[PATCH] ASoC:codecs: lpass: Fix for KASAN use_after_free out of bounds
When we run syzkaller we get below Out of Bounds error.
"KASAN: slab-out-of-bounds Read in regcache_flat_read"
Below is the backtrace of the issue:
BUG: KASAN: slab-out-of-bounds in regcache_flat_read+0x10c/0x110 Read of size 4 at addr ffffff8088fbf714 by task syz-executor.4/14144 CPU: 6 PID: 14144 Comm: syz-executor.4 Tainted: G W Hardware name: Qualcomm Technologies, Inc. sc7280 CRD platform (rev5+) (DT) Call trace: dump_backtrace+0x0/0x4ec show_stack+0x34/0x50 dump_stack_lvl+0xdc/0x11c print_address_description+0x30/0x2d8 kasan_report+0x178/0x1e4 __asan_report_load4_noabort+0x44/0x50 regcache_flat_read+0x10c/0x110 regcache_read+0xf8/0x5a0 _regmap_read+0x45c/0x86c _regmap_update_bits+0x128/0x290 regmap_update_bits_base+0xc0/0x15c snd_soc_component_update_bits+0xa8/0x22c snd_soc_component_write_field+0x68/0xd4 tx_macro_put_dec_enum+0x1d0/0x268 snd_ctl_elem_write+0x288/0x474
By Error checking and checking valid values issue gets rectifies.
Signed-off-by: Ravulapati Vishnu Vardhan Rao quic_visr@quicinc.com --- sound/soc/codecs/lpass-tx-macro.c | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/sound/soc/codecs/lpass-tx-macro.c b/sound/soc/codecs/lpass-tx-macro.c index da6fcf7f0991..6575b0bb6a47 100644 --- a/sound/soc/codecs/lpass-tx-macro.c +++ b/sound/soc/codecs/lpass-tx-macro.c @@ -746,6 +746,10 @@ static int tx_macro_put_dec_enum(struct snd_kcontrol *kcontrol, struct tx_macro *tx = snd_soc_component_get_drvdata(component);
val = ucontrol->value.enumerated.item[0]; + if (val < 0 && val > 15) { + dev_err(component->dev, "Wrong value for DMIC configuration"); + return -EINVAL; + }
switch (e->reg) { case CDC_TX_INP_MUX_ADC_MUX0_CFG0: @@ -772,6 +776,9 @@ static int tx_macro_put_dec_enum(struct snd_kcontrol *kcontrol, case CDC_TX_INP_MUX_ADC_MUX7_CFG0: mic_sel_reg = CDC_TX7_TX_PATH_CFG0; break; + default: + dev_err(component->dev, "Error in configuration!!\n"); + return -EINVAL; }
if (val != 0) { @@ -785,13 +792,19 @@ static int tx_macro_put_dec_enum(struct snd_kcontrol *kcontrol, snd_soc_component_write_field(component, mic_sel_reg, CDC_TXn_ADC_DMIC_SEL_MASK, 1); dmic = TX_ADC_TO_DMIC(val); - dmic_clk_reg = CDC_TX_TOP_CSR_SWR_DMICn_CTL(dmic); - snd_soc_component_write_field(component, dmic_clk_reg, - CDC_TX_SWR_DMIC_CLK_SEL_MASK, - tx->dmic_clk_div); + if (dmic < 4) { + dmic_clk_reg = CDC_TX_TOP_CSR_SWR_DMICn_CTL(dmic); + snd_soc_component_write_field(component, dmic_clk_reg, + CDC_TX_SWR_DMIC_CLK_SEL_MASK, + tx->dmic_clk_div); + } else { + dev_err(component->dev, "dmic for clk sel is wrong, + expected less than 4 but received %d\n", dmic); + return -EINVAL; + } + } } - return snd_soc_dapm_put_enum_double(kcontrol, ucontrol); }
On Tue, May 09, 2023 at 11:43:21AM +0530, Ravulapati Vishnu Vardhan Rao wrote:
val = ucontrol->value.enumerated.item[0];
- if (val < 0 && val > 15) {
dev_err(component->dev, "Wrong value for DMIC configuration");return -EINVAL;- }
This allows userspace to spam the system logs, no error should be printed for something like this which can be trivially triggered from userspace.
Hi Ravulapati,
kernel test robot noticed the following build warnings:
[auto build test WARNING on broonie-sound/for-next] [also build test WARNING on linus/master v6.4-rc1 next-20230509] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Ravulapati-Vishnu-Vardhan-Rao... base: https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-next patch link: https://lore.kernel.org/r/20230509061321.10218-1-quic_visr%40quicinc.com patch subject: [PATCH] ASoC:codecs: lpass: Fix for KASAN use_after_free out of bounds config: ia64-allyesconfig (https://download.01.org/0day-ci/archive/20230509/202305091640.yA163Rrh-lkp@i...) compiler: ia64-linux-gcc (GCC) 12.1.0 reproduce (this is a W=1 build): wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # https://github.com/intel-lab-lkp/linux/commit/83fb508f4eb95e9495f0e440b47226... git remote add linux-review https://github.com/intel-lab-lkp/linux git fetch --no-tags linux-review Ravulapati-Vishnu-Vardhan-Rao/ASoC-codecs-lpass-Fix-for-KASAN-use_after_free-out-of-bounds/20230509-141447 git checkout 83fb508f4eb95e9495f0e440b47226040e3b4efc # save the config file mkdir build_dir && cp config build_dir/.config COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=ia64 olddefconfig COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=ia64 SHELL=/bin/bash sound/soc/
If you fix the issue, kindly add following tag where applicable | Reported-by: kernel test robot lkp@intel.com | Link: https://lore.kernel.org/oe-kbuild-all/202305091640.yA163Rrh-lkp@intel.com/
All warnings (new ones prefixed by >>):
sound/soc/codecs/lpass-tx-macro.c: In function 'tx_macro_put_dec_enum':
sound/soc/codecs/lpass-tx-macro.c:801:57: warning: missing terminating " character
801 | dev_err(component->dev, "dmic for clk sel is wrong, | ^ sound/soc/codecs/lpass-tx-macro.c:802:79: warning: missing terminating " character 802 | expected less than 4 but received %d\n", dmic); | ^ sound/soc/codecs/lpass-tx-macro.c:2199:23: error: unterminated argument list invoking macro "dev_err" 2199 | MODULE_LICENSE("GPL"); | ^ sound/soc/codecs/lpass-tx-macro.c:801:33: error: 'dev_err' undeclared (first use in this function); did you mean '_dev_err'? 801 | dev_err(component->dev, "dmic for clk sel is wrong, | ^~~~~~~ | _dev_err sound/soc/codecs/lpass-tx-macro.c:801:33: note: each undeclared identifier is reported only once for each function it appears in sound/soc/codecs/lpass-tx-macro.c:801:40: error: expected ';' at end of input 801 | dev_err(component->dev, "dmic for clk sel is wrong, | ^ | ; ...... sound/soc/codecs/lpass-tx-macro.c:801:33: error: expected declaration or statement at end of input 801 | dev_err(component->dev, "dmic for clk sel is wrong, | ^~~~~~~ sound/soc/codecs/lpass-tx-macro.c:801:33: error: expected declaration or statement at end of input sound/soc/codecs/lpass-tx-macro.c:788:19: note: '-Wmisleading-indentation' is disabled from this point onwards, since column-tracking was disabled due to the size of the code/headers 788 | } else if (val < 5) { | ^~~~ sound/soc/codecs/lpass-tx-macro.c:788:19: note: adding '-flarge-source-files' will allow for more column-tracking support, at the expense of compilation time and memory sound/soc/codecs/lpass-tx-macro.c:801:33: error: expected declaration or statement at end of input 801 | dev_err(component->dev, "dmic for clk sel is wrong, | ^~~~~~~ sound/soc/codecs/lpass-tx-macro.c:801:33: error: expected declaration or statement at end of input sound/soc/codecs/lpass-tx-macro.c: At top level: sound/soc/codecs/lpass-tx-macro.c:737:12: warning: 'tx_macro_put_dec_enum' defined but not used [-Wunused-function] 737 | static int tx_macro_put_dec_enum(struct snd_kcontrol *kcontrol, | ^~~~~~~~~~~~~~~~~~~~~ sound/soc/codecs/lpass-tx-macro.c:717:12: warning: 'tx_macro_mclk_event' defined but not used [-Wunused-function] 717 | static int tx_macro_mclk_event(struct snd_soc_dapm_widget *w, | ^~~~~~~~~~~~~~~~~~~ sound/soc/codecs/lpass-tx-macro.c:699:13: warning: 'tx_macro_mute_update_callback' defined but not used [-Wunused-function] 699 | static void tx_macro_mute_update_callback(struct work_struct *work) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ sound/soc/codecs/lpass-tx-macro.c:655:13: warning: 'tx_macro_tx_hpf_corner_freq_callback' defined but not used [-Wunused-function] 655 | static void tx_macro_tx_hpf_corner_freq_callback(struct work_struct *work) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ sound/soc/codecs/lpass-tx-macro.c:587:35: warning: 'tx_regmap_config' defined but not used [-Wunused-const-variable=] 587 | static const struct regmap_config tx_regmap_config = { | ^~~~~~~~~~~~~~~~ In file included from include/sound/tlv.h:10, from sound/soc/codecs/lpass-tx-macro.c:13: sound/soc/codecs/lpass-tx-macro.c:281:35: warning: 'digital_gain' defined but not used [-Wunused-const-variable=] 281 | static const DECLARE_TLV_DB_SCALE(digital_gain, -8400, 100, -8400); | ^~~~~~~~~~~~ include/uapi/sound/tlv.h:53:22: note: in definition of macro 'SNDRV_CTL_TLVD_DECLARE_DB_SCALE' 53 | unsigned int name[] = { \ | ^~~~ sound/soc/codecs/lpass-tx-macro.c:281:14: note: in expansion of macro 'DECLARE_TLV_DB_SCALE' 281 | static const DECLARE_TLV_DB_SCALE(digital_gain, -8400, 100, -8400); | ^~~~~~~~~~~~~~~~~~~~
vim +801 sound/soc/codecs/lpass-tx-macro.c
736 737 static int tx_macro_put_dec_enum(struct snd_kcontrol *kcontrol, 738 struct snd_ctl_elem_value *ucontrol) 739 { 740 struct snd_soc_dapm_widget *widget = snd_soc_dapm_kcontrol_widget(kcontrol); 741 struct snd_soc_component *component = snd_soc_dapm_to_component(widget->dapm); 742 struct soc_enum *e = (struct soc_enum *)kcontrol->private_value; 743 unsigned int val, dmic; 744 u16 mic_sel_reg; 745 u16 dmic_clk_reg; 746 struct tx_macro *tx = snd_soc_component_get_drvdata(component); 747 748 val = ucontrol->value.enumerated.item[0]; 749 if (val < 0 && val > 15) { 750 dev_err(component->dev, "Wrong value for DMIC configuration"); 751 return -EINVAL; 752 } 753 754 switch (e->reg) { 755 case CDC_TX_INP_MUX_ADC_MUX0_CFG0: 756 mic_sel_reg = CDC_TX0_TX_PATH_CFG0; 757 break; 758 case CDC_TX_INP_MUX_ADC_MUX1_CFG0: 759 mic_sel_reg = CDC_TX1_TX_PATH_CFG0; 760 break; 761 case CDC_TX_INP_MUX_ADC_MUX2_CFG0: 762 mic_sel_reg = CDC_TX2_TX_PATH_CFG0; 763 break; 764 case CDC_TX_INP_MUX_ADC_MUX3_CFG0: 765 mic_sel_reg = CDC_TX3_TX_PATH_CFG0; 766 break; 767 case CDC_TX_INP_MUX_ADC_MUX4_CFG0: 768 mic_sel_reg = CDC_TX4_TX_PATH_CFG0; 769 break; 770 case CDC_TX_INP_MUX_ADC_MUX5_CFG0: 771 mic_sel_reg = CDC_TX5_TX_PATH_CFG0; 772 break; 773 case CDC_TX_INP_MUX_ADC_MUX6_CFG0: 774 mic_sel_reg = CDC_TX6_TX_PATH_CFG0; 775 break; 776 case CDC_TX_INP_MUX_ADC_MUX7_CFG0: 777 mic_sel_reg = CDC_TX7_TX_PATH_CFG0; 778 break; 779 default: 780 dev_err(component->dev, "Error in configuration!!\n"); 781 return -EINVAL; 782 } 783 784 if (val != 0) { 785 if (widget->shift) { /* MSM DMIC */ 786 snd_soc_component_write_field(component, mic_sel_reg, 787 CDC_TXn_ADC_DMIC_SEL_MASK, 1); 788 } else if (val < 5) { 789 snd_soc_component_write_field(component, mic_sel_reg, 790 CDC_TXn_ADC_DMIC_SEL_MASK, 0); 791 } else { 792 snd_soc_component_write_field(component, mic_sel_reg, 793 CDC_TXn_ADC_DMIC_SEL_MASK, 1); 794 dmic = TX_ADC_TO_DMIC(val); 795 if (dmic < 4) { 796 dmic_clk_reg = CDC_TX_TOP_CSR_SWR_DMICn_CTL(dmic); 797 snd_soc_component_write_field(component, dmic_clk_reg, 798 CDC_TX_SWR_DMIC_CLK_SEL_MASK, 799 tx->dmic_clk_div); 800 } else {
801 dev_err(component->dev, "dmic for clk sel is wrong,
802 expected less than 4 but received %d\n", dmic); 803 return -EINVAL; 804 } 805 806 } 807 } 808 return snd_soc_dapm_put_enum_double(kcontrol, ucontrol); 809 } 810
Hi Ravulapati,
kernel test robot noticed the following build warnings:
[auto build test WARNING on broonie-sound/for-next] [also build test WARNING on linus/master v6.4-rc1 next-20230509] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Ravulapati-Vishnu-Vardhan-Rao... base: https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-next patch link: https://lore.kernel.org/r/20230509061321.10218-1-quic_visr%40quicinc.com patch subject: [PATCH] ASoC:codecs: lpass: Fix for KASAN use_after_free out of bounds config: x86_64-allmodconfig (https://download.01.org/0day-ci/archive/20230509/202305091655.6KwfcuWa-lkp@i...) compiler: gcc-11 (Debian 11.3.0-12) 11.3.0 reproduce (this is a W=1 build): # https://github.com/intel-lab-lkp/linux/commit/83fb508f4eb95e9495f0e440b47226... git remote add linux-review https://github.com/intel-lab-lkp/linux git fetch --no-tags linux-review Ravulapati-Vishnu-Vardhan-Rao/ASoC-codecs-lpass-Fix-for-KASAN-use_after_free-out-of-bounds/20230509-141447 git checkout 83fb508f4eb95e9495f0e440b47226040e3b4efc # save the config file mkdir build_dir && cp config build_dir/.config make W=1 O=build_dir ARCH=x86_64 olddefconfig make W=1 O=build_dir ARCH=x86_64 SHELL=/bin/bash sound/soc/
If you fix the issue, kindly add following tag where applicable | Reported-by: kernel test robot lkp@intel.com | Link: https://lore.kernel.org/oe-kbuild-all/202305091655.6KwfcuWa-lkp@intel.com/
All warnings (new ones prefixed by >>):
sound/soc/codecs/lpass-tx-macro.c: In function 'tx_macro_put_dec_enum': sound/soc/codecs/lpass-tx-macro.c:801:57: warning: missing terminating " character 801 | dev_err(component->dev, "dmic for clk sel is wrong, | ^ sound/soc/codecs/lpass-tx-macro.c:802:79: warning: missing terminating " character 802 | expected less than 4 but received %d\n", dmic); | ^ sound/soc/codecs/lpass-tx-macro.c:2199:23: error: unterminated argument list invoking macro "dev_err" 2199 | MODULE_LICENSE("GPL"); | ^ sound/soc/codecs/lpass-tx-macro.c:801:33: error: 'dev_err' undeclared (first use in this function); did you mean '_dev_err'? 801 | dev_err(component->dev, "dmic for clk sel is wrong, | ^~~~~~~ | _dev_err sound/soc/codecs/lpass-tx-macro.c:801:33: note: each undeclared identifier is reported only once for each function it appears in sound/soc/codecs/lpass-tx-macro.c:801:40: error: expected ';' at end of input 801 | dev_err(component->dev, "dmic for clk sel is wrong, | ^ | ; ...... sound/soc/codecs/lpass-tx-macro.c:801:33: error: expected declaration or statement at end of input 801 | dev_err(component->dev, "dmic for clk sel is wrong, | ^~~~~~~ sound/soc/codecs/lpass-tx-macro.c:801:33: error: expected declaration or statement at end of input sound/soc/codecs/lpass-tx-macro.c:788:19: note: '-Wmisleading-indentation' is disabled from this point onwards, since column-tracking was disabled due to the size of the code/headers 788 | } else if (val < 5) { | ^~~~ sound/soc/codecs/lpass-tx-macro.c:788:19: note: adding '-flarge-source-files' will allow for more column-tracking support, at the expense of compilation time and memory sound/soc/codecs/lpass-tx-macro.c:801:33: error: expected declaration or statement at end of input 801 | dev_err(component->dev, "dmic for clk sel is wrong, | ^~~~~~~ sound/soc/codecs/lpass-tx-macro.c:801:33: error: expected declaration or statement at end of input At top level: sound/soc/codecs/lpass-tx-macro.c:737:12: warning: 'tx_macro_put_dec_enum' defined but not used [-Wunused-function] 737 | static int tx_macro_put_dec_enum(struct snd_kcontrol *kcontrol, | ^~~~~~~~~~~~~~~~~~~~~ sound/soc/codecs/lpass-tx-macro.c:717:12: warning: 'tx_macro_mclk_event' defined but not used [-Wunused-function] 717 | static int tx_macro_mclk_event(struct snd_soc_dapm_widget *w, | ^~~~~~~~~~~~~~~~~~~ sound/soc/codecs/lpass-tx-macro.c:699:13: warning: 'tx_macro_mute_update_callback' defined but not used [-Wunused-function] 699 | static void tx_macro_mute_update_callback(struct work_struct *work) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ sound/soc/codecs/lpass-tx-macro.c:655:13: warning: 'tx_macro_tx_hpf_corner_freq_callback' defined but not used [-Wunused-function] 655 | static void tx_macro_tx_hpf_corner_freq_callback(struct work_struct *work) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sound/soc/codecs/lpass-tx-macro.c:587:35: warning: 'tx_regmap_config' defined but not used [-Wunused-const-variable=]
587 | static const struct regmap_config tx_regmap_config = { | ^~~~~~~~~~~~~~~~ In file included from include/sound/tlv.h:10, from sound/soc/codecs/lpass-tx-macro.c:13:
sound/soc/codecs/lpass-tx-macro.c:281:35: warning: 'digital_gain' defined but not used [-Wunused-const-variable=]
281 | static const DECLARE_TLV_DB_SCALE(digital_gain, -8400, 100, -8400); | ^~~~~~~~~~~~ include/uapi/sound/tlv.h:53:22: note: in definition of macro 'SNDRV_CTL_TLVD_DECLARE_DB_SCALE' 53 | unsigned int name[] = { \ | ^~~~ sound/soc/codecs/lpass-tx-macro.c:281:14: note: in expansion of macro 'DECLARE_TLV_DB_SCALE' 281 | static const DECLARE_TLV_DB_SCALE(digital_gain, -8400, 100, -8400); | ^~~~~~~~~~~~~~~~~~~~
vim +/tx_regmap_config +587 sound/soc/codecs/lpass-tx-macro.c
c39667ddcfc516 Srinivas Kandagatla 2021-02-11 586 c39667ddcfc516 Srinivas Kandagatla 2021-02-11 @587 static const struct regmap_config tx_regmap_config = { c39667ddcfc516 Srinivas Kandagatla 2021-02-11 588 .name = "tx_macro", c39667ddcfc516 Srinivas Kandagatla 2021-02-11 589 .reg_bits = 16, c39667ddcfc516 Srinivas Kandagatla 2021-02-11 590 .val_bits = 32, c39667ddcfc516 Srinivas Kandagatla 2021-02-11 591 .reg_stride = 4, c39667ddcfc516 Srinivas Kandagatla 2021-02-11 592 .cache_type = REGCACHE_FLAT, c39667ddcfc516 Srinivas Kandagatla 2021-02-11 593 .max_register = TX_MAX_OFFSET, c39667ddcfc516 Srinivas Kandagatla 2021-02-11 594 .reg_defaults = tx_defaults, c39667ddcfc516 Srinivas Kandagatla 2021-02-11 595 .num_reg_defaults = ARRAY_SIZE(tx_defaults), c39667ddcfc516 Srinivas Kandagatla 2021-02-11 596 .writeable_reg = tx_is_rw_register, c39667ddcfc516 Srinivas Kandagatla 2021-02-11 597 .volatile_reg = tx_is_volatile_register, c39667ddcfc516 Srinivas Kandagatla 2021-02-11 598 .readable_reg = tx_is_rw_register, c39667ddcfc516 Srinivas Kandagatla 2021-02-11 599 }; c39667ddcfc516 Srinivas Kandagatla 2021-02-11 600
participants (3)
-
kernel test robot -
Mark Brown -
Ravulapati Vishnu Vardhan Rao