In 'lpphy_start_tx_tone()', 'CORDIC_FLOAT((sample.i * max) & 0xFF)' is invalid because it is (<32-bit> & 0xff) shifted right by 15 bits and so always evaluates to zero. Looking through brcmsmac's 'wlc_lcnphy_start_tx_tone()', the result should be masked instead, i. e. 'CORDIC_FLOAT(sample[i].max) & 0xFF'.
Fixes: 6f98e62a9f1b ("b43: update cordic code to match current specs")
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Cc: stable@vger.kernel.org Suggested-by: Jonas Gorski jonas.gorski@gmail.com Signed-off-by: Dmitry Antipov dmantipov@yandex.ru --- v2: add Cc: stable and Fixes: (Larry Finger) --- drivers/net/wireless/broadcom/b43/phy_lp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/broadcom/b43/phy_lp.c b/drivers/net/wireless/broadcom/b43/phy_lp.c index 0e5c076e7544..e8ef04e509aa 100644 --- a/drivers/net/wireless/broadcom/b43/phy_lp.c +++ b/drivers/net/wireless/broadcom/b43/phy_lp.c @@ -1788,8 +1788,8 @@ static void lpphy_start_tx_tone(struct b43_wldev *dev, s32 freq, u16 max) for (i = 0; i < samples; i++) { sample = cordic_calc_iq(CORDIC_FIXED(theta)); theta += rotation; - buf[i] = CORDIC_FLOAT((sample.i * max) & 0xFF) << 8; - buf[i] |= CORDIC_FLOAT((sample.q * max) & 0xFF); + buf[i] = (u16)((CORDIC_FLOAT(sample.i * max) & 0xFF) << 8); + buf[i] |= (u16)(CORDIC_FLOAT(sample.q * max) & 0xFF); }
b43_lptab_write_bulk(dev, B43_LPTAB16(5, 0), samples, buf);
From: Dmitry Antipov
Sent: 27 June 2023 16:14
In 'lpphy_start_tx_tone()', 'CORDIC_FLOAT((sample.i * max) & 0xFF)' is invalid because it is (<32-bit> & 0xff) shifted right by 15 bits and so always evaluates to zero. Looking through brcmsmac's 'wlc_lcnphy_start_tx_tone()', the result should be masked instead, i. e. 'CORDIC_FLOAT(sample[i].max) & 0xFF'.
Fixes: 6f98e62a9f1b ("b43: update cordic code to match current specs")
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Cc: stable@vger.kernel.org Suggested-by: Jonas Gorski jonas.gorski@gmail.com Signed-off-by: Dmitry Antipov dmantipov@yandex.ru
v2: add Cc: stable and Fixes: (Larry Finger)
drivers/net/wireless/broadcom/b43/phy_lp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/broadcom/b43/phy_lp.c b/drivers/net/wireless/broadcom/b43/phy_lp.c index 0e5c076e7544..e8ef04e509aa 100644 --- a/drivers/net/wireless/broadcom/b43/phy_lp.c +++ b/drivers/net/wireless/broadcom/b43/phy_lp.c @@ -1788,8 +1788,8 @@ static void lpphy_start_tx_tone(struct b43_wldev *dev, s32 freq, u16 max) for (i = 0; i < samples; i++) { sample = cordic_calc_iq(CORDIC_FIXED(theta)); theta += rotation;
buf[i] = CORDIC_FLOAT((sample.i * max) & 0xFF) << 8;buf[i] |= CORDIC_FLOAT((sample.q * max) & 0xFF);
buf[i] = (u16)((CORDIC_FLOAT(sample.i * max) & 0xFF) << 8);buf[i] |= (u16)(CORDIC_FLOAT(sample.q * max) & 0xFF);
What are the (u16) casts for? This code is actually called exactly once with max == 100. The .i and .q are the sine and cosine << 16 (signed). The CORDIC_FLOAT() is basically >> 16 (not 15) so the result should be between -100 and +100. The & 0xFF is there to strip the sign. The sin+cos are then packed into a short[] then unpacked to be written to the hardware later.
}
b43_lptab_write_bulk(dev, B43_LPTAB16(5, 0), samples, buf);
Don't open the bag of worms that contains the above :-)
David
-- 2.41.0
- Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)
From: Dmitry Antipov
Sent: 28 June 2023 11:45
On 6/28/23 11:24, David Laight wrote:
What are the (u16) casts for?
Well, this is a kind of a C language purism intended to silence warning: conversion from ‘int’ to ‘u16’ {aka ‘short unsigned int’} may change value [-Wconversion] observed with W=123.
The problem is that the casts can hide more than just a value being truncated. In this case the compiler even knows the values don't overflow.
FWIW I've seen generated code for: *cp++ = (unsigned char)(value & 0xff); that masked the value with 0xff once for the & a second time for the cast and then stored the low byte. I don't think modern gcc will do that, but a dumb compiler will.
If -Wconversion bleats about these sort of assignments it just needs permanently disabling (or deleting from the compiler!).
David
- Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)
linux-stable-mirror@lists.linaro.org
-
David Laight -
Dmitry Antipov