From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S965168AbcKXLYo (ORCPT ); Thu, 24 Nov 2016 06:24:44 -0500 Received: from userp1040.oracle.com ([156.151.31.81]:28871 "EHLO userp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S964981AbcKXLYn (ORCPT ); Thu, 24 Nov 2016 06:24:43 -0500 Date: Thu, 24 Nov 2016 14:23:33 +0300 From: Dan Carpenter To: Jaroslav Kysela Cc: Takashi Iwai , alsa-devel@alsa-project.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [patch] ALSA: emu10k1: shift wrapping bug in snd_emu10k1_ptr_read() Message-ID: <20161124112333.GL17225@mwanda> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.6.0 (2016-04-01) X-Source-IP: userv0022.oracle.com [156.151.31.74] Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Static analysis says "size" is a number 0-63. So we really want to be doing the shift as a u64 and not a int type. Presumably "size" is never actually more than 31 otherwise the shift wrap would have been detected in testing. The "mask" is a u32 so we only care about the bottom 32 bits which also implies that "size" is less than 32. This code pre-dates git. I haven't tested this change, it's to fix a static analysis warning. I can't think that shift wrapping is the correct behavior so presumably this change is harmless but it definitely changes how the code works when size is larger than 32. Signed-off-by: Dan Carpenter diff --git a/sound/pci/emu10k1/io.c b/sound/pci/emu10k1/io.c index 706b4f0..fd204f3 100644 --- a/sound/pci/emu10k1/io.c +++ b/sound/pci/emu10k1/io.c @@ -46,7 +46,7 @@ unsigned int snd_emu10k1_ptr_read(struct snd_emu10k1 * emu, unsigned int reg, un size = (reg >> 24) & 0x3f; offset = (reg >> 16) & 0x1f; - mask = ((1 << size) - 1) << offset; + mask = ((1ULL << size) - 1) << offset; spin_lock_irqsave(&emu->emu_lock, flags); outl(regptr, emu->port + PTR); @@ -81,7 +81,7 @@ void snd_emu10k1_ptr_write(struct snd_emu10k1 *emu, unsigned int reg, unsigned i size = (reg >> 24) & 0x3f; offset = (reg >> 16) & 0x1f; - mask = ((1 << size) - 1) << offset; + mask = ((1ULL << size) - 1) << offset; data = (data << offset) & mask; spin_lock_irqsave(&emu->emu_lock, flags);