From: Alok Tiwari alok.a.tiwari@oracle.com
[ Upstream commit 87aafc8580acf87fcaf1a7e30ed858d8c8d37d81 ]
code mistakenly used a hardcoded index (codec[1]) instead of iterating, over the codec array using the loop variable i. Use codec[i] instead of codec[1] to match the loop iteration.
Signed-off-by: Alok Tiwari alok.a.tiwari@oracle.com Link: https://patch.msgid.link/20250621185233.4081094-1-alok.a.tiwari@oracle.com Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Sasha Levin sashal@kernel.org ---
LLM Generated explanations, may be completely bogus:
**YES**
This commit should be backported to stable kernel trees. Here's the extensive explanation:
## Bug Analysis
The bug is a clear coding error in the ICH4 codec configuration code within the ALSA intel8x0 driver. Looking at the code change:
```c - tmp |= chip->ac97_sdin[pcm->r[0].codec[1]->num] << ICH_DI2L_SHIFT; + tmp |= chip->ac97_sdin[pcm->r[0].codec[i]->num] << ICH_DI2L_SHIFT; ```
The issue is in a loop that iterates from `i = 1` to `i < 4` (lines 2250-2255), checking each codec slot. However, the original code hardcoded `codec[1]` instead of using the loop variable `codec[i]`. This means:
1. **The loop was pointless** - it would always use codec[1] regardless of which iteration found a valid codec 2. **Incorrect codec configuration** - If codec[2] or codec[3] were the valid codec (and codec[1] was NULL), the code would still try to access codec[1], potentially causing: - Null pointer dereference if codec[1] is NULL - Wrong codec configuration if codec[1] exists but isn't the intended one
## Impact Assessment
This bug affects: - **Hardware**: Intel ICH4 (Intel I/O Controller Hub 4) chipsets only - **Functionality**: AC'97 codec configuration for multiple SDIN (Serial Data In) paths - **When triggered**: When using ICH4 with multiple codecs where the second valid codec is not in slot 1
## Backport Suitability
This commit meets all criteria for stable backporting:
1. **Fixes a real bug**: Clear array indexing error that can cause incorrect hardware configuration or crashes 2. **Small and contained**: Single line change, exactly 1 insertion and 1 deletion 3. **No side effects**: The fix simply corrects the loop to work as originally intended 4. **No architectural changes**: Pure bug fix with no API/ABI changes 5. **Critical subsystem**: ALSA sound drivers are important for user experience 6. **Long-standing bug**: The code has been incorrect since the initial git import (2005), making it important to fix in all maintained kernels 7. **Clear fix**: The correction is obvious - using the loop variable instead of a hardcoded index
The bug has existed since the kernel's initial git import in 2005 (commit 1da177e4c3f4), meaning it affects all kernel versions and should be backported to all stable trees that still receive updates.
sound/pci/intel8x0.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/pci/intel8x0.c b/sound/pci/intel8x0.c index 51e7f1f1a48e..b521cec20333 100644 --- a/sound/pci/intel8x0.c +++ b/sound/pci/intel8x0.c @@ -2249,7 +2249,7 @@ static int snd_intel8x0_mixer(struct intel8x0 *chip, int ac97_clock, tmp |= chip->ac97_sdin[0] << ICH_DI1L_SHIFT; for (i = 1; i < 4; i++) { if (pcm->r[0].codec[i]) { - tmp |= chip->ac97_sdin[pcm->r[0].codec[1]->num] << ICH_DI2L_SHIFT; + tmp |= chip->ac97_sdin[pcm->r[0].codec[i]->num] << ICH_DI2L_SHIFT; break; } }