From: Ravulapati Vishnu Vardhan Rao <quic_visr@quicinc.com>
To: unlisted-recipients:; (no To-header on input)
Cc: <quic_visr@quicinc.com>, Srinivas Kandagatla <srinivas.kandagatla@linaro.org>, Banajit Goswami <bgoswami@quicinc.com>, Liam Girdwood <lgirdwood@gmail.com>, Mark Brown <broonie@kernel.org>, Jaroslav Kysela <perex@perex.cz>, Takashi Iwai <tiwai@suse.com>, "moderated list:QCOM AUDIO (ASoC) DRIVERS" <alsa-devel@alsa-project.org>, open list <linux-kernel@vger.kernel.org>
Subject: [PATCH] ASoC:codecs: lpass: Fix for KASAN use_after_free out of bounds
Date: Tue, 9 May 2023 11:43:21 +0530
Message-ID: <20230509061321.10218-1-quic_visr@quicinc.com>

When we run syzkaller we get the below Out of Bounds error.

"KASAN: slab-out-of-bounds Read in regcache_flat_read"

Below is the backtrace of the issue:

BUG: KASAN: slab-out-of-bounds in regcache_flat_read+0x10c/0x110
Read of size 4 at addr ffffff8088fbf714 by task syz-executor.4/14144
CPU: 6 PID: 14144 Comm: syz-executor.4 Tainted: G W
Hardware name: Qualcomm Technologies, Inc. sc7280 CRD platform (rev5+) (DT)
Call trace:
dump_backtrace+0x0/0x4ec
show_stack+0x34/0x50
dump_stack_lvl+0xdc/0x11c
print_address_description+0x30/0x2d8
kasan_report+0x178/0x1e4
__asan_report_load4_noabort+0x44/0x50
regcache_flat_read+0x10c/0x110
regcache_read+0xf8/0x5a0
_regmap_read+0x45c/0x86c
_regmap_update_bits+0x128/0x290
regmap_update_bits_base+0xc0/0x15c
snd_soc_component_update_bits+0xa8/0x22c
snd_soc_component_write_field+0x68/0xd4
tx_macro_put_dec_enum+0x1d0/0x268
snd_ctl_elem_write+0x288/0x474

By error checking and checking valid values, the issue gets rectified.

Signed-off-by: Ravulapati Vishnu Vardhan Rao <quic_visr@quicinc.com>
---
 sound/soc/codecs/lpass-tx-macro.c | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/sound/soc/codecs/lpass-tx-macro.c b/sound/soc/codecs/lpass-tx-macro.c
index da6fcf7f0991..6575b0bb6a47 100644
--- a/sound/soc/codecs/lpass-tx-macro.c
+++ b/sound/soc/codecs/lpass-tx-macro.c @@ -746,6 +746,10 @@ static int tx_macro_put_dec_enum(struct snd_kcontrol *kcontrol, struct tx_macro *tx = snd_soc_component_get_drvdata(component); val = ucontrol->value.enumerated.item[0]; + if (val < 0 && val > 15) { + dev_err(component->dev, "Wrong value for DMIC configuration"); + return -EINVAL; + } switch (e->reg) { case CDC_TX_INP_MUX_ADC_MUX0_CFG0: @@ -772,6 +776,9 @@ static int tx_macro_put_dec_enum(struct snd_kcontrol *kcontrol, case CDC_TX_INP_MUX_ADC_MUX7_CFG0: mic_sel_reg = CDC_TX7_TX_PATH_CFG0; break; + default: + dev_err(component->dev, "Error in configuration!!\n"); + return -EINVAL; } if (val != 0) { @@ -785,13 +792,19 @@ static int tx_macro_put_dec_enum(struct snd_kcontrol *kcontrol, snd_soc_component_write_field(component, mic_sel_reg, CDC_TXn_ADC_DMIC_SEL_MASK, 1); dmic = TX_ADC_TO_DMIC(val); - dmic_clk_reg = CDC_TX_TOP_CSR_SWR_DMICn_CTL(dmic); - snd_soc_component_write_field(component, dmic_clk_reg, - CDC_TX_SWR_DMIC_CLK_SEL_MASK, - tx->dmic_clk_div); + if (dmic < 4) { + dmic_clk_reg = CDC_TX_TOP_CSR_SWR_DMICn_CTL(dmic); + snd_soc_component_write_field(component, dmic_clk_reg, + CDC_TX_SWR_DMIC_CLK_SEL_MASK, + tx->dmic_clk_div); + } else { + dev_err(component->dev, "dmic for clk sel is wrong, + expected less than 4 but received %d\n", dmic); + return -EINVAL; + } + } } - return snd_soc_dapm_put_enum_double(kcontrol, ucontrol); } -- 2.17.1
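Review bot: In the first hunk (@@ -746,6 +746,10), the new range check val < 0 && val > 15 can never be true, since no value is both below 0 and above 15, so out-of-range input still reaches the switch and the register writes that follow. The condition needs || instead of &&, and the upper bound would be better derived from the enum that e points to than from the literal 15. The dev_err string in this hunk is also missing its trailing \n.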
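Review bot: In the second hunk (@@ -772,6 +776,9), the new default branch logs "Error in configuration!!" without the value that failed to match. Including e->reg in the message would let the log show which register the switch did not recognise, and the doubled exclamation marks can go.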
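Review bot: In the third hunk (@@ -785,13 +792,19), the dev_err format string is broken across two lines without closing and reopening the quotes, which will not compile; keep it on one line or split it into two adjacent string literals. The hunk also adds three closing braces against two opening ones, so the block structure after the else needs rechecking. Separately, the dmic < 4 test runs after the write to mic_sel_reg, so an invalid value is rejected with -EINVAL only once one register has already been changed; validating dmic before any write avoids the partial update.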