| From 7194eda1ba0872d917faf3b322540b4f57f11ba5 Mon Sep 17 00:00:00 2001 |
| From: Takashi Iwai <tiwai@suse.de> |
| Date: Fri, 23 Nov 2018 15:44:00 +0100 |
| Subject: ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write |
| |
| From: Takashi Iwai <tiwai@suse.de> |
| |
| commit 7194eda1ba0872d917faf3b322540b4f57f11ba5 upstream. |
| |
| The function snd_ac97_put_spsa() gets the bit shift value from the |
| associated private_value, but it extracts too much; the current code |
| extracts 8 bit values in bits 8-15, but this is a combination of two |
| nibbles (bits 8-11 and bits 12-15) for left and right shifts. |
| Due to the incorrect bits extraction, the actual shift may go beyond |
| the 32bit value, as spotted recently by UBSAN check: |
| UBSAN: Undefined behaviour in sound/pci/ac97/ac97_codec.c:836:7 |
| shift exponent 68 is too large for 32-bit type 'int' |
| |
| This patch fixes the shift value extraction by masking the properly |
| with 0x0f instead of 0xff. |
| |
| Reported-and-tested-by: Meelis Roos <mroos@linux.ee> |
| Cc: <stable@vger.kernel.org> |
| Signed-off-by: Takashi Iwai <tiwai@suse.de> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| sound/pci/ac97/ac97_codec.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/sound/pci/ac97/ac97_codec.c |
| +++ b/sound/pci/ac97/ac97_codec.c |
| @@ -829,7 +829,7 @@ static int snd_ac97_put_spsa(struct snd_ |
| { |
| struct snd_ac97 *ac97 = snd_kcontrol_chip(kcontrol); |
| int reg = kcontrol->private_value & 0xff; |
| - int shift = (kcontrol->private_value >> 8) & 0xff; |
| + int shift = (kcontrol->private_value >> 8) & 0x0f; |
| int mask = (kcontrol->private_value >> 16) & 0xff; |
| // int invert = (kcontrol->private_value >> 24) & 0xff; |
| unsigned short value, old, new; |
