* Re: UBSAN: shift-out-of-bounds in sound/pci/ctxfi/cthw20k2.c:956:31 [not found] <20260315155004.15633-1-linux@hohmatik.de> @ 2026-03-16 8:46 ` Takashi Iwai 2026-03-21 19:56 ` Karsten Hohmeier 2026-03-28 19:24 ` Karsten Hohmeier 0 siblings, 2 replies; 5+ messages in thread From: Takashi Iwai @ 2026-03-16 8:46 UTC (permalink / raw) To: Karsten Hohmeier; +Cc: tiwai, linux-kernel, linux-sound On Sun, 15 Mar 2026 16:50:04 +0100, Karsten Hohmeier wrote: > > Hello Takashi, > > Updated to 6.19.8 and got some more UBSAN errors. > Care to take a look? Through a quick glance, the patch below should paper over it, but we'd need to check the printed error values. You can uncomment "//dump_stack();" lines to show the stack traces for further investigation, too. Takashi -- 8< -- diff --git a/sound/pci/ctxfi/ctdaio.c b/sound/pci/ctxfi/ctdaio.c index b8bde27f3a1d..ad465f66e5bc 100644 --- a/sound/pci/ctxfi/ctdaio.c +++ b/sound/pci/ctxfi/ctdaio.c @@ -99,7 +99,7 @@ static const struct rsc_ops daio_in_rsc_ops_20k2 = { .output_slot = daio_index, }; -static unsigned int daio_device_index(enum DAIOTYP type, struct hw *hw) +static int daio_device_index(enum DAIOTYP type, struct hw *hw) { switch (hw->chip_type) { case ATC20K1: @@ -112,7 +112,10 @@ static unsigned int daio_device_index(enum DAIOTYP type, struct hw *hw) case LINEO3: return 5; case LINEO4: return 6; case LINEIM: return 7; - default: return -EINVAL; + default: + pr_err("XXX invalid type %d for hw20k1\n", type); + //dump_stack(); + return -EINVAL; } case ATC20K2: switch (type) { @@ -125,9 +128,14 @@ static unsigned int daio_device_index(enum DAIOTYP type, struct hw *hw) case LINEIM: return 4; case MIC: return 5; case RCA: return 3; - default: return -EINVAL; + default: + pr_err("XXX invalid type %d for hw20k2\n", type); + //dump_stack(); + return -EINVAL; } default: + pr_err("XXX invalid chip type %d\n", hw->chip_type); + //dump_stack(); return -EINVAL; } } @@ -148,8 +156,11 @@ static int dao_spdif_set_spos(struct dao *dao, unsigned int spos) static int dao_commit_write(struct dao *dao) { - dao->hw->dao_commit_write(dao->hw, - daio_device_index(dao->daio.type, dao->hw), dao->ctrl_blk); + int idx = daio_device_index(dao->daio.type, dao->hw); + + if (idx < 0) + return idx; + dao->hw->dao_commit_write(dao->hw, idx, dao->ctrl_blk); return 0; } @@ -287,8 +298,11 @@ static int dai_set_enb_srt(struct dai *dai, unsigned int enb) static int dai_commit_write(struct dai *dai) { - dai->hw->dai_commit_write(dai->hw, - daio_device_index(dai->daio.type, dai->hw), dai->ctrl_blk); + int idx = daio_device_index(dai->daio.type, dai->hw); + + if (idx < 0) + return idx; + dai->hw->dai_commit_write(dai->hw, idx, dai->ctrl_blk); return 0; } @@ -367,7 +381,7 @@ static int dao_rsc_init(struct dao *dao, { struct hw *hw = mgr->mgr.hw; unsigned int conf; - int err; + int idx, err; err = daio_rsc_init(&dao->daio, desc, mgr->mgr.hw); if (err) @@ -386,15 +400,18 @@ static int dao_rsc_init(struct dao *dao, if (err) goto error2; - hw->daio_mgr_dsb_dao(mgr->mgr.ctrl_blk, - daio_device_index(dao->daio.type, hw)); + idx = daio_device_index(dao->daio.type, hw); + if (idx < 0) { + err = idx; + goto error2; + } + + hw->daio_mgr_dsb_dao(mgr->mgr.ctrl_blk, idx); hw->daio_mgr_commit_write(hw, mgr->mgr.ctrl_blk); conf = (desc->msr & 0x7) | (desc->passthru << 3); - hw->daio_mgr_dao_init(hw, mgr->mgr.ctrl_blk, - daio_device_index(dao->daio.type, hw), conf); - hw->daio_mgr_enb_dao(mgr->mgr.ctrl_blk, - daio_device_index(dao->daio.type, hw)); + hw->daio_mgr_dao_init(hw, mgr->mgr.ctrl_blk, idx, conf); + hw->daio_mgr_enb_dao(mgr->mgr.ctrl_blk, idx); hw->daio_mgr_commit_write(hw, mgr->mgr.ctrl_blk); return 0; @@ -443,7 +460,7 @@ static int dai_rsc_init(struct dai *dai, const struct daio_desc *desc, struct daio_mgr *mgr) { - int err; + int idx, err; struct hw *hw = mgr->mgr.hw; unsigned int rsr, msr; @@ -457,6 +474,12 @@ static int dai_rsc_init(struct dai *dai, if (err) goto error1; + idx = daio_device_index(dai->daio.type, dai->hw); + if (idx < 0) { + err = idx; + goto error1; + } + for (rsr = 0, msr = desc->msr; msr > 1; msr >>= 1) rsr++; @@ -465,8 +488,7 @@ static int dai_rsc_init(struct dai *dai, /* default to disabling control of a SRC */ hw->dai_srt_set_ec(dai->ctrl_blk, 0); hw->dai_srt_set_et(dai->ctrl_blk, 0); /* default to disabling SRT */ - hw->dai_commit_write(hw, - daio_device_index(dai->daio.type, dai->hw), dai->ctrl_blk); + hw->dai_commit_write(hw, idx, dai->ctrl_blk); return 0; @@ -581,28 +603,28 @@ static int put_daio_rsc(struct daio_mgr *mgr, struct daio *daio) static int daio_mgr_enb_daio(struct daio_mgr *mgr, struct daio *daio) { struct hw *hw = mgr->mgr.hw; + int idx = daio_device_index(daio->type, hw); - if (daio->output) { - hw->daio_mgr_enb_dao(mgr->mgr.ctrl_blk, - daio_device_index(daio->type, hw)); - } else { - hw->daio_mgr_enb_dai(mgr->mgr.ctrl_blk, - daio_device_index(daio->type, hw)); - } + if (idx < 0) + return idx; + if (daio->output) + hw->daio_mgr_enb_dao(mgr->mgr.ctrl_blk, idx); + else + hw->daio_mgr_enb_dai(mgr->mgr.ctrl_blk, idx); return 0; } static int daio_mgr_dsb_daio(struct daio_mgr *mgr, struct daio *daio) { struct hw *hw = mgr->mgr.hw; + int idx = daio_device_index(daio->type, hw); - if (daio->output) { - hw->daio_mgr_dsb_dao(mgr->mgr.ctrl_blk, - daio_device_index(daio->type, hw)); - } else { - hw->daio_mgr_dsb_dai(mgr->mgr.ctrl_blk, - daio_device_index(daio->type, hw)); - } + if (idx < 0) + return idx; + if (daio->output) + hw->daio_mgr_dsb_dao(mgr->mgr.ctrl_blk, idx); + else + hw->daio_mgr_dsb_dai(mgr->mgr.ctrl_blk, idx); return 0; } ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: UBSAN: shift-out-of-bounds in sound/pci/ctxfi/cthw20k2.c:956:31 2026-03-16 8:46 ` UBSAN: shift-out-of-bounds in sound/pci/ctxfi/cthw20k2.c:956:31 Takashi Iwai @ 2026-03-21 19:56 ` Karsten Hohmeier 2026-03-27 9:08 ` Takashi Iwai 2026-03-28 19:24 ` Karsten Hohmeier 1 sibling, 1 reply; 5+ messages in thread From: Karsten Hohmeier @ 2026-03-21 19:56 UTC (permalink / raw) To: tiwai; +Cc: linux-kernel, linux-sound, linux Hello Takashi, I applied your patch and uncommented the stack dumps. Here is what I get. Mar 21 20:41:34 dtest kernel: XXX invalid type 9 for hw20k2 Mar 21 20:41:34 dtest kernel: CPU: 8 UID: 0 PID: 535 Comm: (udev-worker) Tainted: G OE 6.19.8 #2 PREEMPT(lazy) Mar 21 20:41:34 dtest kernel: Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Mar 21 20:41:34 dtest kernel: Hardware name: To Be Filled By O.E.M. A320M-DVS R4.0/A320M-DVS R4.0, BIOS P10.44 02/23/2026 Mar 21 20:41:34 dtest kernel: Call Trace: Mar 21 20:41:34 dtest kernel: <TASK> Mar 21 20:41:34 dtest kernel: dump_stack_lvl+0x5d/0x80 Mar 21 20:41:34 dtest kernel: daio_device_index.isra.0.cold+0x13/0x45 [snd_ctxfi] Mar 21 20:41:34 dtest kernel: get_daio_rsc+0x1d1/0x2c0 [snd_ctxfi] Mar 21 20:41:34 dtest kernel: atc_get_resources+0x161/0x380 [snd_ctxfi] Mar 21 20:41:34 dtest kernel: ct_atc_create+0x3ec/0x540 [snd_ctxfi] Mar 21 20:41:34 dtest kernel: ct_card_probe+0x104/0x2c0 [snd_ctxfi] Mar 21 20:41:34 dtest kernel: local_pci_probe+0x42/0x90 Mar 21 20:41:34 dtest kernel: pci_device_probe+0xda/0x2b0 Mar 21 20:41:34 dtest kernel: ? sysfs_do_create_link_sd+0x6d/0xd0 Mar 21 20:41:34 dtest kernel: really_probe+0xde/0x380 Mar 21 20:41:34 dtest kernel: __driver_probe_device+0x78/0x150 Mar 21 20:41:34 dtest kernel: driver_probe_device+0x1f/0xa0 Mar 21 20:41:34 dtest kernel: ? __pfx___driver_attach+0x10/0x10 Mar 21 20:41:34 dtest kernel: __driver_attach+0xcb/0x200 Mar 21 20:41:34 dtest kernel: bus_for_each_dev+0x85/0xd0 Mar 21 20:41:34 dtest kernel: bus_add_driver+0x118/0x200 Mar 21 20:41:34 dtest kernel: ? __pfx_ct_driver_init+0x10/0x10 [snd_ctxfi] Mar 21 20:41:34 dtest kernel: driver_register+0x75/0xe0 Mar 21 20:41:34 dtest kernel: do_one_initcall+0x5b/0x300 Mar 21 20:41:34 dtest kernel: do_init_module+0x62/0x250 Mar 21 20:41:34 dtest kernel: init_module_from_file+0xd8/0x140 Mar 21 20:41:34 dtest kernel: idempotent_init_module+0x114/0x310 Mar 21 20:41:34 dtest kernel: __x64_sys_finit_module+0x71/0xe0 Mar 21 20:41:34 dtest kernel: ? syscall_trace_enter+0x8d/0x1d0 Mar 21 20:41:34 dtest kernel: do_syscall_64+0x81/0x600 Mar 21 20:41:34 dtest kernel: ? vfs_read+0x165/0x390 Mar 21 20:41:34 dtest kernel: ? vfs_read+0x165/0x390 Mar 21 20:41:34 dtest kernel: ? restore_fpregs_from_fpstate+0x46/0xa0 Mar 21 20:41:34 dtest kernel: ? switch_fpu_return+0x5b/0xe0 Mar 21 20:41:34 dtest kernel: ? do_syscall_64+0x245/0x600 Mar 21 20:41:34 dtest kernel: ? exc_page_fault+0x7e/0x1a0 Mar 21 20:41:34 dtest kernel: entry_SYSCALL_64_after_hwframe+0x76/0x7e Mar 21 20:41:34 dtest kernel: RIP: 0033:0x7ff26a11bc29 Mar 21 20:41:34 dtest kernel: Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b7 51 0d 0> Mar 21 20:41:34 dtest kernel: RSP: 002b:00007ffcf4bdf7c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 Mar 21 20:41:34 dtest kernel: RAX: ffffffffffffffda RBX: 000055a12d9ec2b0 RCX: 00007ff26a11bc29 Mar 21 20:41:34 dtest kernel: RDX: 0000000000000004 RSI: 00007ff2696e844d RDI: 000000000000004d Mar 21 20:41:34 dtest kernel: RBP: 0000000000000004 R08: 0000000000000000 R09: 000055a12d5e1670 Mar 21 20:41:34 dtest kernel: R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000020000 Mar 21 20:41:34 dtest kernel: R13: 00007ff2696e844d R14: 000055a12d9e7720 R15: 0000000000000000 Mar 21 20:41:34 dtest kernel: </TASK> Mar 21 20:41:34 dtest kernel: snd_ctxfi 0000:05:00.0: Failed to get DAIO resource 9!!! Mar 21 20:41:34 dtest kernel: snd_ctxfi 0000:05:00.0: Something wrong!!! Mar 21 20:41:34 dtest kernel: snd_ctxfi 0000:05:00.0: probe with driver snd_ctxfi failed with error -22 Sorry, that it takes a while for me to test, but I only have access to this machine on weekends. Regards Karsten ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: UBSAN: shift-out-of-bounds in sound/pci/ctxfi/cthw20k2.c:956:31 2026-03-21 19:56 ` Karsten Hohmeier @ 2026-03-27 9:08 ` Takashi Iwai 0 siblings, 0 replies; 5+ messages in thread From: Takashi Iwai @ 2026-03-27 9:08 UTC (permalink / raw) To: Karsten Hohmeier; +Cc: tiwai, linux-kernel, linux-sound On Sat, 21 Mar 2026 20:56:21 +0100, Karsten Hohmeier wrote: > > Hello Takashi, > > I applied your patch and uncommented the stack dumps. > Here is what I get. > > Mar 21 20:41:34 dtest kernel: XXX invalid type 9 for hw20k2 Thanks, this looks like the cause. Could you try the following one-liner? thanks, Takashi --- a/sound/pci/ctxfi/ctdaio.c +++ b/sound/pci/ctxfi/ctdaio.c @@ -118,6 +118,7 @@ static unsigned int daio_device_index(enum DAIOTYP type, struct hw *hw) switch (type) { case SPDIFOO: return 0; case SPDIFIO: return 0; + case SPDIFI1: return 1; case LINEO1: return 4; case LINEO2: return 7; case LINEO3: return 5; ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: UBSAN: shift-out-of-bounds in sound/pci/ctxfi/cthw20k2.c:956:31 2026-03-16 8:46 ` UBSAN: shift-out-of-bounds in sound/pci/ctxfi/cthw20k2.c:956:31 Takashi Iwai 2026-03-21 19:56 ` Karsten Hohmeier @ 2026-03-28 19:24 ` Karsten Hohmeier 2026-03-29 9:12 ` Takashi Iwai 1 sibling, 1 reply; 5+ messages in thread From: Karsten Hohmeier @ 2026-03-28 19:24 UTC (permalink / raw) To: tiwai; +Cc: linux-kernel, linux-sound, linux Hello Takashi, I applied your one-liner with the previous patch still in place. The module loads and kernel boots without messages. Since the one-liner seemed SPDIF related I also tested the optical in and out and it all works. Idk if it is the hardware or just a quirky implementation, but the SPDIF-in is grouped together with the analog inputs and without enabling those AND turning up SPDIF-in in alsamixer I don't get anything. But I think it has always been like this. Thumbs up from me if you want to turn this into a proper patch again. Regards Karsten ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: UBSAN: shift-out-of-bounds in sound/pci/ctxfi/cthw20k2.c:956:31 2026-03-28 19:24 ` Karsten Hohmeier @ 2026-03-29 9:12 ` Takashi Iwai 0 siblings, 0 replies; 5+ messages in thread From: Takashi Iwai @ 2026-03-29 9:12 UTC (permalink / raw) To: Karsten Hohmeier; +Cc: tiwai, linux-kernel, linux-sound On Sat, 28 Mar 2026 20:24:17 +0100, Karsten Hohmeier wrote: > > Hello Takashi, > > I applied your one-liner with the previous patch still in place. > The module loads and kernel boots without messages. > Since the one-liner seemed SPDIF related I also tested the optical in and out and it all works. > > Idk if it is the hardware or just a quirky implementation, but the SPDIF-in is grouped together with the analog inputs and without enabling those AND turning up SPDIF-in in alsamixer I don't get anything. > But I think it has always been like this. > > Thumbs up from me if you want to turn this into a proper patch again. Thanks for verification! I'm going to submit the proper fix patches. Takashi ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2026-03-29 9:12 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20260315155004.15633-1-linux@hohmatik.de>
2026-03-16 8:46 ` UBSAN: shift-out-of-bounds in sound/pci/ctxfi/cthw20k2.c:956:31 Takashi Iwai
2026-03-21 19:56 ` Karsten Hohmeier
2026-03-27 9:08 ` Takashi Iwai
2026-03-28 19:24 ` Karsten Hohmeier
2026-03-29 9:12 ` Takashi Iwai
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox