[PATCH 4.4 15/23] ALSA: timer: Fix master timer notification

From: Greg Kroah-Hartman
Date: Tue Jun 08 2021 - 14:28:50 EST


From: Takashi Iwai <tiwai@xxxxxxx>

commit 9c1fe96bded935369f8340c2ac2e9e189f697d5d upstream.

snd_timer_notify1() calls the notification to each slave for a master
event, but it passes a wrong event number. It should be +10 offset,
corresponding to SNDRV_TIMER_EVENT_MXXX, but it's incorrectly with
+100 offset. Casually this was spotted by UBSAN check via syzkaller.

Reported-by: syzbot+d102fa5b35335a7e544e@xxxxxxxxxxxxxxxxxxxxxxxxx
Reviewed-by: Jaroslav Kysela <perex@xxxxxxxx>
Cc: <stable@xxxxxxxxxxxxxxx>
Link: https://lore.kernel.org/r/000000000000e5560e05c3bd1d63@xxxxxxxxxx
Link: https://lore.kernel.org/r/20210602113823.23777-1-tiwai@xxxxxxx
Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
sound/core/timer.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -432,9 +432,10 @@ static void snd_timer_notify1(struct snd
return;
if (timer->hw.flags & SNDRV_TIMER_HW_SLAVE)
return;
+ event += 10; /* convert to SNDRV_TIMER_EVENT_MXXX */
list_for_each_entry(ts, &ti->slave_active_head, active_list)
if (ts->ccallback)
- ts->ccallback(ts, event + 100, &tstamp, resolution);
+ ts->ccallback(ts, event, &tstamp, resolution);
}

/* start/continue a master timer */