Message ID | 20210602113823.23777-1-tiwai@suse.de (mailing list archive) |
---|---|
State | Superseded |
Headers | show |
Series | ALSA: timer: Fix master timer notification | expand |
On 02. 06. 21 13:38, Takashi Iwai wrote: > snd_timer_notify1() calls the notification to each slave for a master > event, but it passes a wrong event number. It should be +10 offset, > corresponding to SNDRV_TIMER_EVENT_MXXX, but it's incorrectly with > +100 offset. Casually this was spotted by UBSAN check via syzkaller. > > Reported-by: syzbot+d102fa5b35335a7e544e@syzkaller.appspotmail.com > Cc: <stable@vger.kernel.org> > Link: https://lore.kernel.org/r/000000000000e5560e05c3bd1d63@google.com > Signed-off-by: Takashi Iwai <tiwai@suse.de> Reviewed-by: Jaroslav Kysela <perex@perex.cz> > --- > sound/core/timer.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/sound/core/timer.c b/sound/core/timer.c > index 6898b1ac0d7f..92b7008fcdb8 100644 > --- a/sound/core/timer.c > +++ b/sound/core/timer.c > @@ -520,9 +520,10 @@ static void snd_timer_notify1(struct snd_timer_instance *ti, int event) > return; > if (timer->hw.flags & SNDRV_TIMER_HW_SLAVE) > return; > + event += 10; /* convert to SNDRV_TIMER_EVENT_MXXX */ > list_for_each_entry(ts, &ti->slave_active_head, active_list) > if (ts->ccallback) > - ts->ccallback(ts, event + 100, &tstamp, resolution); > + ts->ccallback(ts, event, &tstamp, resolution); > } > > /* start/continue a master timer */ >
diff --git a/sound/core/timer.c b/sound/core/timer.c index 6898b1ac0d7f..92b7008fcdb8 100644 --- a/sound/core/timer.c +++ b/sound/core/timer.c @@ -520,9 +520,10 @@ static void snd_timer_notify1(struct snd_timer_instance *ti, int event) return; if (timer->hw.flags & SNDRV_TIMER_HW_SLAVE) return; + event += 10; /* convert to SNDRV_TIMER_EVENT_MXXX */ list_for_each_entry(ts, &ti->slave_active_head, active_list) if (ts->ccallback) - ts->ccallback(ts, event + 100, &tstamp, resolution); + ts->ccallback(ts, event, &tstamp, resolution); } /* start/continue a master timer */
snd_timer_notify1() calls the notification to each slave for a master event, but it passes a wrong event number. It should be +10 offset, corresponding to SNDRV_TIMER_EVENT_MXXX, but it's incorrectly with +100 offset. Casually this was spotted by UBSAN check via syzkaller. Reported-by: syzbot+d102fa5b35335a7e544e@syzkaller.appspotmail.com Cc: <stable@vger.kernel.org> Link: https://lore.kernel.org/r/000000000000e5560e05c3bd1d63@google.com Signed-off-by: Takashi Iwai <tiwai@suse.de> --- sound/core/timer.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)