4.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mauro Carvalho Chehab mchehab+samsung@kernel.org
[ Upstream commit a3d71f256c8a8b5d51ea0dfd09cd85ce3a09d9e1 ]
The current logic makes Smatch to false-detect a Spectre variant 1 vulnerability. The problem is that it initializes an u32 indirectly from user space input.
After trying to write a fixup, after a while I realized that, in practice, this shouldn't be a problem, as an u32 is initialized from u8, but it took some time to discover it.
So, do some code cleanup to make it clearer for both humans and machines about the valid range for "op".
Fix this warning: drivers/media/cec/cec-pin-error-inj.c:170 cec_pin_error_inj_parse_line() warn: potential spectre issue 'pin->error_inj_args'
Signed-off-by: Mauro Carvalho Chehab mchehab+samsung@kernel.org Signed-off-by: Hans Verkuil hans.verkuil@cisco.com Signed-off-by: Mauro Carvalho Chehab mchehab+samsung@kernel.org Signed-off-by: Sasha Levin alexander.levin@microsoft.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/media/cec/cec-pin-error-inj.c | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-)
--- a/drivers/media/cec/cec-pin-error-inj.c +++ b/drivers/media/cec/cec-pin-error-inj.c @@ -81,10 +81,9 @@ bool cec_pin_error_inj_parse_line(struct u64 *error; u8 *args; bool has_op; - u32 op; + u8 op; u8 mode; u8 pos; - u8 v;
p = skip_spaces(p); token = strsep(&p, delims); @@ -146,12 +145,18 @@ bool cec_pin_error_inj_parse_line(struct comma = strchr(token, ','); if (comma) *comma++ = '\0'; - if (!strcmp(token, "any")) - op = CEC_ERROR_INJ_OP_ANY; - else if (!kstrtou8(token, 0, &v)) - op = v; - else + if (!strcmp(token, "any")) { + has_op = false; + error = pin->error_inj + CEC_ERROR_INJ_OP_ANY; + args = pin->error_inj_args[CEC_ERROR_INJ_OP_ANY]; + } else if (!kstrtou8(token, 0, &op)) { + has_op = true; + error = pin->error_inj + op; + args = pin->error_inj_args[op]; + } else { return false; + } + mode = CEC_ERROR_INJ_MODE_ONCE; if (comma) { if (!strcmp(comma, "off")) @@ -166,10 +171,6 @@ bool cec_pin_error_inj_parse_line(struct return false; }
- error = pin->error_inj + op; - args = pin->error_inj_args[op]; - has_op = op <= 0xff; - token = strsep(&p, delims); if (p) { p = skip_spaces(p);