When we run syzkaller we get below Out of Bounds error.
"KASAN: slab-out-of-bounds Read in regcache_flat_read"
Below is the backtrace of the issue:
BUG: KASAN: slab-out-of-bounds in regcache_flat_read+0x10c/0x110
Read of size 4 at addr ffffff8088fbf714 by task syz-executor.4/14144
CPU: 6 PID: 14144 Comm: syz-executor.4 Tainted: G W
Hardware name: Qualcomm Technologies, Inc. sc7280 CRD platform (rev5+) (DT)
Call trace:
dump_backtrace+0x0/0x4ec
show_stack+0x34/0x50
dump_stack_lvl+0xdc/0x11c
print_address_description+0x30/0x2d8
kasan_report+0x178/0x1e4
__asan_report_load4_noabort+0x44/0x50
regcache_flat_read+0x10c/0x110
regcache_read+0xf8/0x5a0
_regmap_read+0x45c/0x86c
_regmap_update_bits+0x128/0x290
regmap_update_bits_base+0xc0/0x15c
snd_soc_component_update_bits+0xa8/0x22c
snd_soc_component_write_field+0x68/0xd4
tx_macro_put_dec_enum+0x1d0/0x268
snd_ctl_elem_write+0x288/0x474
By Error checking and checking valid values issue gets rectifies.
Signed-off-by: Ravulapati Vishnu Vardhan Rao <[email protected]>
---
sound/soc/codecs/lpass-tx-macro.c | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/sound/soc/codecs/lpass-tx-macro.c b/sound/soc/codecs/lpass-tx-macro.c
index da6fcf7f0991..6575b0bb6a47 100644
--- a/sound/soc/codecs/lpass-tx-macro.c
+++ b/sound/soc/codecs/lpass-tx-macro.c
@@ -746,6 +746,10 @@ static int tx_macro_put_dec_enum(struct snd_kcontrol *kcontrol,
struct tx_macro *tx = snd_soc_component_get_drvdata(component);
val = ucontrol->value.enumerated.item[0];
+ if (val < 0 && val > 15) {
+ dev_err(component->dev, "Wrong value for DMIC configuration");
+ return -EINVAL;
+ }
switch (e->reg) {
case CDC_TX_INP_MUX_ADC_MUX0_CFG0:
@@ -772,6 +776,9 @@ static int tx_macro_put_dec_enum(struct snd_kcontrol *kcontrol,
case CDC_TX_INP_MUX_ADC_MUX7_CFG0:
mic_sel_reg = CDC_TX7_TX_PATH_CFG0;
break;
+ default:
+ dev_err(component->dev, "Error in configuration!!\n");
+ return -EINVAL;
}
if (val != 0) {
@@ -785,13 +792,19 @@ static int tx_macro_put_dec_enum(struct snd_kcontrol *kcontrol,
snd_soc_component_write_field(component, mic_sel_reg,
CDC_TXn_ADC_DMIC_SEL_MASK, 1);
dmic = TX_ADC_TO_DMIC(val);
- dmic_clk_reg = CDC_TX_TOP_CSR_SWR_DMICn_CTL(dmic);
- snd_soc_component_write_field(component, dmic_clk_reg,
- CDC_TX_SWR_DMIC_CLK_SEL_MASK,
- tx->dmic_clk_div);
+ if (dmic < 4) {
+ dmic_clk_reg = CDC_TX_TOP_CSR_SWR_DMICn_CTL(dmic);
+ snd_soc_component_write_field(component, dmic_clk_reg,
+ CDC_TX_SWR_DMIC_CLK_SEL_MASK,
+ tx->dmic_clk_div);
+ } else {
+ dev_err(component->dev, "dmic for clk sel is wrong,
+ expected less than 4 but received %d\n", dmic);
+ return -EINVAL;
+ }
+
}
}
-
return snd_soc_dapm_put_enum_double(kcontrol, ucontrol);
}
--
2.17.1
On Tue, May 09, 2023 at 11:43:21AM +0530, Ravulapati Vishnu Vardhan Rao wrote:
> val = ucontrol->value.enumerated.item[0];
> + if (val < 0 && val > 15) {
> + dev_err(component->dev, "Wrong value for DMIC configuration");
> + return -EINVAL;
> + }
This allows userspace to spam the system logs, no error should be
printed for something like this which can be trivially triggered from
userspace.
Hi Ravulapati,
kernel test robot noticed the following build warnings:
[auto build test WARNING on broonie-sound/for-next]
[also build test WARNING on linus/master v6.4-rc1 next-20230509]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Ravulapati-Vishnu-Vardhan-Rao/ASoC-codecs-lpass-Fix-for-KASAN-use_after_free-out-of-bounds/20230509-141447
base: https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-next
patch link: https://lore.kernel.org/r/20230509061321.10218-1-quic_visr%40quicinc.com
patch subject: [PATCH] ASoC:codecs: lpass: Fix for KASAN use_after_free out of bounds
config: ia64-allyesconfig (https://download.01.org/0day-ci/archive/20230509/[email protected]/config)
compiler: ia64-linux-gcc (GCC) 12.1.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/intel-lab-lkp/linux/commit/83fb508f4eb95e9495f0e440b47226040e3b4efc
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Ravulapati-Vishnu-Vardhan-Rao/ASoC-codecs-lpass-Fix-for-KASAN-use_after_free-out-of-bounds/20230509-141447
git checkout 83fb508f4eb95e9495f0e440b47226040e3b4efc
# save the config file
mkdir build_dir && cp config build_dir/.config
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=ia64 olddefconfig
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=ia64 SHELL=/bin/bash sound/soc/
If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <[email protected]>
| Link: https://lore.kernel.org/oe-kbuild-all/[email protected]/
All warnings (new ones prefixed by >>):
sound/soc/codecs/lpass-tx-macro.c: In function 'tx_macro_put_dec_enum':
>> sound/soc/codecs/lpass-tx-macro.c:801:57: warning: missing terminating " character
801 | dev_err(component->dev, "dmic for clk sel is wrong,
| ^
sound/soc/codecs/lpass-tx-macro.c:802:79: warning: missing terminating " character
802 | expected less than 4 but received %d\n", dmic);
| ^
sound/soc/codecs/lpass-tx-macro.c:2199:23: error: unterminated argument list invoking macro "dev_err"
2199 | MODULE_LICENSE("GPL");
| ^
sound/soc/codecs/lpass-tx-macro.c:801:33: error: 'dev_err' undeclared (first use in this function); did you mean '_dev_err'?
801 | dev_err(component->dev, "dmic for clk sel is wrong,
| ^~~~~~~
| _dev_err
sound/soc/codecs/lpass-tx-macro.c:801:33: note: each undeclared identifier is reported only once for each function it appears in
sound/soc/codecs/lpass-tx-macro.c:801:40: error: expected ';' at end of input
801 | dev_err(component->dev, "dmic for clk sel is wrong,
| ^
| ;
......
sound/soc/codecs/lpass-tx-macro.c:801:33: error: expected declaration or statement at end of input
801 | dev_err(component->dev, "dmic for clk sel is wrong,
| ^~~~~~~
sound/soc/codecs/lpass-tx-macro.c:801:33: error: expected declaration or statement at end of input
sound/soc/codecs/lpass-tx-macro.c:788:19: note: '-Wmisleading-indentation' is disabled from this point onwards, since column-tracking was disabled due to the size of the code/headers
788 | } else if (val < 5) {
| ^~~~
sound/soc/codecs/lpass-tx-macro.c:788:19: note: adding '-flarge-source-files' will allow for more column-tracking support, at the expense of compilation time and memory
sound/soc/codecs/lpass-tx-macro.c:801:33: error: expected declaration or statement at end of input
801 | dev_err(component->dev, "dmic for clk sel is wrong,
| ^~~~~~~
sound/soc/codecs/lpass-tx-macro.c:801:33: error: expected declaration or statement at end of input
sound/soc/codecs/lpass-tx-macro.c: At top level:
sound/soc/codecs/lpass-tx-macro.c:737:12: warning: 'tx_macro_put_dec_enum' defined but not used [-Wunused-function]
737 | static int tx_macro_put_dec_enum(struct snd_kcontrol *kcontrol,
| ^~~~~~~~~~~~~~~~~~~~~
sound/soc/codecs/lpass-tx-macro.c:717:12: warning: 'tx_macro_mclk_event' defined but not used [-Wunused-function]
717 | static int tx_macro_mclk_event(struct snd_soc_dapm_widget *w,
| ^~~~~~~~~~~~~~~~~~~
sound/soc/codecs/lpass-tx-macro.c:699:13: warning: 'tx_macro_mute_update_callback' defined but not used [-Wunused-function]
699 | static void tx_macro_mute_update_callback(struct work_struct *work)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sound/soc/codecs/lpass-tx-macro.c:655:13: warning: 'tx_macro_tx_hpf_corner_freq_callback' defined but not used [-Wunused-function]
655 | static void tx_macro_tx_hpf_corner_freq_callback(struct work_struct *work)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sound/soc/codecs/lpass-tx-macro.c:587:35: warning: 'tx_regmap_config' defined but not used [-Wunused-const-variable=]
587 | static const struct regmap_config tx_regmap_config = {
| ^~~~~~~~~~~~~~~~
In file included from include/sound/tlv.h:10,
from sound/soc/codecs/lpass-tx-macro.c:13:
sound/soc/codecs/lpass-tx-macro.c:281:35: warning: 'digital_gain' defined but not used [-Wunused-const-variable=]
281 | static const DECLARE_TLV_DB_SCALE(digital_gain, -8400, 100, -8400);
| ^~~~~~~~~~~~
include/uapi/sound/tlv.h:53:22: note: in definition of macro 'SNDRV_CTL_TLVD_DECLARE_DB_SCALE'
53 | unsigned int name[] = { \
| ^~~~
sound/soc/codecs/lpass-tx-macro.c:281:14: note: in expansion of macro 'DECLARE_TLV_DB_SCALE'
281 | static const DECLARE_TLV_DB_SCALE(digital_gain, -8400, 100, -8400);
| ^~~~~~~~~~~~~~~~~~~~
vim +801 sound/soc/codecs/lpass-tx-macro.c
736
737 static int tx_macro_put_dec_enum(struct snd_kcontrol *kcontrol,
738 struct snd_ctl_elem_value *ucontrol)
739 {
740 struct snd_soc_dapm_widget *widget = snd_soc_dapm_kcontrol_widget(kcontrol);
741 struct snd_soc_component *component = snd_soc_dapm_to_component(widget->dapm);
742 struct soc_enum *e = (struct soc_enum *)kcontrol->private_value;
743 unsigned int val, dmic;
744 u16 mic_sel_reg;
745 u16 dmic_clk_reg;
746 struct tx_macro *tx = snd_soc_component_get_drvdata(component);
747
748 val = ucontrol->value.enumerated.item[0];
749 if (val < 0 && val > 15) {
750 dev_err(component->dev, "Wrong value for DMIC configuration");
751 return -EINVAL;
752 }
753
754 switch (e->reg) {
755 case CDC_TX_INP_MUX_ADC_MUX0_CFG0:
756 mic_sel_reg = CDC_TX0_TX_PATH_CFG0;
757 break;
758 case CDC_TX_INP_MUX_ADC_MUX1_CFG0:
759 mic_sel_reg = CDC_TX1_TX_PATH_CFG0;
760 break;
761 case CDC_TX_INP_MUX_ADC_MUX2_CFG0:
762 mic_sel_reg = CDC_TX2_TX_PATH_CFG0;
763 break;
764 case CDC_TX_INP_MUX_ADC_MUX3_CFG0:
765 mic_sel_reg = CDC_TX3_TX_PATH_CFG0;
766 break;
767 case CDC_TX_INP_MUX_ADC_MUX4_CFG0:
768 mic_sel_reg = CDC_TX4_TX_PATH_CFG0;
769 break;
770 case CDC_TX_INP_MUX_ADC_MUX5_CFG0:
771 mic_sel_reg = CDC_TX5_TX_PATH_CFG0;
772 break;
773 case CDC_TX_INP_MUX_ADC_MUX6_CFG0:
774 mic_sel_reg = CDC_TX6_TX_PATH_CFG0;
775 break;
776 case CDC_TX_INP_MUX_ADC_MUX7_CFG0:
777 mic_sel_reg = CDC_TX7_TX_PATH_CFG0;
778 break;
779 default:
780 dev_err(component->dev, "Error in configuration!!\n");
781 return -EINVAL;
782 }
783
784 if (val != 0) {
785 if (widget->shift) { /* MSM DMIC */
786 snd_soc_component_write_field(component, mic_sel_reg,
787 CDC_TXn_ADC_DMIC_SEL_MASK, 1);
788 } else if (val < 5) {
789 snd_soc_component_write_field(component, mic_sel_reg,
790 CDC_TXn_ADC_DMIC_SEL_MASK, 0);
791 } else {
792 snd_soc_component_write_field(component, mic_sel_reg,
793 CDC_TXn_ADC_DMIC_SEL_MASK, 1);
794 dmic = TX_ADC_TO_DMIC(val);
795 if (dmic < 4) {
796 dmic_clk_reg = CDC_TX_TOP_CSR_SWR_DMICn_CTL(dmic);
797 snd_soc_component_write_field(component, dmic_clk_reg,
798 CDC_TX_SWR_DMIC_CLK_SEL_MASK,
799 tx->dmic_clk_div);
800 } else {
> 801 dev_err(component->dev, "dmic for clk sel is wrong,
802 expected less than 4 but received %d\n", dmic);
803 return -EINVAL;
804 }
805
806 }
807 }
808 return snd_soc_dapm_put_enum_double(kcontrol, ucontrol);
809 }
810
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests
Hi Ravulapati,
kernel test robot noticed the following build warnings:
[auto build test WARNING on broonie-sound/for-next]
[also build test WARNING on linus/master v6.4-rc1 next-20230509]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Ravulapati-Vishnu-Vardhan-Rao/ASoC-codecs-lpass-Fix-for-KASAN-use_after_free-out-of-bounds/20230509-141447
base: https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-next
patch link: https://lore.kernel.org/r/20230509061321.10218-1-quic_visr%40quicinc.com
patch subject: [PATCH] ASoC:codecs: lpass: Fix for KASAN use_after_free out of bounds
config: x86_64-allmodconfig (https://download.01.org/0day-ci/archive/20230509/[email protected]/config)
compiler: gcc-11 (Debian 11.3.0-12) 11.3.0
reproduce (this is a W=1 build):
# https://github.com/intel-lab-lkp/linux/commit/83fb508f4eb95e9495f0e440b47226040e3b4efc
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Ravulapati-Vishnu-Vardhan-Rao/ASoC-codecs-lpass-Fix-for-KASAN-use_after_free-out-of-bounds/20230509-141447
git checkout 83fb508f4eb95e9495f0e440b47226040e3b4efc
# save the config file
mkdir build_dir && cp config build_dir/.config
make W=1 O=build_dir ARCH=x86_64 olddefconfig
make W=1 O=build_dir ARCH=x86_64 SHELL=/bin/bash sound/soc/
If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <[email protected]>
| Link: https://lore.kernel.org/oe-kbuild-all/[email protected]/
All warnings (new ones prefixed by >>):
sound/soc/codecs/lpass-tx-macro.c: In function 'tx_macro_put_dec_enum':
sound/soc/codecs/lpass-tx-macro.c:801:57: warning: missing terminating " character
801 | dev_err(component->dev, "dmic for clk sel is wrong,
| ^
sound/soc/codecs/lpass-tx-macro.c:802:79: warning: missing terminating " character
802 | expected less than 4 but received %d\n", dmic);
| ^
sound/soc/codecs/lpass-tx-macro.c:2199:23: error: unterminated argument list invoking macro "dev_err"
2199 | MODULE_LICENSE("GPL");
| ^
sound/soc/codecs/lpass-tx-macro.c:801:33: error: 'dev_err' undeclared (first use in this function); did you mean '_dev_err'?
801 | dev_err(component->dev, "dmic for clk sel is wrong,
| ^~~~~~~
| _dev_err
sound/soc/codecs/lpass-tx-macro.c:801:33: note: each undeclared identifier is reported only once for each function it appears in
sound/soc/codecs/lpass-tx-macro.c:801:40: error: expected ';' at end of input
801 | dev_err(component->dev, "dmic for clk sel is wrong,
| ^
| ;
......
sound/soc/codecs/lpass-tx-macro.c:801:33: error: expected declaration or statement at end of input
801 | dev_err(component->dev, "dmic for clk sel is wrong,
| ^~~~~~~
sound/soc/codecs/lpass-tx-macro.c:801:33: error: expected declaration or statement at end of input
sound/soc/codecs/lpass-tx-macro.c:788:19: note: '-Wmisleading-indentation' is disabled from this point onwards, since column-tracking was disabled due to the size of the code/headers
788 | } else if (val < 5) {
| ^~~~
sound/soc/codecs/lpass-tx-macro.c:788:19: note: adding '-flarge-source-files' will allow for more column-tracking support, at the expense of compilation time and memory
sound/soc/codecs/lpass-tx-macro.c:801:33: error: expected declaration or statement at end of input
801 | dev_err(component->dev, "dmic for clk sel is wrong,
| ^~~~~~~
sound/soc/codecs/lpass-tx-macro.c:801:33: error: expected declaration or statement at end of input
At top level:
sound/soc/codecs/lpass-tx-macro.c:737:12: warning: 'tx_macro_put_dec_enum' defined but not used [-Wunused-function]
737 | static int tx_macro_put_dec_enum(struct snd_kcontrol *kcontrol,
| ^~~~~~~~~~~~~~~~~~~~~
sound/soc/codecs/lpass-tx-macro.c:717:12: warning: 'tx_macro_mclk_event' defined but not used [-Wunused-function]
717 | static int tx_macro_mclk_event(struct snd_soc_dapm_widget *w,
| ^~~~~~~~~~~~~~~~~~~
sound/soc/codecs/lpass-tx-macro.c:699:13: warning: 'tx_macro_mute_update_callback' defined but not used [-Wunused-function]
699 | static void tx_macro_mute_update_callback(struct work_struct *work)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sound/soc/codecs/lpass-tx-macro.c:655:13: warning: 'tx_macro_tx_hpf_corner_freq_callback' defined but not used [-Wunused-function]
655 | static void tx_macro_tx_hpf_corner_freq_callback(struct work_struct *work)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> sound/soc/codecs/lpass-tx-macro.c:587:35: warning: 'tx_regmap_config' defined but not used [-Wunused-const-variable=]
587 | static const struct regmap_config tx_regmap_config = {
| ^~~~~~~~~~~~~~~~
In file included from include/sound/tlv.h:10,
from sound/soc/codecs/lpass-tx-macro.c:13:
>> sound/soc/codecs/lpass-tx-macro.c:281:35: warning: 'digital_gain' defined but not used [-Wunused-const-variable=]
281 | static const DECLARE_TLV_DB_SCALE(digital_gain, -8400, 100, -8400);
| ^~~~~~~~~~~~
include/uapi/sound/tlv.h:53:22: note: in definition of macro 'SNDRV_CTL_TLVD_DECLARE_DB_SCALE'
53 | unsigned int name[] = { \
| ^~~~
sound/soc/codecs/lpass-tx-macro.c:281:14: note: in expansion of macro 'DECLARE_TLV_DB_SCALE'
281 | static const DECLARE_TLV_DB_SCALE(digital_gain, -8400, 100, -8400);
| ^~~~~~~~~~~~~~~~~~~~
vim +/tx_regmap_config +587 sound/soc/codecs/lpass-tx-macro.c
c39667ddcfc516 Srinivas Kandagatla 2021-02-11 586
c39667ddcfc516 Srinivas Kandagatla 2021-02-11 @587 static const struct regmap_config tx_regmap_config = {
c39667ddcfc516 Srinivas Kandagatla 2021-02-11 588 .name = "tx_macro",
c39667ddcfc516 Srinivas Kandagatla 2021-02-11 589 .reg_bits = 16,
c39667ddcfc516 Srinivas Kandagatla 2021-02-11 590 .val_bits = 32,
c39667ddcfc516 Srinivas Kandagatla 2021-02-11 591 .reg_stride = 4,
c39667ddcfc516 Srinivas Kandagatla 2021-02-11 592 .cache_type = REGCACHE_FLAT,
c39667ddcfc516 Srinivas Kandagatla 2021-02-11 593 .max_register = TX_MAX_OFFSET,
c39667ddcfc516 Srinivas Kandagatla 2021-02-11 594 .reg_defaults = tx_defaults,
c39667ddcfc516 Srinivas Kandagatla 2021-02-11 595 .num_reg_defaults = ARRAY_SIZE(tx_defaults),
c39667ddcfc516 Srinivas Kandagatla 2021-02-11 596 .writeable_reg = tx_is_rw_register,
c39667ddcfc516 Srinivas Kandagatla 2021-02-11 597 .volatile_reg = tx_is_volatile_register,
c39667ddcfc516 Srinivas Kandagatla 2021-02-11 598 .readable_reg = tx_is_rw_register,
c39667ddcfc516 Srinivas Kandagatla 2021-02-11 599 };
c39667ddcfc516 Srinivas Kandagatla 2021-02-11 600
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests