* [PATCH AUTOSEL 5.15 02/16] ASoC: codecs: tx-macro: Fix for KASAN: slab-out-of-bounds
[not found] <20230322200121.1997157-1-sashal@kernel.org>
@ 2023-03-22 20:01 ` Sasha Levin
2023-03-22 20:01 ` [PATCH AUTOSEL 5.15 06/16] ALSA: asihpi: check pao in control_message() Sasha Levin
2023-03-22 20:01 ` [PATCH AUTOSEL 5.15 07/16] ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set() Sasha Levin
2 siblings, 0 replies; 3+ messages in thread
From: Sasha Levin @ 2023-03-22 20:01 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Ravulapati Vishnu Vardhan Rao, Mark Brown, Sasha Levin,
srinivas.kandagatla, bgoswami, lgirdwood, tiwai, alsa-devel
From: Ravulapati Vishnu Vardhan Rao <quic_visr@quicinc.com>
[ Upstream commit e5e7e398f6bb7918dab0612eb6991f7bae95520d ]
When we run syzkaller we get below Out of Bound.
"KASAN: slab-out-of-bounds Read in regcache_flat_read"
Below is the backtrace of the issue:
dump_backtrace+0x0/0x4c8
show_stack+0x34/0x44
dump_stack_lvl+0xd8/0x118
print_address_description+0x30/0x2d8
kasan_report+0x158/0x198
__asan_report_load4_noabort+0x44/0x50
regcache_flat_read+0x10c/0x110
regcache_read+0xf4/0x180
_regmap_read+0xc4/0x278
_regmap_update_bits+0x130/0x290
regmap_update_bits_base+0xc0/0x15c
snd_soc_component_update_bits+0xa8/0x22c
snd_soc_component_write_field+0x68/0xd4
tx_macro_digital_mute+0xec/0x140
Actually There is no need to have decimator with 32 bits.
By limiting the variable with short type u8 issue is resolved.
Signed-off-by: Ravulapati Vishnu Vardhan Rao <quic_visr@quicinc.com>
Link: https://lore.kernel.org/r/20230304080702.609-1-quic_visr@quicinc.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/lpass-tx-macro.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/sound/soc/codecs/lpass-tx-macro.c b/sound/soc/codecs/lpass-tx-macro.c
index 2b7ba78551fab..35d148e60c334 100644
--- a/sound/soc/codecs/lpass-tx-macro.c
+++ b/sound/soc/codecs/lpass-tx-macro.c
@@ -239,7 +239,7 @@ enum {
struct tx_mute_work {
struct tx_macro *tx;
- u32 decimator;
+ u8 decimator;
struct delayed_work dwork;
};
@@ -632,7 +632,7 @@ static int tx_macro_mclk_enable(struct tx_macro *tx,
return 0;
}
-static bool is_amic_enabled(struct snd_soc_component *component, int decimator)
+static bool is_amic_enabled(struct snd_soc_component *component, u8 decimator)
{
u16 adc_mux_reg, adc_reg, adc_n;
@@ -843,7 +843,7 @@ static int tx_macro_enable_dec(struct snd_soc_dapm_widget *w,
struct snd_kcontrol *kcontrol, int event)
{
struct snd_soc_component *component = snd_soc_dapm_to_component(w->dapm);
- unsigned int decimator;
+ u8 decimator;
u16 tx_vol_ctl_reg, dec_cfg_reg, hpf_gate_reg, tx_gain_ctl_reg;
u8 hpf_cut_off_freq;
int hpf_delay = TX_MACRO_DMIC_HPF_DELAY_MS;
@@ -1058,7 +1058,8 @@ static int tx_macro_hw_params(struct snd_pcm_substream *substream,
struct snd_soc_dai *dai)
{
struct snd_soc_component *component = dai->component;
- u32 decimator, sample_rate;
+ u32 sample_rate;
+ u8 decimator;
int tx_fs_rate;
struct tx_macro *tx = snd_soc_component_get_drvdata(component);
@@ -1122,7 +1123,7 @@ static int tx_macro_digital_mute(struct snd_soc_dai *dai, int mute, int stream)
{
struct snd_soc_component *component = dai->component;
struct tx_macro *tx = snd_soc_component_get_drvdata(component);
- u16 decimator;
+ u8 decimator;
decimator = tx->active_decimator[dai->id];
--
2.39.2
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH AUTOSEL 5.15 06/16] ALSA: asihpi: check pao in control_message()
[not found] <20230322200121.1997157-1-sashal@kernel.org>
2023-03-22 20:01 ` [PATCH AUTOSEL 5.15 02/16] ASoC: codecs: tx-macro: Fix for KASAN: slab-out-of-bounds Sasha Levin
@ 2023-03-22 20:01 ` Sasha Levin
2023-03-22 20:01 ` [PATCH AUTOSEL 5.15 07/16] ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set() Sasha Levin
2 siblings, 0 replies; 3+ messages in thread
From: Sasha Levin @ 2023-03-22 20:01 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Kuninori Morimoto, Takashi Iwai, Sasha Levin, tiwai, dengshaomin,
alsa-devel
From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
[ Upstream commit 9026c0bf233db53b86f74f4c620715e94eb32a09 ]
control_message() might be called with pao = NULL.
Here indicates control_message() as sample.
(B) static void control_message(struct hpi_adapter_obj *pao, ...)
{ ^^^
struct hpi_hw_obj *phw = pao->priv;
... ^^^
}
(A) void _HPI_6205(struct hpi_adapter_obj *pao, ...)
{ ^^^
...
case HPI_OBJ_CONTROL:
(B) control_message(pao, phm, phr);
break; ^^^
...
}
void HPI_6205(...)
{
...
(A) _HPI_6205(NULL, phm, phr);
... ^^^^
}
Therefore, We will get too many warning via cppcheck, like below
sound/pci/asihpi/hpi6205.c:238:27: warning: Possible null pointer dereference: pao [nullPointer]
struct hpi_hw_obj *phw = pao->priv;
^
sound/pci/asihpi/hpi6205.c:433:13: note: Calling function '_HPI_6205', 1st argument 'NULL' value is 0
_HPI_6205(NULL, phm, phr);
^
sound/pci/asihpi/hpi6205.c:401:20: note: Calling function 'control_message', 1st argument 'pao' value is 0
control_message(pao, phm, phr);
^
Set phr->error like many functions doing, and don't call _HPI_6205()
with NULL.
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://lore.kernel.org/r/87ttypeaqz.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/asihpi/hpi6205.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/pci/asihpi/hpi6205.c b/sound/pci/asihpi/hpi6205.c
index 3d6914c64c4a8..4cdaeefeb6885 100644
--- a/sound/pci/asihpi/hpi6205.c
+++ b/sound/pci/asihpi/hpi6205.c
@@ -430,7 +430,7 @@ void HPI_6205(struct hpi_message *phm, struct hpi_response *phr)
pao = hpi_find_adapter(phm->adapter_index);
} else {
/* subsys messages don't address an adapter */
- _HPI_6205(NULL, phm, phr);
+ phr->error = HPI_ERROR_INVALID_OBJ_INDEX;
return;
}
--
2.39.2
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH AUTOSEL 5.15 07/16] ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set()
[not found] <20230322200121.1997157-1-sashal@kernel.org>
2023-03-22 20:01 ` [PATCH AUTOSEL 5.15 02/16] ASoC: codecs: tx-macro: Fix for KASAN: slab-out-of-bounds Sasha Levin
2023-03-22 20:01 ` [PATCH AUTOSEL 5.15 06/16] ALSA: asihpi: check pao in control_message() Sasha Levin
@ 2023-03-22 20:01 ` Sasha Levin
2 siblings, 0 replies; 3+ messages in thread
From: Sasha Levin @ 2023-03-22 20:01 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Kuninori Morimoto, Takashi Iwai, Sasha Levin, tiwai, dev,
gremlin, ye.xingchen, alsa-devel
From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
[ Upstream commit 98e5eb110095ec77cb6d775051d181edbf9cd3cf ]
tuning_ctl_set() might have buffer overrun at (X) if it didn't break
from loop by matching (A).
static int tuning_ctl_set(...)
{
for (i = 0; i < TUNING_CTLS_COUNT; i++)
(A) if (nid == ca0132_tuning_ctls[i].nid)
break;
snd_hda_power_up(...);
(X) dspio_set_param(..., ca0132_tuning_ctls[i].mid, ...);
snd_hda_power_down(...); ^
return 1;
}
We will get below error by cppcheck
sound/pci/hda/patch_ca0132.c:4229:2: note: After for loop, i has value 12
for (i = 0; i < TUNING_CTLS_COUNT; i++)
^
sound/pci/hda/patch_ca0132.c:4234:43: note: Array index out of bounds
dspio_set_param(codec, ca0132_tuning_ctls[i].mid, 0x20,
^
This patch cares non match case.
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://lore.kernel.org/r/87sfe9eap7.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/patch_ca0132.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c
index c0cb6e49a9b65..2646663e03426 100644
--- a/sound/pci/hda/patch_ca0132.c
+++ b/sound/pci/hda/patch_ca0132.c
@@ -4231,8 +4231,10 @@ static int tuning_ctl_set(struct hda_codec *codec, hda_nid_t nid,
for (i = 0; i < TUNING_CTLS_COUNT; i++)
if (nid == ca0132_tuning_ctls[i].nid)
- break;
+ goto found;
+ return -EINVAL;
+found:
snd_hda_power_up(codec);
dspio_set_param(codec, ca0132_tuning_ctls[i].mid, 0x20,
ca0132_tuning_ctls[i].req,
--
2.39.2
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-03-22 20:06 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <20230322200121.1997157-1-sashal@kernel.org>
2023-03-22 20:01 ` [PATCH AUTOSEL 5.15 02/16] ASoC: codecs: tx-macro: Fix for KASAN: slab-out-of-bounds Sasha Levin
2023-03-22 20:01 ` [PATCH AUTOSEL 5.15 06/16] ALSA: asihpi: check pao in control_message() Sasha Levin
2023-03-22 20:01 ` [PATCH AUTOSEL 5.15 07/16] ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set() Sasha Levin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).