On 6/27/23 08:00, Dmitry Antipov wrote:
In 'lpphy_start_tx_tone()', 'CORDIC_FLOAT((sample.i * max) & 0xFF)'
is invalid because it is (<32-bit> & 0xff) shifted right by 15 bits
and so always evaluates to zero. Looking through brcmsmac's
'wlc_lcnphy_start_tx_tone()', the result should be masked instead,
i. e. 'CORDIC_FLOAT(sample[i].max) & 0xFF'.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Suggested-by: Jonas Gorski <jonas.gorski@xxxxxxxxx>
Signed-off-by: Dmitry Antipov <dmantipov@xxxxxxxxx>
---
drivers/net/wireless/broadcom/b43/phy_lp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/broadcom/b43/phy_lp.c b/drivers/net/wireless/broadcom/b43/phy_lp.c
index 0e5c076e7544..e8ef04e509aa 100644
--- a/drivers/net/wireless/broadcom/b43/phy_lp.c
+++ b/drivers/net/wireless/broadcom/b43/phy_lp.c
@@ -1788,8 +1788,8 @@ static void lpphy_start_tx_tone(struct b43_wldev *dev, s32 freq, u16 max)
for (i = 0; i < samples; i++) {
sample = cordic_calc_iq(CORDIC_FIXED(theta));
theta += rotation;
- buf[i] = CORDIC_FLOAT((sample.i * max) & 0xFF) << 8;
- buf[i] |= CORDIC_FLOAT((sample.q * max) & 0xFF);
+ buf[i] = (u16)((CORDIC_FLOAT(sample.i * max) & 0xFF) << 8);
+ buf[i] |= (u16)(CORDIC_FLOAT(sample.q * max) & 0xFF);
}
b43_lptab_write_bulk(dev, B43_LPTAB16(5, 0), samples, buf);
This has not yet been tested, but it does need a "Fixes:" tag, and a Cc for stable.
Larry
