From: Ravulapati Vishnu Vardhan Rao <quic_visr@quicinc.com>
To: unlisted-recipients:; (no To-header on input)
Cc: <quic_visr@quicinc.com>,
Srinivas Kandagatla <srinivas.kandagatla@linaro.org>,
Banajit Goswami <bgoswami@quicinc.com>,
Liam Girdwood <lgirdwood@gmail.com>,
Mark Brown <broonie@kernel.org>, Jaroslav Kysela <perex@perex.cz>,
Takashi Iwai <tiwai@suse.com>,
"moderated list:QCOM AUDIO (ASoC) DRIVERS"
<alsa-devel@alsa-project.org>,
open list <linux-kernel@vger.kernel.org>
Subject: [PATCH] ASoC:codecs: lpass: Fix for KASAN use_after_free out of bounds
Date: Tue, 9 May 2023 11:43:21 +0530 [thread overview]
Message-ID: <20230509061321.10218-1-quic_visr@quicinc.com> (raw)
When we run syzkaller we get below Out of Bounds error.
"KASAN: slab-out-of-bounds Read in regcache_flat_read"
Below is the backtrace of the issue:
BUG: KASAN: slab-out-of-bounds in regcache_flat_read+0x10c/0x110
Read of size 4 at addr ffffff8088fbf714 by task syz-executor.4/14144
CPU: 6 PID: 14144 Comm: syz-executor.4 Tainted: G W
Hardware name: Qualcomm Technologies, Inc. sc7280 CRD platform (rev5+) (DT)
Call trace:
dump_backtrace+0x0/0x4ec
show_stack+0x34/0x50
dump_stack_lvl+0xdc/0x11c
print_address_description+0x30/0x2d8
kasan_report+0x178/0x1e4
__asan_report_load4_noabort+0x44/0x50
regcache_flat_read+0x10c/0x110
regcache_read+0xf8/0x5a0
_regmap_read+0x45c/0x86c
_regmap_update_bits+0x128/0x290
regmap_update_bits_base+0xc0/0x15c
snd_soc_component_update_bits+0xa8/0x22c
snd_soc_component_write_field+0x68/0xd4
tx_macro_put_dec_enum+0x1d0/0x268
snd_ctl_elem_write+0x288/0x474
By Error checking and checking valid values issue gets rectifies.
Signed-off-by: Ravulapati Vishnu Vardhan Rao <quic_visr@quicinc.com>
---
sound/soc/codecs/lpass-tx-macro.c | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/sound/soc/codecs/lpass-tx-macro.c b/sound/soc/codecs/lpass-tx-macro.c
index da6fcf7f0991..6575b0bb6a47 100644
--- a/sound/soc/codecs/lpass-tx-macro.c
+++ b/sound/soc/codecs/lpass-tx-macro.c
@@ -746,6 +746,10 @@ static int tx_macro_put_dec_enum(struct snd_kcontrol *kcontrol,
struct tx_macro *tx = snd_soc_component_get_drvdata(component);
val = ucontrol->value.enumerated.item[0];
+ if (val < 0 && val > 15) {
+ dev_err(component->dev, "Wrong value for DMIC configuration");
+ return -EINVAL;
+ }
switch (e->reg) {
case CDC_TX_INP_MUX_ADC_MUX0_CFG0:
@@ -772,6 +776,9 @@ static int tx_macro_put_dec_enum(struct snd_kcontrol *kcontrol,
case CDC_TX_INP_MUX_ADC_MUX7_CFG0:
mic_sel_reg = CDC_TX7_TX_PATH_CFG0;
break;
+ default:
+ dev_err(component->dev, "Error in configuration!!\n");
+ return -EINVAL;
}
if (val != 0) {
@@ -785,13 +792,19 @@ static int tx_macro_put_dec_enum(struct snd_kcontrol *kcontrol,
snd_soc_component_write_field(component, mic_sel_reg,
CDC_TXn_ADC_DMIC_SEL_MASK, 1);
dmic = TX_ADC_TO_DMIC(val);
- dmic_clk_reg = CDC_TX_TOP_CSR_SWR_DMICn_CTL(dmic);
- snd_soc_component_write_field(component, dmic_clk_reg,
- CDC_TX_SWR_DMIC_CLK_SEL_MASK,
- tx->dmic_clk_div);
+ if (dmic < 4) {
+ dmic_clk_reg = CDC_TX_TOP_CSR_SWR_DMICn_CTL(dmic);
+ snd_soc_component_write_field(component, dmic_clk_reg,
+ CDC_TX_SWR_DMIC_CLK_SEL_MASK,
+ tx->dmic_clk_div);
+ } else {
+ dev_err(component->dev, "dmic for clk sel is wrong,
+ expected less than 4 but received %d\n", dmic);
+ return -EINVAL;
+ }
+
}
}
-
return snd_soc_dapm_put_enum_double(kcontrol, ucontrol);
}
--
2.17.1
WARNING: multiple messages have this Message-ID (diff)
From: Ravulapati Vishnu Vardhan Rao <quic_visr@quicinc.com>
Cc: quic_visr@quicinc.com,
Srinivas Kandagatla <srinivas.kandagatla@linaro.org>,
Banajit Goswami <bgoswami@quicinc.com>,
Liam Girdwood <lgirdwood@gmail.com>,
Mark Brown <broonie@kernel.org>, Takashi Iwai <tiwai@suse.com>,
"moderated list:QCOM AUDIO (ASoC) DRIVERS"
<alsa-devel@alsa-project.org>,
open list <linux-kernel@vger.kernel.org>
Subject: [PATCH] ASoC:codecs: lpass: Fix for KASAN use_after_free out of bounds
Date: Tue, 9 May 2023 11:43:21 +0530 [thread overview]
Message-ID: <20230509061321.10218-1-quic_visr@quicinc.com> (raw)
When we run syzkaller we get below Out of Bounds error.
"KASAN: slab-out-of-bounds Read in regcache_flat_read"
Below is the backtrace of the issue:
BUG: KASAN: slab-out-of-bounds in regcache_flat_read+0x10c/0x110
Read of size 4 at addr ffffff8088fbf714 by task syz-executor.4/14144
CPU: 6 PID: 14144 Comm: syz-executor.4 Tainted: G W
Hardware name: Qualcomm Technologies, Inc. sc7280 CRD platform (rev5+) (DT)
Call trace:
dump_backtrace+0x0/0x4ec
show_stack+0x34/0x50
dump_stack_lvl+0xdc/0x11c
print_address_description+0x30/0x2d8
kasan_report+0x178/0x1e4
__asan_report_load4_noabort+0x44/0x50
regcache_flat_read+0x10c/0x110
regcache_read+0xf8/0x5a0
_regmap_read+0x45c/0x86c
_regmap_update_bits+0x128/0x290
regmap_update_bits_base+0xc0/0x15c
snd_soc_component_update_bits+0xa8/0x22c
snd_soc_component_write_field+0x68/0xd4
tx_macro_put_dec_enum+0x1d0/0x268
snd_ctl_elem_write+0x288/0x474
By Error checking and checking valid values issue gets rectifies.
Signed-off-by: Ravulapati Vishnu Vardhan Rao <quic_visr@quicinc.com>
---
sound/soc/codecs/lpass-tx-macro.c | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/sound/soc/codecs/lpass-tx-macro.c b/sound/soc/codecs/lpass-tx-macro.c
index da6fcf7f0991..6575b0bb6a47 100644
--- a/sound/soc/codecs/lpass-tx-macro.c
+++ b/sound/soc/codecs/lpass-tx-macro.c
@@ -746,6 +746,10 @@ static int tx_macro_put_dec_enum(struct snd_kcontrol *kcontrol,
struct tx_macro *tx = snd_soc_component_get_drvdata(component);
val = ucontrol->value.enumerated.item[0];
+ if (val < 0 && val > 15) {
+ dev_err(component->dev, "Wrong value for DMIC configuration");
+ return -EINVAL;
+ }
switch (e->reg) {
case CDC_TX_INP_MUX_ADC_MUX0_CFG0:
@@ -772,6 +776,9 @@ static int tx_macro_put_dec_enum(struct snd_kcontrol *kcontrol,
case CDC_TX_INP_MUX_ADC_MUX7_CFG0:
mic_sel_reg = CDC_TX7_TX_PATH_CFG0;
break;
+ default:
+ dev_err(component->dev, "Error in configuration!!\n");
+ return -EINVAL;
}
if (val != 0) {
@@ -785,13 +792,19 @@ static int tx_macro_put_dec_enum(struct snd_kcontrol *kcontrol,
snd_soc_component_write_field(component, mic_sel_reg,
CDC_TXn_ADC_DMIC_SEL_MASK, 1);
dmic = TX_ADC_TO_DMIC(val);
- dmic_clk_reg = CDC_TX_TOP_CSR_SWR_DMICn_CTL(dmic);
- snd_soc_component_write_field(component, dmic_clk_reg,
- CDC_TX_SWR_DMIC_CLK_SEL_MASK,
- tx->dmic_clk_div);
+ if (dmic < 4) {
+ dmic_clk_reg = CDC_TX_TOP_CSR_SWR_DMICn_CTL(dmic);
+ snd_soc_component_write_field(component, dmic_clk_reg,
+ CDC_TX_SWR_DMIC_CLK_SEL_MASK,
+ tx->dmic_clk_div);
+ } else {
+ dev_err(component->dev, "dmic for clk sel is wrong,
+ expected less than 4 but received %d\n", dmic);
+ return -EINVAL;
+ }
+
}
}
-
return snd_soc_dapm_put_enum_double(kcontrol, ucontrol);
}
--
2.17.1
next reply other threads:[~2023-05-09 6:14 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-09 6:13 Ravulapati Vishnu Vardhan Rao [this message]
2023-05-09 6:13 ` [PATCH] ASoC:codecs: lpass: Fix for KASAN use_after_free out of bounds Ravulapati Vishnu Vardhan Rao
2023-05-09 6:46 ` Mark Brown
2023-05-09 6:46 ` Mark Brown
2023-05-09 8:33 ` kernel test robot
2023-05-09 8:33 ` kernel test robot
2023-05-09 8:43 ` kernel test robot
2023-05-09 8:43 ` kernel test robot
2023-05-09 10:32 Ravulapati Vishnu Vardhan Rao
2023-05-09 10:32 ` Ravulapati Vishnu Vardhan Rao
2023-05-09 12:26 ` Srinivas Kandagatla
2023-05-09 12:26 ` Srinivas Kandagatla
2023-05-09 14:12 ` Mark Brown
2023-05-09 14:12 ` Mark Brown
2023-05-09 14:36 ` Mark Brown
2023-05-09 14:36 ` Mark Brown
2023-05-09 18:06 ` VISHNUVARDHAN RAO RAVULAPATI
2023-05-09 18:06 ` VISHNUVARDHAN RAO RAVULAPATI
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230509061321.10218-1-quic_visr@quicinc.com \
--to=quic_visr@quicinc.com \
--cc=alsa-devel@alsa-project.org \
--cc=bgoswami@quicinc.com \
--cc=broonie@kernel.org \
--cc=lgirdwood@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=perex@perex.cz \
--cc=srinivas.kandagatla@linaro.org \
--cc=tiwai@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.