Re: UBSAN: shift-out-of-bounds in sound/pci/ctxfi/cthw20k2.c:956:31

Re: UBSAN: shift-out-of-bounds in sound/pci/ctxfi/cthw20k2.c:956:31

[Takashi Iwai]

On Sun, 15 Mar 2026 16:50:04 +0100,
Karsten Hohmeier wrote:
> 
> Hello Takashi,
> 
> Updated to 6.19.8 and got some more UBSAN errors.
> Care to take a look?

Through a quick glance, the patch below should paper over it, but we'd
need to check the printed error values.  You can uncomment
"//dump_stack();" lines to show the stack traces for further
investigation, too.


Takashi

-- 8< --
diff --git a/sound/pci/ctxfi/ctdaio.c b/sound/pci/ctxfi/ctdaio.c
index b8bde27f3a1d..ad465f66e5bc 100644
--- a/sound/pci/ctxfi/ctdaio.c
+++ b/sound/pci/ctxfi/ctdaio.c
@@ -99,7 +99,7 @@ static const struct rsc_ops daio_in_rsc_ops_20k2 = {
 	.output_slot	= daio_index,
 };
 
-static unsigned int daio_device_index(enum DAIOTYP type, struct hw *hw)
+static int daio_device_index(enum DAIOTYP type, struct hw *hw)
 {
 	switch (hw->chip_type) {
 	case ATC20K1:
@@ -112,7 +112,10 @@ static unsigned int daio_device_index(enum DAIOTYP type, struct hw *hw)
 		case LINEO3:	return 5;
 		case LINEO4:	return 6;
 		case LINEIM:	return 7;
-		default:	return -EINVAL;
+		default:
+			pr_err("XXX invalid type %d for hw20k1\n", type);
+			//dump_stack();
+			return -EINVAL;
 		}
 	case ATC20K2:
 		switch (type) {
@@ -125,9 +128,14 @@ static unsigned int daio_device_index(enum DAIOTYP type, struct hw *hw)
 		case LINEIM:	return 4;
 		case MIC:	return 5;
 		case RCA:	return 3;
-		default:	return -EINVAL;
+		default:
+			pr_err("XXX invalid type %d for hw20k2\n", type);
+			//dump_stack();
+			return -EINVAL;
 		}
 	default:
+		pr_err("XXX invalid chip type %d\n", hw->chip_type);
+		//dump_stack();
 		return -EINVAL;
 	}
 }
@@ -148,8 +156,11 @@ static int dao_spdif_set_spos(struct dao *dao, unsigned int spos)
 
 static int dao_commit_write(struct dao *dao)
 {
-	dao->hw->dao_commit_write(dao->hw,
-		daio_device_index(dao->daio.type, dao->hw), dao->ctrl_blk);
+	int idx = daio_device_index(dao->daio.type, dao->hw);
+
+	if (idx < 0)
+		return idx;
+	dao->hw->dao_commit_write(dao->hw, idx, dao->ctrl_blk);
 	return 0;
 }
 
@@ -287,8 +298,11 @@ static int dai_set_enb_srt(struct dai *dai, unsigned int enb)
 
 static int dai_commit_write(struct dai *dai)
 {
-	dai->hw->dai_commit_write(dai->hw,
-		daio_device_index(dai->daio.type, dai->hw), dai->ctrl_blk);
+	int idx = daio_device_index(dai->daio.type, dai->hw);
+
+	if (idx < 0)
+		return idx;
+	dai->hw->dai_commit_write(dai->hw, idx, dai->ctrl_blk);
 	return 0;
 }
 
@@ -367,7 +381,7 @@ static int dao_rsc_init(struct dao *dao,
 {
 	struct hw *hw = mgr->mgr.hw;
 	unsigned int conf;
-	int err;
+	int idx, err;
 
 	err = daio_rsc_init(&dao->daio, desc, mgr->mgr.hw);
 	if (err)
@@ -386,15 +400,18 @@ static int dao_rsc_init(struct dao *dao,
 	if (err)
 		goto error2;
 
-	hw->daio_mgr_dsb_dao(mgr->mgr.ctrl_blk,
-			daio_device_index(dao->daio.type, hw));
+	idx = daio_device_index(dao->daio.type, hw);
+	if (idx < 0) {
+		err = idx;
+		goto error2;
+	}
+
+	hw->daio_mgr_dsb_dao(mgr->mgr.ctrl_blk, idx);
 	hw->daio_mgr_commit_write(hw, mgr->mgr.ctrl_blk);
 
 	conf = (desc->msr & 0x7) | (desc->passthru << 3);
-	hw->daio_mgr_dao_init(hw, mgr->mgr.ctrl_blk,
-			daio_device_index(dao->daio.type, hw), conf);
-	hw->daio_mgr_enb_dao(mgr->mgr.ctrl_blk,
-			daio_device_index(dao->daio.type, hw));
+	hw->daio_mgr_dao_init(hw, mgr->mgr.ctrl_blk, idx, conf);
+	hw->daio_mgr_enb_dao(mgr->mgr.ctrl_blk, idx);
 	hw->daio_mgr_commit_write(hw, mgr->mgr.ctrl_blk);
 
 	return 0;
@@ -443,7 +460,7 @@ static int dai_rsc_init(struct dai *dai,
 			const struct daio_desc *desc,
 			struct daio_mgr *mgr)
 {
-	int err;
+	int idx, err;
 	struct hw *hw = mgr->mgr.hw;
 	unsigned int rsr, msr;
 
@@ -457,6 +474,12 @@ static int dai_rsc_init(struct dai *dai,
 	if (err)
 		goto error1;
 
+	idx = daio_device_index(dai->daio.type, dai->hw);
+	if (idx < 0) {
+		err = idx;
+		goto error1;
+	}
+
 	for (rsr = 0, msr = desc->msr; msr > 1; msr >>= 1)
 		rsr++;
 
@@ -465,8 +488,7 @@ static int dai_rsc_init(struct dai *dai,
 	/* default to disabling control of a SRC */
 	hw->dai_srt_set_ec(dai->ctrl_blk, 0);
 	hw->dai_srt_set_et(dai->ctrl_blk, 0); /* default to disabling SRT */
-	hw->dai_commit_write(hw,
-		daio_device_index(dai->daio.type, dai->hw), dai->ctrl_blk);
+	hw->dai_commit_write(hw, idx, dai->ctrl_blk);
 
 	return 0;
 
@@ -581,28 +603,28 @@ static int put_daio_rsc(struct daio_mgr *mgr, struct daio *daio)
 static int daio_mgr_enb_daio(struct daio_mgr *mgr, struct daio *daio)
 {
 	struct hw *hw = mgr->mgr.hw;
+	int idx = daio_device_index(daio->type, hw);
 
-	if (daio->output) {
-		hw->daio_mgr_enb_dao(mgr->mgr.ctrl_blk,
-				daio_device_index(daio->type, hw));
-	} else {
-		hw->daio_mgr_enb_dai(mgr->mgr.ctrl_blk,
-				daio_device_index(daio->type, hw));
-	}
+	if (idx < 0)
+		return idx;
+	if (daio->output)
+		hw->daio_mgr_enb_dao(mgr->mgr.ctrl_blk, idx);
+	else
+		hw->daio_mgr_enb_dai(mgr->mgr.ctrl_blk, idx);
 	return 0;
 }
 
 static int daio_mgr_dsb_daio(struct daio_mgr *mgr, struct daio *daio)
 {
 	struct hw *hw = mgr->mgr.hw;
+	int idx = daio_device_index(daio->type, hw);
 
-	if (daio->output) {
-		hw->daio_mgr_dsb_dao(mgr->mgr.ctrl_blk,
-				daio_device_index(daio->type, hw));
-	} else {
-		hw->daio_mgr_dsb_dai(mgr->mgr.ctrl_blk,
-				daio_device_index(daio->type, hw));
-	}
+	if (idx < 0)
+		return idx;
+	if (daio->output)
+		hw->daio_mgr_dsb_dao(mgr->mgr.ctrl_blk, idx);
+	else
+		hw->daio_mgr_dsb_dai(mgr->mgr.ctrl_blk, idx);
 	return 0;
 }
 

Re: UBSAN: shift-out-of-bounds in sound/pci/ctxfi/cthw20k2.c:956:31

[Karsten Hohmeier]

Hello Takashi,

I applied your patch and uncommented the stack dumps.
Here is what I get.

Mar 21 20:41:34 dtest kernel: XXX invalid type 9 for hw20k2
Mar 21 20:41:34 dtest kernel: CPU: 8 UID: 0 PID: 535 Comm: (udev-worker) Tainted: G           OE       6.19.8 #2 PREEMPT(lazy) 
Mar 21 20:41:34 dtest kernel: Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Mar 21 20:41:34 dtest kernel: Hardware name: To Be Filled By O.E.M. A320M-DVS R4.0/A320M-DVS R4.0, BIOS P10.44 02/23/2026
Mar 21 20:41:34 dtest kernel: Call Trace:
Mar 21 20:41:34 dtest kernel:  <TASK>
Mar 21 20:41:34 dtest kernel:  dump_stack_lvl+0x5d/0x80
Mar 21 20:41:34 dtest kernel:  daio_device_index.isra.0.cold+0x13/0x45 [snd_ctxfi]
Mar 21 20:41:34 dtest kernel:  get_daio_rsc+0x1d1/0x2c0 [snd_ctxfi]
Mar 21 20:41:34 dtest kernel:  atc_get_resources+0x161/0x380 [snd_ctxfi]
Mar 21 20:41:34 dtest kernel:  ct_atc_create+0x3ec/0x540 [snd_ctxfi]
Mar 21 20:41:34 dtest kernel:  ct_card_probe+0x104/0x2c0 [snd_ctxfi]
Mar 21 20:41:34 dtest kernel:  local_pci_probe+0x42/0x90
Mar 21 20:41:34 dtest kernel:  pci_device_probe+0xda/0x2b0
Mar 21 20:41:34 dtest kernel:  ? sysfs_do_create_link_sd+0x6d/0xd0
Mar 21 20:41:34 dtest kernel:  really_probe+0xde/0x380
Mar 21 20:41:34 dtest kernel:  __driver_probe_device+0x78/0x150
Mar 21 20:41:34 dtest kernel:  driver_probe_device+0x1f/0xa0
Mar 21 20:41:34 dtest kernel:  ? __pfx___driver_attach+0x10/0x10
Mar 21 20:41:34 dtest kernel:  __driver_attach+0xcb/0x200
Mar 21 20:41:34 dtest kernel:  bus_for_each_dev+0x85/0xd0
Mar 21 20:41:34 dtest kernel:  bus_add_driver+0x118/0x200
Mar 21 20:41:34 dtest kernel:  ? __pfx_ct_driver_init+0x10/0x10 [snd_ctxfi]
Mar 21 20:41:34 dtest kernel:  driver_register+0x75/0xe0
Mar 21 20:41:34 dtest kernel:  do_one_initcall+0x5b/0x300
Mar 21 20:41:34 dtest kernel:  do_init_module+0x62/0x250
Mar 21 20:41:34 dtest kernel:  init_module_from_file+0xd8/0x140
Mar 21 20:41:34 dtest kernel:  idempotent_init_module+0x114/0x310
Mar 21 20:41:34 dtest kernel:  __x64_sys_finit_module+0x71/0xe0
Mar 21 20:41:34 dtest kernel:  ? syscall_trace_enter+0x8d/0x1d0
Mar 21 20:41:34 dtest kernel:  do_syscall_64+0x81/0x600
Mar 21 20:41:34 dtest kernel:  ? vfs_read+0x165/0x390
Mar 21 20:41:34 dtest kernel:  ? vfs_read+0x165/0x390
Mar 21 20:41:34 dtest kernel:  ? restore_fpregs_from_fpstate+0x46/0xa0
Mar 21 20:41:34 dtest kernel:  ? switch_fpu_return+0x5b/0xe0
Mar 21 20:41:34 dtest kernel:  ? do_syscall_64+0x245/0x600
Mar 21 20:41:34 dtest kernel:  ? exc_page_fault+0x7e/0x1a0
Mar 21 20:41:34 dtest kernel:  entry_SYSCALL_64_after_hwframe+0x76/0x7e
Mar 21 20:41:34 dtest kernel: RIP: 0033:0x7ff26a11bc29
Mar 21 20:41:34 dtest kernel: Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b7 51 0d 0>
Mar 21 20:41:34 dtest kernel: RSP: 002b:00007ffcf4bdf7c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
Mar 21 20:41:34 dtest kernel: RAX: ffffffffffffffda RBX: 000055a12d9ec2b0 RCX: 00007ff26a11bc29
Mar 21 20:41:34 dtest kernel: RDX: 0000000000000004 RSI: 00007ff2696e844d RDI: 000000000000004d
Mar 21 20:41:34 dtest kernel: RBP: 0000000000000004 R08: 0000000000000000 R09: 000055a12d5e1670
Mar 21 20:41:34 dtest kernel: R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000020000
Mar 21 20:41:34 dtest kernel: R13: 00007ff2696e844d R14: 000055a12d9e7720 R15: 0000000000000000
Mar 21 20:41:34 dtest kernel:  </TASK>
Mar 21 20:41:34 dtest kernel: snd_ctxfi 0000:05:00.0: Failed to get DAIO resource 9!!!
Mar 21 20:41:34 dtest kernel: snd_ctxfi 0000:05:00.0: Something wrong!!!
Mar 21 20:41:34 dtest kernel: snd_ctxfi 0000:05:00.0: probe with driver snd_ctxfi failed with error -22

Sorry, that it takes a while for me to test, but I only have access to this machine on weekends.

Regards

Karsten

Re: UBSAN: shift-out-of-bounds in sound/pci/ctxfi/cthw20k2.c:956:31

[Takashi Iwai]

On Sat, 21 Mar 2026 20:56:21 +0100,
Karsten Hohmeier wrote:
> 
> Hello Takashi,
> 
> I applied your patch and uncommented the stack dumps.
> Here is what I get.
> 
> Mar 21 20:41:34 dtest kernel: XXX invalid type 9 for hw20k2

Thanks, this looks like the cause.
Could you try the following one-liner?


thanks,

Takashi

--- a/sound/pci/ctxfi/ctdaio.c
+++ b/sound/pci/ctxfi/ctdaio.c
@@ -118,6 +118,7 @@ static unsigned int daio_device_index(enum DAIOTYP type, struct hw *hw)
 		switch (type) {
 		case SPDIFOO:	return 0;
 		case SPDIFIO:	return 0;
+		case SPDIFI1:	return 1;
 		case LINEO1:	return 4;
 		case LINEO2:	return 7;
 		case LINEO3:	return 5;

Re: UBSAN: shift-out-of-bounds in sound/pci/ctxfi/cthw20k2.c:956:31

[Karsten Hohmeier]

Hello Takashi,

I applied your one-liner with the previous patch still in place.
The module loads and kernel boots without messages.
Since the one-liner seemed SPDIF related I also tested the optical in and out and it all works.

Idk if it is the hardware or just a quirky implementation, but the SPDIF-in is grouped together with the analog inputs and without enabling those AND turning up SPDIF-in in alsamixer I don't get anything.
But I think it has always been like this.

Thumbs up from me if you want to turn this into a proper patch again.

Regards

Karsten

Re: UBSAN: shift-out-of-bounds in sound/pci/ctxfi/cthw20k2.c:956:31

[Takashi Iwai]

On Sat, 28 Mar 2026 20:24:17 +0100,
Karsten Hohmeier wrote:
> 
> Hello Takashi,
> 
> I applied your one-liner with the previous patch still in place.
> The module loads and kernel boots without messages.
> Since the one-liner seemed SPDIF related I also tested the optical in and out and it all works.
> 
> Idk if it is the hardware or just a quirky implementation, but the SPDIF-in is grouped together with the analog inputs and without enabling those AND turning up SPDIF-in in alsamixer I don't get anything.
> But I think it has always been like this.
> 
> Thumbs up from me if you want to turn this into a proper patch again.

Thanks for verification!  I'm going to submit the proper fix patches.


Takashi