3: Hardening for potential Spectre v1
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 7f054a5bee0987f1e2d4e59daea462421c76f2cb upstream.
+
+As recently Smatch suggested, one place in OPL3 driver may expand the
+array directly from the user-space value with speculation:
+  sound/drivers/opl3/opl3_synth.c:476 snd_opl3_set_voice() warn: potential spectre issue 'snd_opl3_regmap'
+
+This patch puts array_index_nospec() for hardening against it.
+
+BugLink: https://marc.info/?l=linux-kernel&m=152411496503418&w=2
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/drivers/opl3/opl3_synth.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/sound/drivers/opl3/opl3_synth.c
++++ b/sound/drivers/opl3/opl3_synth.c
+@@ -21,6 +21,7 @@
+ 
+ #include <linux/slab.h>
+ #include <linux/export.h>
++#include <linux/nospec.h>
+ #include <sound/opl3.h>
+ #include <sound/asound_fm.h>
+ 
+@@ -448,7 +449,7 @@ static int snd_opl3_set_voice(struct snd
+ {
+ 	unsigned short reg_side;
+ 	unsigned char op_offset;
+-	unsigned char voice_offset;
++	unsigned char voice_offset, voice_op;
+ 
+ 	unsigned short opl3_reg;
+ 	unsigned char reg_val;
+@@ -473,7 +474,9 @@ static int snd_opl3_set_voice(struct snd
+ 		voice_offset = voice->voice - MAX_OPL2_VOICES;
+ 	}
+ 	/* Get register offset of operator */
+-	op_offset = snd_opl3_regmap[voice_offset][voice->op];
++	voice_offset = array_index_nospec(voice_offset, MAX_OPL2_VOICES);
++	voice_op = array_index_nospec(voice->op, 4);
++	op_offset = snd_opl3_regmap[voice_offset][voice_op];
+ 
+ 	reg_val = 0x00;
+ 	/* Set amplitude modulation (tremolo) effect */
diff --git a/queue-4.14/series b/queue-4.14/series
index 593dca03b8e..0914770dec7 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -34,3 +34,4 @@ tty-use-__gfp_nofail-for-tty_ldisc_get.patch
 alsa-dice-fix-oui-for-tc-group.patch
 alsa-dice-fix-error-path-to-destroy-initialized-stream-data.patch
 alsa-hda-skip-jack-and-others-for-non-existing-pcm-streams.patch
+alsa-opl3-hardening-for-potential-spectre-v1.patch
-- 
2.47.3