ALSA: rawmidi: Fix potential Spectre v1 vulnerability

[mirror_ubuntu-bionic-kernel.git] / sound / core / rawmidi.c
diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c

index f055ca10bbc1d33c9c1cee1fd913b7c930984ac1..d22472ba211eb3972314865f7219c2f025651627 100644 (file)
--- a/sound/core/rawmidi.c
+++ b/sound/core/rawmidi.c
@@ -29,6 +29,7 @@
  #include <linux/mutex.h>
  #include <linux/module.h>
  #include <linux/delay.h>
+#include <linux/nospec.h>
  #include <sound/rawmidi.h>
  #include <sound/info.h>
  #include <sound/control.h>
@@ -591,6 +592,7 @@ static int __snd_rawmidi_info_select(struct snd_card *card,
                 return -ENXIO;
         if (info->stream < 0 || info->stream > 1)
                 return -EINVAL;
+       info->stream = array_index_nospec(info->stream, 2);
         pstr = &rmidi->streams[info->stream];
         if (pstr->substream_count == 0)
                 return -ENOENT;
@@ -635,7 +637,7 @@ static int snd_rawmidi_info_select_user(struct snd_card *card,
  int snd_rawmidi_output_params(struct snd_rawmidi_substream *substream,
                               struct snd_rawmidi_params * params)
  {
-       char *newbuf;
+       char *newbuf, *oldbuf;
         struct snd_rawmidi_runtime *runtime = substream->runtime;
         
         if (substream->append && substream->use_count > 1)
@@ -648,13 +650,17 @@ int snd_rawmidi_output_params(struct snd_rawmidi_substream *substream,
                 return -EINVAL;
         }
         if (params->buffer_size != runtime->buffer_size) {
-               newbuf = krealloc(runtime->buffer, params->buffer_size,
-                                 GFP_KERNEL);
+               newbuf = kmalloc(params->buffer_size, GFP_KERNEL);
                 if (!newbuf)
                         return -ENOMEM;
+               spin_lock_irq(&runtime->lock);
+               oldbuf = runtime->buffer;
                 runtime->buffer = newbuf;
                 runtime->buffer_size = params->buffer_size;
                 runtime->avail = runtime->buffer_size;
+               runtime->appl_ptr = runtime->hw_ptr = 0;
+               spin_unlock_irq(&runtime->lock);
+               kfree(oldbuf);
         }
         runtime->avail_min = params->avail_min;
         substream->active_sensing = !params->no_active_sensing;
@@ -665,7 +671,7 @@ EXPORT_SYMBOL(snd_rawmidi_output_params);
  int snd_rawmidi_input_params(struct snd_rawmidi_substream *substream,
                              struct snd_rawmidi_params * params)
  {
-       char *newbuf;
+       char *newbuf, *oldbuf;
         struct snd_rawmidi_runtime *runtime = substream->runtime;
  
         snd_rawmidi_drain_input(substream);
@@ -676,12 +682,16 @@ int snd_rawmidi_input_params(struct snd_rawmidi_substream *substream,
                 return -EINVAL;
         }
         if (params->buffer_size != runtime->buffer_size) {
-               newbuf = krealloc(runtime->buffer, params->buffer_size,
-                                 GFP_KERNEL);
+               newbuf = kmalloc(params->buffer_size, GFP_KERNEL);
                 if (!newbuf)
                         return -ENOMEM;
+               spin_lock_irq(&runtime->lock);
+               oldbuf = runtime->buffer;
                 runtime->buffer = newbuf;
                 runtime->buffer_size = params->buffer_size;
+               runtime->appl_ptr = runtime->hw_ptr = 0;
+               spin_unlock_irq(&runtime->lock);
+               kfree(oldbuf);
         }
         runtime->avail_min = params->avail_min;
         return 0;