[thirdparty/kernel/stable-queue.git] / releases / 4.19.7 / alsa-ac97-fix-incorrect-bit-shift-at-ac97-spsa-control-write.patch

From 7194eda1ba0872d917faf3b322540b4f57f11ba5 Mon Sep 17 00:00:00 2001
From: Takashi Iwai <tiwai@suse.de>
Date: Fri, 23 Nov 2018 15:44:00 +0100
Subject: ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write

From: Takashi Iwai <tiwai@suse.de>

commit 7194eda1ba0872d917faf3b322540b4f57f11ba5 upstream.

The function snd_ac97_put_spsa() gets the bit shift value from the
associated private_value, but it extracts too much; the current code
extracts 8 bit values in bits 8-15, but this is a combination of two
nibbles (bits 8-11 and bits 12-15) for left and right shifts.
Due to the incorrect bits extraction, the actual shift may go beyond
the 32bit value, as spotted recently by UBSAN check:
 UBSAN: Undefined behaviour in sound/pci/ac97/ac97_codec.c:836:7
 shift exponent 68 is too large for 32-bit type 'int'

This patch fixes the shift value extraction by masking the properly
with 0x0f instead of 0xff.

Reported-and-tested-by: Meelis Roos <mroos@linux.ee>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/ac97/ac97_codec.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/pci/ac97/ac97_codec.c
+++ b/sound/pci/ac97/ac97_codec.c
@@ -824,7 +824,7 @@ static int snd_ac97_put_spsa(struct snd_
 {
 	struct snd_ac97 *ac97 = snd_kcontrol_chip(kcontrol);
 	int reg = kcontrol->private_value & 0xff;
-	int shift = (kcontrol->private_value >> 8) & 0xff;
+	int shift = (kcontrol->private_value >> 8) & 0x0f;
 	int mask = (kcontrol->private_value >> 16) & 0xff;
 	// int invert = (kcontrol->private_value >> 24) & 0xff;
 	unsigned short value, old, new;
Commit	Line	Data
f570a3f8 GKH	1	From 7194eda1ba0872d917faf3b322540b4f57f11ba5 Mon Sep 17 00:00:00 2001
	2	From: Takashi Iwai <tiwai@suse.de>
	3	Date: Fri, 23 Nov 2018 15:44:00 +0100
	4	Subject: ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write
	5
	6	From: Takashi Iwai <tiwai@suse.de>
	7
	8	commit 7194eda1ba0872d917faf3b322540b4f57f11ba5 upstream.
	9
	10	The function snd_ac97_put_spsa() gets the bit shift value from the
	11	associated private_value, but it extracts too much; the current code
	12	extracts 8 bit values in bits 8-15, but this is a combination of two
	13	nibbles (bits 8-11 and bits 12-15) for left and right shifts.
	14	Due to the incorrect bits extraction, the actual shift may go beyond
	15	the 32bit value, as spotted recently by UBSAN check:
	16	UBSAN: Undefined behaviour in sound/pci/ac97/ac97_codec.c:836:7
	17	shift exponent 68 is too large for 32-bit type 'int'
	18
	19	This patch fixes the shift value extraction by masking the properly
	20	with 0x0f instead of 0xff.
	21
	22	Reported-and-tested-by: Meelis Roos <mroos@linux.ee>
	23	Cc: <stable@vger.kernel.org>
	24	Signed-off-by: Takashi Iwai <tiwai@suse.de>
	25	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	26
	27	---
	28	sound/pci/ac97/ac97_codec.c \| 2 +-
	29	1 file changed, 1 insertion(+), 1 deletion(-)
	30
	31	--- a/sound/pci/ac97/ac97_codec.c
	32	+++ b/sound/pci/ac97/ac97_codec.c
	33	@@ -824,7 +824,7 @@ static int snd_ac97_put_spsa(struct snd_
	34	{
	35	struct snd_ac97 *ac97 = snd_kcontrol_chip(kcontrol);
	36	int reg = kcontrol->private_value & 0xff;
	37	- int shift = (kcontrol->private_value >> 8) & 0xff;
	38	+ int shift = (kcontrol->private_value >> 8) & 0x0f;
	39	int mask = (kcontrol->private_value >> 16) & 0xff;
	40	// int invert = (kcontrol->private_value >> 24) & 0xff;
	41	unsigned short value, old, new;