media: dvb_ca_en50221: prevent using slot_info for Spectre attacs

slot can be controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability,
as warned by smatch:
	drivers/media/dvb-core/dvb_ca_en50221.c:1479 dvb_ca_en50221_io_write() warn: potential spectre issue 'ca->slot_info' (local cap)
Acked-by: "Jasmin J." <jasmin@anw.at>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>

CVE-2017-5753

(backported from commit 4f5ab5d7)
[juergh:
 - Adjusted context.
 - Folded in a24e6348 ("media: dvb_ca_en50221: sanity check slot number from userspace").]
Signed-off-by: Juerg Haefliger <juergh@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

drivers/media/dvb-core/dvb_ca_en50221.c

@@ -32,6 +32,7 @@
 #include <linux/slab.h>
 #include <linux/list.h>
 #include <linux/module.h>
+#include <linux/nospec.h>
 #include <linux/vmalloc.h>
 #include <linux/delay.h>
 #include <linux/spinlock.h>
@@ -1333,6 +1334,10 @@ static ssize_t dvb_ca_en50221_io_write(struct file *file,
 	buf += 2;
 	count -= 2;
 
+	if (slot >= ca->slot_count)
+		return -EINVAL;
+	slot = array_index_nospec(slot, ca->slot_count);
+
 	/* check if the slot is actually running */
 	if (ca->slot_info[slot].slot_state != DVB_CA_SLOTSTATE_RUNNING)
 		return -EINVAL;