* [PATCH] ASoC:codecs: lpass: Fix for KASAN use_after_free out of bounds
@ 2023-05-09 6:13 Ravulapati Vishnu Vardhan Rao
2023-05-09 6:46 ` Mark Brown
` (2 more replies)
0 siblings, 3 replies; 9+ messages in thread
From: Ravulapati Vishnu Vardhan Rao @ 2023-05-09 6:13 UTC (permalink / raw)
Cc: quic_visr, Srinivas Kandagatla, Banajit Goswami, Liam Girdwood,
Mark Brown, Takashi Iwai,
moderated list:QCOM AUDIO (ASoC) DRIVERS, open list
When we run syzkaller we get below Out of Bounds error.
"KASAN: slab-out-of-bounds Read in regcache_flat_read"
Below is the backtrace of the issue:
BUG: KASAN: slab-out-of-bounds in regcache_flat_read+0x10c/0x110
Read of size 4 at addr ffffff8088fbf714 by task syz-executor.4/14144
CPU: 6 PID: 14144 Comm: syz-executor.4 Tainted: G W
Hardware name: Qualcomm Technologies, Inc. sc7280 CRD platform (rev5+) (DT)
Call trace:
dump_backtrace+0x0/0x4ec
show_stack+0x34/0x50
dump_stack_lvl+0xdc/0x11c
print_address_description+0x30/0x2d8
kasan_report+0x178/0x1e4
__asan_report_load4_noabort+0x44/0x50
regcache_flat_read+0x10c/0x110
regcache_read+0xf8/0x5a0
_regmap_read+0x45c/0x86c
_regmap_update_bits+0x128/0x290
regmap_update_bits_base+0xc0/0x15c
snd_soc_component_update_bits+0xa8/0x22c
snd_soc_component_write_field+0x68/0xd4
tx_macro_put_dec_enum+0x1d0/0x268
snd_ctl_elem_write+0x288/0x474
By Error checking and checking valid values issue gets rectifies.
Signed-off-by: Ravulapati Vishnu Vardhan Rao <quic_visr@quicinc.com>
---
sound/soc/codecs/lpass-tx-macro.c | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/sound/soc/codecs/lpass-tx-macro.c b/sound/soc/codecs/lpass-tx-macro.c
index da6fcf7f0991..6575b0bb6a47 100644
--- a/sound/soc/codecs/lpass-tx-macro.c
+++ b/sound/soc/codecs/lpass-tx-macro.c
@@ -746,6 +746,10 @@ static int tx_macro_put_dec_enum(struct snd_kcontrol *kcontrol,
struct tx_macro *tx = snd_soc_component_get_drvdata(component);
val = ucontrol->value.enumerated.item[0];
+ if (val < 0 && val > 15) {
+ dev_err(component->dev, "Wrong value for DMIC configuration");
+ return -EINVAL;
+ }
switch (e->reg) {
case CDC_TX_INP_MUX_ADC_MUX0_CFG0:
@@ -772,6 +776,9 @@ static int tx_macro_put_dec_enum(struct snd_kcontrol *kcontrol,
case CDC_TX_INP_MUX_ADC_MUX7_CFG0:
mic_sel_reg = CDC_TX7_TX_PATH_CFG0;
break;
+ default:
+ dev_err(component->dev, "Error in configuration!!\n");
+ return -EINVAL;
}
if (val != 0) {
@@ -785,13 +792,19 @@ static int tx_macro_put_dec_enum(struct snd_kcontrol *kcontrol,
snd_soc_component_write_field(component, mic_sel_reg,
CDC_TXn_ADC_DMIC_SEL_MASK, 1);
dmic = TX_ADC_TO_DMIC(val);
- dmic_clk_reg = CDC_TX_TOP_CSR_SWR_DMICn_CTL(dmic);
- snd_soc_component_write_field(component, dmic_clk_reg,
- CDC_TX_SWR_DMIC_CLK_SEL_MASK,
- tx->dmic_clk_div);
+ if (dmic < 4) {
+ dmic_clk_reg = CDC_TX_TOP_CSR_SWR_DMICn_CTL(dmic);
+ snd_soc_component_write_field(component, dmic_clk_reg,
+ CDC_TX_SWR_DMIC_CLK_SEL_MASK,
+ tx->dmic_clk_div);
+ } else {
+ dev_err(component->dev, "dmic for clk sel is wrong,
+ expected less than 4 but received %d\n", dmic);
+ return -EINVAL;
+ }
+
}
}
-
return snd_soc_dapm_put_enum_double(kcontrol, ucontrol);
}
--
2.17.1
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH] ASoC:codecs: lpass: Fix for KASAN use_after_free out of bounds
2023-05-09 6:13 [PATCH] ASoC:codecs: lpass: Fix for KASAN use_after_free out of bounds Ravulapati Vishnu Vardhan Rao
@ 2023-05-09 6:46 ` Mark Brown
2023-05-09 8:33 ` kernel test robot
2023-05-09 8:43 ` kernel test robot
2 siblings, 0 replies; 9+ messages in thread
From: Mark Brown @ 2023-05-09 6:46 UTC (permalink / raw)
To: Ravulapati Vishnu Vardhan Rao
Cc: Srinivas Kandagatla, Banajit Goswami, Liam Girdwood, Takashi Iwai,
moderated list:QCOM AUDIO (ASoC) DRIVERS, open list
[-- Attachment #1: Type: text/plain, Size: 400 bytes --]
On Tue, May 09, 2023 at 11:43:21AM +0530, Ravulapati Vishnu Vardhan Rao wrote:
> val = ucontrol->value.enumerated.item[0];
> + if (val < 0 && val > 15) {
> + dev_err(component->dev, "Wrong value for DMIC configuration");
> + return -EINVAL;
> + }
This allows userspace to spam the system logs, no error should be
printed for something like this which can be trivially triggered from
userspace.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] ASoC:codecs: lpass: Fix for KASAN use_after_free out of bounds
2023-05-09 6:13 [PATCH] ASoC:codecs: lpass: Fix for KASAN use_after_free out of bounds Ravulapati Vishnu Vardhan Rao
2023-05-09 6:46 ` Mark Brown
@ 2023-05-09 8:33 ` kernel test robot
2023-05-09 8:43 ` kernel test robot
2 siblings, 0 replies; 9+ messages in thread
From: kernel test robot @ 2023-05-09 8:33 UTC (permalink / raw)
To: Ravulapati Vishnu Vardhan Rao
Cc: oe-kbuild-all, quic_visr, Srinivas Kandagatla, Banajit Goswami,
Liam Girdwood, Mark Brown, Takashi Iwai,
moderated list:QCOM AUDIO (ASoC) DRIVERS, open list
Hi Ravulapati,
kernel test robot noticed the following build warnings:
[auto build test WARNING on broonie-sound/for-next]
[also build test WARNING on linus/master v6.4-rc1 next-20230509]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Ravulapati-Vishnu-Vardhan-Rao/ASoC-codecs-lpass-Fix-for-KASAN-use_after_free-out-of-bounds/20230509-141447
base: https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-next
patch link: https://lore.kernel.org/r/20230509061321.10218-1-quic_visr%40quicinc.com
patch subject: [PATCH] ASoC:codecs: lpass: Fix for KASAN use_after_free out of bounds
config: ia64-allyesconfig (https://download.01.org/0day-ci/archive/20230509/202305091640.yA163Rrh-lkp@intel.com/config)
compiler: ia64-linux-gcc (GCC) 12.1.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/intel-lab-lkp/linux/commit/83fb508f4eb95e9495f0e440b47226040e3b4efc
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Ravulapati-Vishnu-Vardhan-Rao/ASoC-codecs-lpass-Fix-for-KASAN-use_after_free-out-of-bounds/20230509-141447
git checkout 83fb508f4eb95e9495f0e440b47226040e3b4efc
# save the config file
mkdir build_dir && cp config build_dir/.config
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=ia64 olddefconfig
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=ia64 SHELL=/bin/bash sound/soc/
If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>
| Link: https://lore.kernel.org/oe-kbuild-all/202305091640.yA163Rrh-lkp@intel.com/
All warnings (new ones prefixed by >>):
sound/soc/codecs/lpass-tx-macro.c: In function 'tx_macro_put_dec_enum':
>> sound/soc/codecs/lpass-tx-macro.c:801:57: warning: missing terminating " character
801 | dev_err(component->dev, "dmic for clk sel is wrong,
| ^
sound/soc/codecs/lpass-tx-macro.c:802:79: warning: missing terminating " character
802 | expected less than 4 but received %d\n", dmic);
| ^
sound/soc/codecs/lpass-tx-macro.c:2199:23: error: unterminated argument list invoking macro "dev_err"
2199 | MODULE_LICENSE("GPL");
| ^
sound/soc/codecs/lpass-tx-macro.c:801:33: error: 'dev_err' undeclared (first use in this function); did you mean '_dev_err'?
801 | dev_err(component->dev, "dmic for clk sel is wrong,
| ^~~~~~~
| _dev_err
sound/soc/codecs/lpass-tx-macro.c:801:33: note: each undeclared identifier is reported only once for each function it appears in
sound/soc/codecs/lpass-tx-macro.c:801:40: error: expected ';' at end of input
801 | dev_err(component->dev, "dmic for clk sel is wrong,
| ^
| ;
......
sound/soc/codecs/lpass-tx-macro.c:801:33: error: expected declaration or statement at end of input
801 | dev_err(component->dev, "dmic for clk sel is wrong,
| ^~~~~~~
sound/soc/codecs/lpass-tx-macro.c:801:33: error: expected declaration or statement at end of input
sound/soc/codecs/lpass-tx-macro.c:788:19: note: '-Wmisleading-indentation' is disabled from this point onwards, since column-tracking was disabled due to the size of the code/headers
788 | } else if (val < 5) {
| ^~~~
sound/soc/codecs/lpass-tx-macro.c:788:19: note: adding '-flarge-source-files' will allow for more column-tracking support, at the expense of compilation time and memory
sound/soc/codecs/lpass-tx-macro.c:801:33: error: expected declaration or statement at end of input
801 | dev_err(component->dev, "dmic for clk sel is wrong,
| ^~~~~~~
sound/soc/codecs/lpass-tx-macro.c:801:33: error: expected declaration or statement at end of input
sound/soc/codecs/lpass-tx-macro.c: At top level:
sound/soc/codecs/lpass-tx-macro.c:737:12: warning: 'tx_macro_put_dec_enum' defined but not used [-Wunused-function]
737 | static int tx_macro_put_dec_enum(struct snd_kcontrol *kcontrol,
| ^~~~~~~~~~~~~~~~~~~~~
sound/soc/codecs/lpass-tx-macro.c:717:12: warning: 'tx_macro_mclk_event' defined but not used [-Wunused-function]
717 | static int tx_macro_mclk_event(struct snd_soc_dapm_widget *w,
| ^~~~~~~~~~~~~~~~~~~
sound/soc/codecs/lpass-tx-macro.c:699:13: warning: 'tx_macro_mute_update_callback' defined but not used [-Wunused-function]
699 | static void tx_macro_mute_update_callback(struct work_struct *work)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sound/soc/codecs/lpass-tx-macro.c:655:13: warning: 'tx_macro_tx_hpf_corner_freq_callback' defined but not used [-Wunused-function]
655 | static void tx_macro_tx_hpf_corner_freq_callback(struct work_struct *work)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sound/soc/codecs/lpass-tx-macro.c:587:35: warning: 'tx_regmap_config' defined but not used [-Wunused-const-variable=]
587 | static const struct regmap_config tx_regmap_config = {
| ^~~~~~~~~~~~~~~~
In file included from include/sound/tlv.h:10,
from sound/soc/codecs/lpass-tx-macro.c:13:
sound/soc/codecs/lpass-tx-macro.c:281:35: warning: 'digital_gain' defined but not used [-Wunused-const-variable=]
281 | static const DECLARE_TLV_DB_SCALE(digital_gain, -8400, 100, -8400);
| ^~~~~~~~~~~~
include/uapi/sound/tlv.h:53:22: note: in definition of macro 'SNDRV_CTL_TLVD_DECLARE_DB_SCALE'
53 | unsigned int name[] = { \
| ^~~~
sound/soc/codecs/lpass-tx-macro.c:281:14: note: in expansion of macro 'DECLARE_TLV_DB_SCALE'
281 | static const DECLARE_TLV_DB_SCALE(digital_gain, -8400, 100, -8400);
| ^~~~~~~~~~~~~~~~~~~~
vim +801 sound/soc/codecs/lpass-tx-macro.c
736
737 static int tx_macro_put_dec_enum(struct snd_kcontrol *kcontrol,
738 struct snd_ctl_elem_value *ucontrol)
739 {
740 struct snd_soc_dapm_widget *widget = snd_soc_dapm_kcontrol_widget(kcontrol);
741 struct snd_soc_component *component = snd_soc_dapm_to_component(widget->dapm);
742 struct soc_enum *e = (struct soc_enum *)kcontrol->private_value;
743 unsigned int val, dmic;
744 u16 mic_sel_reg;
745 u16 dmic_clk_reg;
746 struct tx_macro *tx = snd_soc_component_get_drvdata(component);
747
748 val = ucontrol->value.enumerated.item[0];
749 if (val < 0 && val > 15) {
750 dev_err(component->dev, "Wrong value for DMIC configuration");
751 return -EINVAL;
752 }
753
754 switch (e->reg) {
755 case CDC_TX_INP_MUX_ADC_MUX0_CFG0:
756 mic_sel_reg = CDC_TX0_TX_PATH_CFG0;
757 break;
758 case CDC_TX_INP_MUX_ADC_MUX1_CFG0:
759 mic_sel_reg = CDC_TX1_TX_PATH_CFG0;
760 break;
761 case CDC_TX_INP_MUX_ADC_MUX2_CFG0:
762 mic_sel_reg = CDC_TX2_TX_PATH_CFG0;
763 break;
764 case CDC_TX_INP_MUX_ADC_MUX3_CFG0:
765 mic_sel_reg = CDC_TX3_TX_PATH_CFG0;
766 break;
767 case CDC_TX_INP_MUX_ADC_MUX4_CFG0:
768 mic_sel_reg = CDC_TX4_TX_PATH_CFG0;
769 break;
770 case CDC_TX_INP_MUX_ADC_MUX5_CFG0:
771 mic_sel_reg = CDC_TX5_TX_PATH_CFG0;
772 break;
773 case CDC_TX_INP_MUX_ADC_MUX6_CFG0:
774 mic_sel_reg = CDC_TX6_TX_PATH_CFG0;
775 break;
776 case CDC_TX_INP_MUX_ADC_MUX7_CFG0:
777 mic_sel_reg = CDC_TX7_TX_PATH_CFG0;
778 break;
779 default:
780 dev_err(component->dev, "Error in configuration!!\n");
781 return -EINVAL;
782 }
783
784 if (val != 0) {
785 if (widget->shift) { /* MSM DMIC */
786 snd_soc_component_write_field(component, mic_sel_reg,
787 CDC_TXn_ADC_DMIC_SEL_MASK, 1);
788 } else if (val < 5) {
789 snd_soc_component_write_field(component, mic_sel_reg,
790 CDC_TXn_ADC_DMIC_SEL_MASK, 0);
791 } else {
792 snd_soc_component_write_field(component, mic_sel_reg,
793 CDC_TXn_ADC_DMIC_SEL_MASK, 1);
794 dmic = TX_ADC_TO_DMIC(val);
795 if (dmic < 4) {
796 dmic_clk_reg = CDC_TX_TOP_CSR_SWR_DMICn_CTL(dmic);
797 snd_soc_component_write_field(component, dmic_clk_reg,
798 CDC_TX_SWR_DMIC_CLK_SEL_MASK,
799 tx->dmic_clk_div);
800 } else {
> 801 dev_err(component->dev, "dmic for clk sel is wrong,
802 expected less than 4 but received %d\n", dmic);
803 return -EINVAL;
804 }
805
806 }
807 }
808 return snd_soc_dapm_put_enum_double(kcontrol, ucontrol);
809 }
810
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] ASoC:codecs: lpass: Fix for KASAN use_after_free out of bounds
2023-05-09 6:13 [PATCH] ASoC:codecs: lpass: Fix for KASAN use_after_free out of bounds Ravulapati Vishnu Vardhan Rao
2023-05-09 6:46 ` Mark Brown
2023-05-09 8:33 ` kernel test robot
@ 2023-05-09 8:43 ` kernel test robot
2 siblings, 0 replies; 9+ messages in thread
From: kernel test robot @ 2023-05-09 8:43 UTC (permalink / raw)
To: Ravulapati Vishnu Vardhan Rao
Cc: oe-kbuild-all, quic_visr, Srinivas Kandagatla, Banajit Goswami,
Liam Girdwood, Mark Brown, Takashi Iwai,
moderated list:QCOM AUDIO (ASoC) DRIVERS, open list
Hi Ravulapati,
kernel test robot noticed the following build warnings:
[auto build test WARNING on broonie-sound/for-next]
[also build test WARNING on linus/master v6.4-rc1 next-20230509]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Ravulapati-Vishnu-Vardhan-Rao/ASoC-codecs-lpass-Fix-for-KASAN-use_after_free-out-of-bounds/20230509-141447
base: https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-next
patch link: https://lore.kernel.org/r/20230509061321.10218-1-quic_visr%40quicinc.com
patch subject: [PATCH] ASoC:codecs: lpass: Fix for KASAN use_after_free out of bounds
config: x86_64-allmodconfig (https://download.01.org/0day-ci/archive/20230509/202305091655.6KwfcuWa-lkp@intel.com/config)
compiler: gcc-11 (Debian 11.3.0-12) 11.3.0
reproduce (this is a W=1 build):
# https://github.com/intel-lab-lkp/linux/commit/83fb508f4eb95e9495f0e440b47226040e3b4efc
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Ravulapati-Vishnu-Vardhan-Rao/ASoC-codecs-lpass-Fix-for-KASAN-use_after_free-out-of-bounds/20230509-141447
git checkout 83fb508f4eb95e9495f0e440b47226040e3b4efc
# save the config file
mkdir build_dir && cp config build_dir/.config
make W=1 O=build_dir ARCH=x86_64 olddefconfig
make W=1 O=build_dir ARCH=x86_64 SHELL=/bin/bash sound/soc/
If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>
| Link: https://lore.kernel.org/oe-kbuild-all/202305091655.6KwfcuWa-lkp@intel.com/
All warnings (new ones prefixed by >>):
sound/soc/codecs/lpass-tx-macro.c: In function 'tx_macro_put_dec_enum':
sound/soc/codecs/lpass-tx-macro.c:801:57: warning: missing terminating " character
801 | dev_err(component->dev, "dmic for clk sel is wrong,
| ^
sound/soc/codecs/lpass-tx-macro.c:802:79: warning: missing terminating " character
802 | expected less than 4 but received %d\n", dmic);
| ^
sound/soc/codecs/lpass-tx-macro.c:2199:23: error: unterminated argument list invoking macro "dev_err"
2199 | MODULE_LICENSE("GPL");
| ^
sound/soc/codecs/lpass-tx-macro.c:801:33: error: 'dev_err' undeclared (first use in this function); did you mean '_dev_err'?
801 | dev_err(component->dev, "dmic for clk sel is wrong,
| ^~~~~~~
| _dev_err
sound/soc/codecs/lpass-tx-macro.c:801:33: note: each undeclared identifier is reported only once for each function it appears in
sound/soc/codecs/lpass-tx-macro.c:801:40: error: expected ';' at end of input
801 | dev_err(component->dev, "dmic for clk sel is wrong,
| ^
| ;
......
sound/soc/codecs/lpass-tx-macro.c:801:33: error: expected declaration or statement at end of input
801 | dev_err(component->dev, "dmic for clk sel is wrong,
| ^~~~~~~
sound/soc/codecs/lpass-tx-macro.c:801:33: error: expected declaration or statement at end of input
sound/soc/codecs/lpass-tx-macro.c:788:19: note: '-Wmisleading-indentation' is disabled from this point onwards, since column-tracking was disabled due to the size of the code/headers
788 | } else if (val < 5) {
| ^~~~
sound/soc/codecs/lpass-tx-macro.c:788:19: note: adding '-flarge-source-files' will allow for more column-tracking support, at the expense of compilation time and memory
sound/soc/codecs/lpass-tx-macro.c:801:33: error: expected declaration or statement at end of input
801 | dev_err(component->dev, "dmic for clk sel is wrong,
| ^~~~~~~
sound/soc/codecs/lpass-tx-macro.c:801:33: error: expected declaration or statement at end of input
At top level:
sound/soc/codecs/lpass-tx-macro.c:737:12: warning: 'tx_macro_put_dec_enum' defined but not used [-Wunused-function]
737 | static int tx_macro_put_dec_enum(struct snd_kcontrol *kcontrol,
| ^~~~~~~~~~~~~~~~~~~~~
sound/soc/codecs/lpass-tx-macro.c:717:12: warning: 'tx_macro_mclk_event' defined but not used [-Wunused-function]
717 | static int tx_macro_mclk_event(struct snd_soc_dapm_widget *w,
| ^~~~~~~~~~~~~~~~~~~
sound/soc/codecs/lpass-tx-macro.c:699:13: warning: 'tx_macro_mute_update_callback' defined but not used [-Wunused-function]
699 | static void tx_macro_mute_update_callback(struct work_struct *work)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sound/soc/codecs/lpass-tx-macro.c:655:13: warning: 'tx_macro_tx_hpf_corner_freq_callback' defined but not used [-Wunused-function]
655 | static void tx_macro_tx_hpf_corner_freq_callback(struct work_struct *work)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> sound/soc/codecs/lpass-tx-macro.c:587:35: warning: 'tx_regmap_config' defined but not used [-Wunused-const-variable=]
587 | static const struct regmap_config tx_regmap_config = {
| ^~~~~~~~~~~~~~~~
In file included from include/sound/tlv.h:10,
from sound/soc/codecs/lpass-tx-macro.c:13:
>> sound/soc/codecs/lpass-tx-macro.c:281:35: warning: 'digital_gain' defined but not used [-Wunused-const-variable=]
281 | static const DECLARE_TLV_DB_SCALE(digital_gain, -8400, 100, -8400);
| ^~~~~~~~~~~~
include/uapi/sound/tlv.h:53:22: note: in definition of macro 'SNDRV_CTL_TLVD_DECLARE_DB_SCALE'
53 | unsigned int name[] = { \
| ^~~~
sound/soc/codecs/lpass-tx-macro.c:281:14: note: in expansion of macro 'DECLARE_TLV_DB_SCALE'
281 | static const DECLARE_TLV_DB_SCALE(digital_gain, -8400, 100, -8400);
| ^~~~~~~~~~~~~~~~~~~~
vim +/tx_regmap_config +587 sound/soc/codecs/lpass-tx-macro.c
c39667ddcfc516 Srinivas Kandagatla 2021-02-11 586
c39667ddcfc516 Srinivas Kandagatla 2021-02-11 @587 static const struct regmap_config tx_regmap_config = {
c39667ddcfc516 Srinivas Kandagatla 2021-02-11 588 .name = "tx_macro",
c39667ddcfc516 Srinivas Kandagatla 2021-02-11 589 .reg_bits = 16,
c39667ddcfc516 Srinivas Kandagatla 2021-02-11 590 .val_bits = 32,
c39667ddcfc516 Srinivas Kandagatla 2021-02-11 591 .reg_stride = 4,
c39667ddcfc516 Srinivas Kandagatla 2021-02-11 592 .cache_type = REGCACHE_FLAT,
c39667ddcfc516 Srinivas Kandagatla 2021-02-11 593 .max_register = TX_MAX_OFFSET,
c39667ddcfc516 Srinivas Kandagatla 2021-02-11 594 .reg_defaults = tx_defaults,
c39667ddcfc516 Srinivas Kandagatla 2021-02-11 595 .num_reg_defaults = ARRAY_SIZE(tx_defaults),
c39667ddcfc516 Srinivas Kandagatla 2021-02-11 596 .writeable_reg = tx_is_rw_register,
c39667ddcfc516 Srinivas Kandagatla 2021-02-11 597 .volatile_reg = tx_is_volatile_register,
c39667ddcfc516 Srinivas Kandagatla 2021-02-11 598 .readable_reg = tx_is_rw_register,
c39667ddcfc516 Srinivas Kandagatla 2021-02-11 599 };
c39667ddcfc516 Srinivas Kandagatla 2021-02-11 600
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH] ASoC:codecs: lpass: Fix for KASAN use_after_free out of bounds
@ 2023-05-09 10:32 Ravulapati Vishnu Vardhan Rao
2023-05-09 12:26 ` Srinivas Kandagatla
2023-05-09 14:36 ` Mark Brown
0 siblings, 2 replies; 9+ messages in thread
From: Ravulapati Vishnu Vardhan Rao @ 2023-05-09 10:32 UTC (permalink / raw)
Cc: quic_visr, Srinivas Kandagatla, Banajit Goswami, Liam Girdwood,
Mark Brown, Takashi Iwai,
moderated list:QCOM AUDIO (ASoC) DRIVERS, open list
When we run syzkaller we get below Out of Bounds error.
"KASAN: slab-out-of-bounds Read in regcache_flat_read"
Below is the backtrace of the issue:
BUG: KASAN: slab-out-of-bounds in regcache_flat_read+0x10c/0x110
Read of size 4 at addr ffffff8088fbf714 by task syz-executor.4/14144
CPU: 6 PID: 14144 Comm: syz-executor.4 Tainted: G W
Hardware name: Qualcomm Technologies, Inc. sc7280 CRD platform (rev5+) (DT)
Call trace:
dump_backtrace+0x0/0x4ec
show_stack+0x34/0x50
dump_stack_lvl+0xdc/0x11c
print_address_description+0x30/0x2d8
kasan_report+0x178/0x1e4
__asan_report_load4_noabort+0x44/0x50
regcache_flat_read+0x10c/0x110
regcache_read+0xf8/0x5a0
_regmap_read+0x45c/0x86c
_regmap_update_bits+0x128/0x290
regmap_update_bits_base+0xc0/0x15c
snd_soc_component_update_bits+0xa8/0x22c
snd_soc_component_write_field+0x68/0xd4
tx_macro_put_dec_enum+0x1d0/0x268
snd_ctl_elem_write+0x288/0x474
By Error checking and checking valid values issue gets rectifies.
Signed-off-by: Ravulapati Vishnu Vardhan Rao <quic_visr@quicinc.com>
---
sound/soc/codecs/lpass-tx-macro.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/sound/soc/codecs/lpass-tx-macro.c b/sound/soc/codecs/lpass-tx-macro.c
index da6fcf7f0991..2fc150b17f29 100644
--- a/sound/soc/codecs/lpass-tx-macro.c
+++ b/sound/soc/codecs/lpass-tx-macro.c
@@ -746,6 +746,8 @@ static int tx_macro_put_dec_enum(struct snd_kcontrol *kcontrol,
struct tx_macro *tx = snd_soc_component_get_drvdata(component);
val = ucontrol->value.enumerated.item[0];
+ if (val < 0 && val > 15)
+ return -EINVAL;
switch (e->reg) {
case CDC_TX_INP_MUX_ADC_MUX0_CFG0:
@@ -772,6 +774,9 @@ static int tx_macro_put_dec_enum(struct snd_kcontrol *kcontrol,
case CDC_TX_INP_MUX_ADC_MUX7_CFG0:
mic_sel_reg = CDC_TX7_TX_PATH_CFG0;
break;
+ default:
+ dev_err(component->dev, "Error in configuration!!\n");
+ return -EINVAL;
}
if (val != 0) {
@@ -785,10 +790,16 @@ static int tx_macro_put_dec_enum(struct snd_kcontrol *kcontrol,
snd_soc_component_write_field(component, mic_sel_reg,
CDC_TXn_ADC_DMIC_SEL_MASK, 1);
dmic = TX_ADC_TO_DMIC(val);
- dmic_clk_reg = CDC_TX_TOP_CSR_SWR_DMICn_CTL(dmic);
- snd_soc_component_write_field(component, dmic_clk_reg,
- CDC_TX_SWR_DMIC_CLK_SEL_MASK,
- tx->dmic_clk_div);
+ if (dmic < 4) {
+ dmic_clk_reg = CDC_TX_TOP_CSR_SWR_DMICn_CTL(dmic);
+ snd_soc_component_write_field(component, dmic_clk_reg,
+ CDC_TX_SWR_DMIC_CLK_SEL_MASK,
+ tx->dmic_clk_div);
+ } else {
+ dev_err(component->dev, "Error in dmic configuration!!\n");
+ return -EINVAL;
+ }
+
}
}
--
2.17.1
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH] ASoC:codecs: lpass: Fix for KASAN use_after_free out of bounds
2023-05-09 10:32 Ravulapati Vishnu Vardhan Rao
@ 2023-05-09 12:26 ` Srinivas Kandagatla
2023-05-09 14:12 ` Mark Brown
2023-05-09 14:36 ` Mark Brown
1 sibling, 1 reply; 9+ messages in thread
From: Srinivas Kandagatla @ 2023-05-09 12:26 UTC (permalink / raw)
To: Ravulapati Vishnu Vardhan Rao
Cc: Banajit Goswami, Liam Girdwood, Mark Brown, Takashi Iwai,
moderated list:QCOM AUDIO (ASoC) DRIVERS, open list
On 09/05/2023 11:32, Ravulapati Vishnu Vardhan Rao wrote:
> When we run syzkaller we get below Out of Bounds error.
>
> "KASAN: slab-out-of-bounds Read in regcache_flat_read"
>
> Below is the backtrace of the issue:
>
> BUG: KASAN: slab-out-of-bounds in regcache_flat_read+0x10c/0x110
> Read of size 4 at addr ffffff8088fbf714 by task syz-executor.4/14144
> CPU: 6 PID: 14144 Comm: syz-executor.4 Tainted: G W
> Hardware name: Qualcomm Technologies, Inc. sc7280 CRD platform (rev5+) (DT)
> Call trace:
> dump_backtrace+0x0/0x4ec
> show_stack+0x34/0x50
> dump_stack_lvl+0xdc/0x11c
> print_address_description+0x30/0x2d8
> kasan_report+0x178/0x1e4
> __asan_report_load4_noabort+0x44/0x50
> regcache_flat_read+0x10c/0x110
> regcache_read+0xf8/0x5a0
> _regmap_read+0x45c/0x86c
> _regmap_update_bits+0x128/0x290
> regmap_update_bits_base+0xc0/0x15c
> snd_soc_component_update_bits+0xa8/0x22c
> snd_soc_component_write_field+0x68/0xd4
> tx_macro_put_dec_enum+0x1d0/0x268
> snd_ctl_elem_write+0x288/0x474
>
> By Error checking and checking valid values issue gets rectifies.
>
> Signed-off-by: Ravulapati Vishnu Vardhan Rao <quic_visr@quicinc.com>
> ---
> sound/soc/codecs/lpass-tx-macro.c | 19 +++++++++++++++----
> 1 file changed, 15 insertions(+), 4 deletions(-)
>
> diff --git a/sound/soc/codecs/lpass-tx-macro.c b/sound/soc/codecs/lpass-tx-macro.c
> index da6fcf7f0991..2fc150b17f29 100644
> --- a/sound/soc/codecs/lpass-tx-macro.c
> +++ b/sound/soc/codecs/lpass-tx-macro.c
> @@ -746,6 +746,8 @@ static int tx_macro_put_dec_enum(struct snd_kcontrol *kcontrol,
> struct tx_macro *tx = snd_soc_component_get_drvdata(component);
>
> val = ucontrol->value.enumerated.item[0];
> + if (val < 0 && val > 15)
> + return -EINVAL;
how about
if (val >= e->items)
return -EINVAL;
We could get these checks if CONFIG_SND_CTL_INTPUT_VALIDATION was enabled.
>
> switch (e->reg) {
> case CDC_TX_INP_MUX_ADC_MUX0_CFG0:
> @@ -772,6 +774,9 @@ static int tx_macro_put_dec_enum(struct snd_kcontrol *kcontrol,
> case CDC_TX_INP_MUX_ADC_MUX7_CFG0:
> mic_sel_reg = CDC_TX7_TX_PATH_CFG0;
> break;
> + default:
> + dev_err(component->dev, "Error in configuration!!\n");
> + return -EINVAL;
> }
>
> if (val != 0) {
> @@ -785,10 +790,16 @@ static int tx_macro_put_dec_enum(struct snd_kcontrol *kcontrol,
> snd_soc_component_write_field(component, mic_sel_reg,
> CDC_TXn_ADC_DMIC_SEL_MASK, 1);
> dmic = TX_ADC_TO_DMIC(val);
> - dmic_clk_reg = CDC_TX_TOP_CSR_SWR_DMICn_CTL(dmic);
> - snd_soc_component_write_field(component, dmic_clk_reg,
> - CDC_TX_SWR_DMIC_CLK_SEL_MASK,
> - tx->dmic_clk_div);
> + if (dmic < 4) {
> + dmic_clk_reg = CDC_TX_TOP_CSR_SWR_DMICn_CTL(dmic);
> + snd_soc_component_write_field(component, dmic_clk_reg,
> + CDC_TX_SWR_DMIC_CLK_SEL_MASK,
> + tx->dmic_clk_div);
> + } else {
> + dev_err(component->dev, "Error in dmic configuration!!\n");
> + return -EINVAL;
> + }
These changes look unrelated.
--srini
> +
> }
> }
>
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] ASoC:codecs: lpass: Fix for KASAN use_after_free out of bounds
2023-05-09 12:26 ` Srinivas Kandagatla
@ 2023-05-09 14:12 ` Mark Brown
0 siblings, 0 replies; 9+ messages in thread
From: Mark Brown @ 2023-05-09 14:12 UTC (permalink / raw)
To: Srinivas Kandagatla
Cc: Ravulapati Vishnu Vardhan Rao, Banajit Goswami, Liam Girdwood,
Takashi Iwai, moderated list:QCOM AUDIO (ASoC) DRIVERS, open list
[-- Attachment #1: Type: text/plain, Size: 467 bytes --]
On Tue, May 09, 2023 at 01:26:32PM +0100, Srinivas Kandagatla wrote:
> On 09/05/2023 11:32, Ravulapati Vishnu Vardhan Rao wrote:
> > val = ucontrol->value.enumerated.item[0];
> > + if (val < 0 && val > 15)
> > + return -EINVAL;
> how about
> if (val >= e->items)
> return -EINVAL;
The enum value is passed as an int so is signed unfortunately.
> We could get these checks if CONFIG_SND_CTL_INTPUT_VALIDATION was enabled.
You can't rely on that being set.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] ASoC:codecs: lpass: Fix for KASAN use_after_free out of bounds
2023-05-09 10:32 Ravulapati Vishnu Vardhan Rao
2023-05-09 12:26 ` Srinivas Kandagatla
@ 2023-05-09 14:36 ` Mark Brown
2023-05-09 18:06 ` VISHNUVARDHAN RAO RAVULAPATI
1 sibling, 1 reply; 9+ messages in thread
From: Mark Brown @ 2023-05-09 14:36 UTC (permalink / raw)
To: Ravulapati Vishnu Vardhan Rao
Cc: Srinivas Kandagatla, Banajit Goswami, Liam Girdwood, Takashi Iwai,
moderated list:QCOM AUDIO (ASoC) DRIVERS, open list
[-- Attachment #1: Type: text/plain, Size: 290 bytes --]
On Tue, May 09, 2023 at 04:02:31PM +0530, Ravulapati Vishnu Vardhan Rao wrote:
> val = ucontrol->value.enumerated.item[0];
> + if (val < 0 && val > 15)
> + return -EINVAL;
Srini is right that it'd be better to read the upper bound from the
control, that way it can't geto out of sync.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] ASoC:codecs: lpass: Fix for KASAN use_after_free out of bounds
2023-05-09 14:36 ` Mark Brown
@ 2023-05-09 18:06 ` VISHNUVARDHAN RAO RAVULAPATI
0 siblings, 0 replies; 9+ messages in thread
From: VISHNUVARDHAN RAO RAVULAPATI @ 2023-05-09 18:06 UTC (permalink / raw)
To: Mark Brown
Cc: Srinivas Kandagatla, Banajit Goswami, Liam Girdwood, Takashi Iwai,
moderated list:QCOM AUDIO (ASoC) DRIVERS, open list
On 5/9/2023 8:06 PM, Mark Brown wrote:
> On Tue, May 09, 2023 at 04:02:31PM +0530, Ravulapati Vishnu Vardhan Rao wrote:
>
>> val = ucontrol->value.enumerated.item[0];
>> + if (val < 0 && val > 15)
>> + return -EINVAL;
> Srini is right that it'd be better to read the upper bound from the
> control, that way it can't geto out of sync.
Will address and resend it..
Thanks for review.
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2023-05-10 6:36 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-05-09 6:13 [PATCH] ASoC:codecs: lpass: Fix for KASAN use_after_free out of bounds Ravulapati Vishnu Vardhan Rao
2023-05-09 6:46 ` Mark Brown
2023-05-09 8:33 ` kernel test robot
2023-05-09 8:43 ` kernel test robot
-- strict thread matches above, loose matches on Subject: below --
2023-05-09 10:32 Ravulapati Vishnu Vardhan Rao
2023-05-09 12:26 ` Srinivas Kandagatla
2023-05-09 14:12 ` Mark Brown
2023-05-09 14:36 ` Mark Brown
2023-05-09 18:06 ` VISHNUVARDHAN RAO RAVULAPATI
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox