4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <ti...@suse.de>

commit f526afcd8f71945c23ce581d7864ace93de8a4f7 upstream.

As recently Smatch suggested, one place in RME9652 driver may expand
the array directly from the user-space value with speculation:
  sound/pci/rme9652/rme9652.c:2074 snd_rme9652_channel_info() warn: potential spectre issue 'rme9652->channel_map' (local cap)

This patch puts array_index_nospec() for hardening against it.

BugLink: https://marc.info/?l=linux-kernel&m=152411496503418&w=2
Reported-by: Dan Carpenter <dan.carpen...@oracle.com>
Cc: <sta...@vger.kernel.org>
Signed-off-by: Takashi Iwai <ti...@suse.de>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
 sound/pci/rme9652/rme9652.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/sound/pci/rme9652/rme9652.c
+++ b/sound/pci/rme9652/rme9652.c
@@ -26,6 +26,7 @@
 #include <linux/pci.h>
 #include <linux/module.h>
 #include <linux/io.h>
+#include <linux/nospec.h>
 
 #include <sound/core.h>
 #include <sound/control.h>
@@ -2036,9 +2037,10 @@ static int snd_rme9652_channel_info(stru
        if (snd_BUG_ON(info->channel >= RME9652_NCHANNELS))
                return -EINVAL;
 
-       if ((chn = rme9652->channel_map[info->channel]) < 0) {
+       chn = rme9652->channel_map[array_index_nospec(info->channel,
+                                                     RME9652_NCHANNELS)];
+       if (chn < 0)
                return -EINVAL;
-       }
 
        info->offset = chn * RME9652_CHANNEL_BUFFER_BYTES;
        info->first = 0;
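
Review bot: the clamp in snd_rme9652_channel_info() is buried inside the channel_map subscript, so it only stays correct while its bound matches the snd_BUG_ON() range check two lines above. Both use RME9652_NCHANNELS here, which is right, but nothing ties them together for a later editor. Consider sanitizing once, directly after the range check, for example by assigning array_index_nospec(info->channel, RME9652_NCHANNELS) back to info->channel or to a local index, and then subscripting with that value. The check and the clamp would then sit side by side, and any later use of the index in this function would pick up the sanitized value. A one-line comment saying the clamp is there because info->channel comes from user space would also help, since the range check alone makes the lookup appear safe already.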

