From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Takashi Sakamoto <o-takashi@sakamocchi.jp>,
Takashi Iwai <tiwai@suse.de>
Subject: [PATCH 4.16 06/52] ALSA: dice: fix kernel NULL pointer dereference due to invalid calculation for array index
Date: Tue, 8 May 2018 10:10:04 +0200 [thread overview]
Message-ID: <20180508073928.849975950@linuxfoundation.org> (raw)
In-Reply-To: <20180508073928.058320984@linuxfoundation.org>
4.16-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
commit 52759c0963510a2843774aac9b65ccaed3308dc0 upstream.
At a commit f91c9d7610a ('ALSA: firewire-lib: cache maximum length of
payload to reduce function calls'), maximum size of payload for tx
isochronous packet is cached to reduce the number of function calls.
This cache was programmed to updated at a first callback of ohci1394 IR
context. However, the maximum size is required to queueing packets before
starting the isochronous context.
As a result, the cached value is reused to queue packets in next time to
starting the isochronous context. Then the cache is updated in a first
callback of the isochronous context. This can cause kernel NULL pointer
dereference in a below call graph:
(sound/firewire/amdtp-stream.c)
amdtp_stream_start()
->queue_in_packet()
->queue_packet()
(drivers/firewire/core-iso.c)
->fw_iso_context_queue()
->struct fw_card_driver.queue_iso()
(drivers/firewire/ohci.c)
= ohci_queue_iso()
->queue_iso_packet_per_buffer()
buffer->pages[page]
The issued dereference occurs in a case that:
- target unit supports different stream formats for sampling transmission
frequency.
- maximum length of payload for tx stream in a first trial is bigger
than the length in a second trial.
In this case, correct number of pages are allocated for DMA and the 'pages'
array has enough elements, while index of the element is wrongly calculated
according to the old value of length of payload in a call of
'queue_in_packet()'. Then it causes the issue.
This commit fixes the critical bug. This affects all of drivers in ALSA
firewire stack in Linux kernel v4.12 or later.
[12665.302360] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
[12665.302415] IP: ohci_queue_iso+0x47c/0x800 [firewire_ohci]
[12665.302439] PGD 0
[12665.302440] P4D 0
[12665.302450]
[12665.302470] Oops: 0000 [#1] SMP PTI
[12665.302487] Modules linked in: ...
[12665.303096] CPU: 1 PID: 12760 Comm: jackd Tainted: P OE 4.13.0-38-generic #43-Ubuntu
[12665.303154] Hardware name: /DH77DF, BIOS KCH7710H.86A.0069.2012.0224.1825 02/24/2012
[12665.303215] task: ffff9ce87da2ae80 task.stack: ffffb5b8823d0000
[12665.303258] RIP: 0010:ohci_queue_iso+0x47c/0x800 [firewire_ohci]
[12665.303301] RSP: 0018:ffffb5b8823d3ab8 EFLAGS: 00010086
[12665.303337] RAX: ffff9ce4f4876930 RBX: 0000000000000008 RCX: ffff9ce88a3955e0
[12665.303384] RDX: 0000000000000000 RSI: 0000000034877f00 RDI: 0000000000000000
[12665.303427] RBP: ffffb5b8823d3b68 R08: ffff9ce8ccb390a0 R09: ffff9ce877639ab0
[12665.303475] R10: 0000000000000108 R11: 0000000000000000 R12: 0000000000000003
[12665.303513] R13: 0000000000000000 R14: ffff9ce4f4876950 R15: 0000000000000000
[12665.303554] FS: 00007f2ec467f8c0(0000) GS:ffff9ce8df280000(0000) knlGS:0000000000000000
[12665.303600] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[12665.303633] CR2: 0000000000000030 CR3: 00000002dcf90004 CR4: 00000000000606e0
[12665.303674] Call Trace:
[12665.303698] fw_iso_context_queue+0x18/0x20 [firewire_core]
[12665.303735] queue_packet+0x88/0xe0 [snd_firewire_lib]
[12665.303770] amdtp_stream_start+0x19b/0x270 [snd_firewire_lib]
[12665.303811] start_streams+0x276/0x3c0 [snd_dice]
[12665.303840] snd_dice_stream_start_duplex+0x1bf/0x480 [snd_dice]
[12665.303882] ? vma_gap_callbacks_rotate+0x1e/0x30
[12665.303914] ? __rb_insert_augmented+0xab/0x240
[12665.303936] capture_prepare+0x3c/0x70 [snd_dice]
[12665.303961] snd_pcm_do_prepare+0x1d/0x30 [snd_pcm]
[12665.303985] snd_pcm_action_single+0x3b/0x90 [snd_pcm]
[12665.304009] snd_pcm_action_nonatomic+0x68/0x70 [snd_pcm]
[12665.304035] snd_pcm_prepare+0x68/0x90 [snd_pcm]
[12665.304058] snd_pcm_common_ioctl1+0x4c0/0x940 [snd_pcm]
[12665.304083] snd_pcm_capture_ioctl1+0x19b/0x250 [snd_pcm]
[12665.304108] snd_pcm_capture_ioctl+0x27/0x40 [snd_pcm]
[12665.304131] do_vfs_ioctl+0xa8/0x630
[12665.304148] ? entry_SYSCALL_64_after_hwframe+0xe9/0x139
[12665.304172] ? entry_SYSCALL_64_after_hwframe+0xe2/0x139
[12665.304195] ? entry_SYSCALL_64_after_hwframe+0xdb/0x139
[12665.304218] ? entry_SYSCALL_64_after_hwframe+0xd4/0x139
[12665.304242] ? entry_SYSCALL_64_after_hwframe+0xcd/0x139
[12665.304265] ? entry_SYSCALL_64_after_hwframe+0xc6/0x139
[12665.304288] ? entry_SYSCALL_64_after_hwframe+0xbf/0x139
[12665.304312] ? entry_SYSCALL_64_after_hwframe+0xb8/0x139
[12665.304335] ? entry_SYSCALL_64_after_hwframe+0xb1/0x139
[12665.304358] SyS_ioctl+0x79/0x90
[12665.304374] ? entry_SYSCALL_64_after_hwframe+0x72/0x139
[12665.304397] entry_SYSCALL_64_fastpath+0x24/0xab
[12665.304417] RIP: 0033:0x7f2ec3750ef7
[12665.304433] RSP: 002b:00007fff99e31388 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[12665.304465] RAX: ffffffffffffffda RBX: 00007fff99e312f0 RCX: 00007f2ec3750ef7
[12665.304494] RDX: 0000000000000000 RSI: 0000000000004140 RDI: 0000000000000007
[12665.304522] RBP: 0000556ebc63fd60 R08: 0000556ebc640560 R09: 0000000000000000
[12665.304553] R10: 0000000000000001 R11: 0000000000000246 R12: 0000556ebc63fcf0
[12665.304584] R13: 0000000000000000 R14: 0000000000000007 R15: 0000000000000000
[12665.304612] Code: 01 00 00 44 89 eb 45 31 ed 45 31 db 66 41 89 1e 66 41 89 5e 0c 66 45 89 5e 0e 49 8b 49 08 49 63 d4 4d 85 c0 49 63 ff 48 8b 14 d1 <48> 8b 72 30 41 8d 14 37 41 89 56 04 48 63 d3 0f 84 ce 00 00 00
[12665.304713] RIP: ohci_queue_iso+0x47c/0x800 [firewire_ohci] RSP: ffffb5b8823d3ab8
[12665.304743] CR2: 0000000000000030
[12665.317701] ---[ end trace 9d55b056dd52a19f ]---
Fixes: f91c9d7610a ('ALSA: firewire-lib: cache maximum length of payload to reduce function calls')
Cc: <stable@vger.kernel.org> # v4.12+
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/firewire/amdtp-stream.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/sound/firewire/amdtp-stream.c
+++ b/sound/firewire/amdtp-stream.c
@@ -773,8 +773,6 @@ static void amdtp_stream_first_callback(
u32 cycle;
unsigned int packets;
- s->max_payload_length = amdtp_stream_get_max_payload(s);
-
/*
* For in-stream, first packet has come.
* For out-stream, prepared to transmit first packet
@@ -879,6 +877,9 @@ int amdtp_stream_start(struct amdtp_stre
amdtp_stream_update(s);
+ if (s->direction == AMDTP_IN_STREAM)
+ s->max_payload_length = amdtp_stream_get_max_payload(s);
+
if (s->flags & CIP_NO_HEADER)
s->tag = TAG_NO_CIP_HEADER;
else
next prev parent reply other threads:[~2018-05-08 8:12 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-08 8:09 [PATCH 4.16 00/52] 4.16.8-stable review Greg Kroah-Hartman
2018-05-08 8:09 ` [PATCH 4.16 01/52] ACPI / button: make module loadable when booted in non-ACPI mode Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 02/52] arm64: Add work around for Arm Cortex-A55 Erratum 1024718 Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 03/52] ALSA: hda - Fix incorrect usage of IS_REACHABLE() Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 04/52] ALSA: pcm: Check PCM state at xfern compat ioctl Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 05/52] ALSA: seq: Fix races at MIDI encoding in snd_virmidi_output_trigger() Greg Kroah-Hartman
2018-05-08 8:10 ` Greg Kroah-Hartman [this message]
2018-05-08 8:10 ` [PATCH 4.16 07/52] ALSA: aloop: Mark paused device as inactive Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 08/52] ALSA: aloop: Add missing cable lock to ctl API callbacks Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 09/52] errseq: Always report a writeback error once Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 10/52] tracepoint: Do not warn on ENOMEM Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 11/52] scsi: target: Fix fortify_panic kernel exception Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 12/52] Input: leds - fix out of bound access Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 13/52] Input: atmel_mxt_ts - add touchpad button mapping for Samsung Chromebook Pro Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 15/52] rtlwifi: cleanup 8723be ant_sel definition Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 16/52] xfs: prevent creating negative-sized file via INSERT_RANGE Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 17/52] tools: power/acpi, revert to LD = gcc Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 18/52] RDMA/cxgb4: release hw resources on device removal Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 19/52] RDMA/ucma: Allow resolving address w/o specifying source address Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 20/52] RDMA/mlx5: Fix multiple NULL-ptr deref errors in rereg_mr flow Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 21/52] RDMA/mlx4: Add missed RSS hash inner header flag Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 22/52] RDMA/mlx5: Protect from shift operand overflow Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 24/52] IB/mlx5: Use unlimited rate when static rate is not supported Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 25/52] infiniband: mlx5: fix build errors when INFINIBAND_USER_ACCESS=m Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 26/52] IB/hfi1: Fix handling of FECN marked multicast packet Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 27/52] IB/hfi1: Fix loss of BECN with AHG Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 28/52] IB/hfi1: Fix NULL pointer dereference when invalid num_vls is used Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 29/52] iw_cxgb4: Atomically flush per QP HW CQEs Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 30/52] btrfs: Take trans lock before access running trans in check_delayed_ref Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 31/52] drm/vc4: Make sure vc4_bo_{inc,dec}_usecnt() calls are balanced Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 32/52] drm/vmwgfx: Fix a buffer object leak Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 33/52] drm/bridge: vga-dac: Fix edid memory leak Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 34/52] test_firmware: fix setting old custom fw path back on exit, second try Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 35/52] xhci: Fix use-after-free in xhci_free_virt_device Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 36/52] USB: serial: visor: handle potential invalid device configuration Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 37/52] usb: dwc3: gadget: Fix list_del corruption in dwc3_ep_dequeue Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 38/52] USB: Accept bulk endpoints with 1024-byte maxpacket Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 39/52] USB: serial: option: reimplement interface masking Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 41/52] usb: musb: host: fix potential NULL pointer dereference Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 42/52] usb: musb: trace: fix NULL pointer dereference in musb_g_tx() Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 44/52] platform/x86: Kconfig: Fix dell-laptop dependency chain Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 46/52] x86/tsc: Always unregister clocksource_tsc_early Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 47/52] x86/tsc: Fix mark_tsc_unstable() Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 48/52] irqchip/qcom: Fix check for spurious interrupts Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 49/52] clocksource: Allow clocksource_mark_unstable() on unregistered clocksources Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 50/52] clocksource: Initialize cs->wd_list Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 51/52] clocksource: Consistent de-rate when marking unstable Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 52/52] tracing: Fix bad use of igrab in trace_uprobe.c Greg Kroah-Hartman
2018-05-08 16:22 ` [PATCH 4.16 00/52] 4.16.8-stable review Guenter Roeck
2018-05-08 17:52 ` Greg Kroah-Hartman
2018-05-08 17:56 ` Naresh Kamboju
2018-05-08 18:48 ` Greg Kroah-Hartman
2018-05-08 23:53 ` Shuah Khan
2018-05-09 7:32 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180508073928.849975950@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=o-takashi@sakamocchi.jp \
--cc=stable@vger.kernel.org \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).