Received: by 10.192.165.148 with SMTP id m20csp4147760imm;
        Mon, 30 Apr 2018 12:39:34 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZoC6Dy4NWGXyDXqWzxBFdKqyVo1ODveI9oo+b0K7lxcHX5Zn46nCrg4fD7DQAzslv9OsEi+
X-Received: by 10.98.141.65 with SMTP id z62mr13153374pfd.144.1525117174142;
        Mon, 30 Apr 2018 12:39:34 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1525117174; cv=none;
        d=google.com; s=arc-20160816;
        b=zPCAO2uFXT4Nz4mVEU0oAOYGK3Ddhi3PVyYugjCZ0IA1pzoqW5FJWuVo5p+pUiLzIK
         fTsj102oOQ32X5o7l2vzWLfK+daJxuXPLLmKjlas4JV9eBXVHw9NODKqLmSGSV+HLtJv
         f0dWhMN3KAupbRs5507fm07NzNY6ryUL0hK6usYkBqKPzo2ddmjkzyKMz+VE5X6j+jYx
         BEWW5Yhs2yzryYEf6I7eJ4D7y5cu9xf2L0lK67mAUgWGzDk+xlATNZS2+50n174XI1bY
         beJYqi1XPlvcGKSII7bZ8JHY0txiQACQHUrCp2nAmNSDEn73K2vEvIGGr3CEcbGjtIfx
         66qg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from:dmarc-filter
         :arc-authentication-results;
        bh=Dv6RS00eLbCVpOGQDotoLD1NiiJ9D77SHf3J+qS0LXI=;
        b=n0Cz1zBLoThf2hX0RcxehOEbIK+gyy992aDx31P2c83UV16hDpbpdIyZFyZ7fOCFti
         tVl2aHSZJwdR6NASZsYARuNz6t07Z4OyaObwTO98XXd+xHBe8B0aA5GrDr19KioHpfI3
         sIy39sq9bdkshSM7YEyQKS2FJbJ08r7wHHN2i3+mdXrxt8BVU6E58Ft0y34eZVJTwHiZ
         KAJjbkLqMMtMv47+LumYMds579rby0g9qr5gPoF4DCY5X1qX+9myv+rDc7PTsuWGfzhL
         U4B4Gy0vvdVh2U+8Cs3tmxPfTNtUez2AizzthgNG/3CBWyCNGj98Y5V3fNL/L7XYRBD3
         pYDw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id t1-v6si7970203plb.90.2018.04.30.12.39.20;
        Mon, 30 Apr 2018 12:39:34 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932341AbeD3TjM (ORCPT <rfc822;chaneybenjamini@gmail.com>
        + 99 others); Mon, 30 Apr 2018 15:39:12 -0400
Received: from mail.kernel.org ([198.145.29.99]:36508 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1756354AbeD3T2g (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 30 Apr 2018 15:28:36 -0400
Received: from localhost (unknown [104.132.1.102])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 3026022DBF;
        Mon, 30 Apr 2018 19:28:36 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 3026022DBF
Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=linuxfoundation.org
Authentication-Results: mail.kernel.org; spf=fail smtp.mailfrom=gregkh@linuxfoundation.org
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Dan Carpenter <dan.carpenter@oracle.com>,
        Takashi Iwai <tiwai@suse.de>
Subject: [PATCH 4.16 043/113] ALSA: hdspm: Hardening for potential Spectre v1
Date:   Mon, 30 Apr 2018 12:24:14 -0700
Message-Id: <20180430184016.875135579@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180430184015.043892819@linuxfoundation.org>
References: <20180430184015.043892819@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.16-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 10513142a7114d251670361ad40cba2c61403406 upstream.

As recently Smatch suggested, a couple of places in HDSP MADI driver
may expand the array directly from the user-space value with
speculation:
  sound/pci/rme9652/hdspm.c:5717 snd_hdspm_channel_info() warn: potential spectre issue 'hdspm->channel_map_out' (local cap)
  sound/pci/rme9652/hdspm.c:5734 snd_hdspm_channel_info() warn: potential spectre issue 'hdspm->channel_map_in' (local cap)

This patch puts array_index_nospec() for hardening against them.

BugLink: https://marc.info/?l=linux-kernel&m=152411496503418&w=2
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/rme9652/hdspm.c |   24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

--- a/sound/pci/rme9652/hdspm.c
+++ b/sound/pci/rme9652/hdspm.c
@@ -137,6 +137,7 @@
 #include <linux/pci.h>
 #include <linux/math64.h>
 #include <linux/io.h>
+#include <linux/nospec.h>
 
 #include <sound/core.h>
 #include <sound/control.h>
@@ -5698,40 +5699,43 @@ static int snd_hdspm_channel_info(struct
 		struct snd_pcm_channel_info *info)
 {
 	struct hdspm *hdspm = snd_pcm_substream_chip(substream);
+	unsigned int channel = info->channel;
 
 	if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) {
-		if (snd_BUG_ON(info->channel >= hdspm->max_channels_out)) {
+		if (snd_BUG_ON(channel >= hdspm->max_channels_out)) {
 			dev_info(hdspm->card->dev,
 				 "snd_hdspm_channel_info: output channel out of range (%d)\n",
-				 info->channel);
+				 channel);
 			return -EINVAL;
 		}
 
-		if (hdspm->channel_map_out[info->channel] < 0) {
+		channel = array_index_nospec(channel, hdspm->max_channels_out);
+		if (hdspm->channel_map_out[channel] < 0) {
 			dev_info(hdspm->card->dev,
 				 "snd_hdspm_channel_info: output channel %d mapped out\n",
-				 info->channel);
+				 channel);
 			return -EINVAL;
 		}
 
-		info->offset = hdspm->channel_map_out[info->channel] *
+		info->offset = hdspm->channel_map_out[channel] *
 			HDSPM_CHANNEL_BUFFER_BYTES;
 	} else {
-		if (snd_BUG_ON(info->channel >= hdspm->max_channels_in)) {
+		if (snd_BUG_ON(channel >= hdspm->max_channels_in)) {
 			dev_info(hdspm->card->dev,
 				 "snd_hdspm_channel_info: input channel out of range (%d)\n",
-				 info->channel);
+				 channel);
 			return -EINVAL;
 		}
 
-		if (hdspm->channel_map_in[info->channel] < 0) {
+		channel = array_index_nospec(channel, hdspm->max_channels_in);
+		if (hdspm->channel_map_in[channel] < 0) {
 			dev_info(hdspm->card->dev,
 				 "snd_hdspm_channel_info: input channel %d mapped out\n",
-				 info->channel);
+				 channel);
 			return -EINVAL;
 		}
 
-		info->offset = hdspm->channel_map_in[info->channel] *
+		info->offset = hdspm->channel_map_in[channel] *
 			HDSPM_CHANNEL_BUFFER_BYTES;
 	}