Date: Wed, 02 Jun 2021 16:24:13 +0200
From: Takashi Iwai
To: Jaroslav Kysela
Cc: Dongliang Mu, allen.lkml@gmail.com, alsa-devel@alsa-project.org, Joe Perches, linux-kernel, pierre-louis.bossart@linux.intel.com, romain.perier@gmail.com, syzkaller-bugs, tiwai@suse.com
Subject: Re: [syzbot] UBSAN: shift-out-of-bounds in snd_timer_user_ccallback
In-Reply-To: <5c3fbdf8-bfa3-a50e-edb9-81fbce84d9cb@perex.cz>
References: <5c3fbdf8-bfa3-a50e-edb9-81fbce84d9cb@perex.cz>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 02 Jun 2021 16:19:13 +0200,
Jaroslav Kysela wrote:
>
> On 02. 06. 21 15:18, Dongliang Mu wrote:
> >> Hello,
> >>
> >> syzbot found the following issue on:
> >>
> >> HEAD commit:    5ff2756a Merge tag 'nfs-for-5.13-2' of git://git.linux-nfs..
> >> git tree:       upstream
> >> console output: https://syzkaller.appspot.com/x/log.txt?x=17872d5bd00000
> >> kernel config:  https://syzkaller.appspot.com/x/.config?x=770708ea7cfd4916
> >> dashboard link: https://syzkaller.appspot.com/bug?extid=d102fa5b35335a7e544e
> >>
> >> Unfortunately, I don't have any reproducer for this issue yet.
> >>
> >> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> >> Reported-by: syzbot+d102fa...@syzkaller.appspotmail.com
> >>
> >> ================================================================================
> >> UBSAN: shift-out-of-bounds in sound/core/timer.c:1376:23
> >> shift exponent 105 is too large for 32-bit type 'int'
> >> CPU: 1 PID: 10368 Comm: syz-executor.1 Not tainted 5.13.0-rc3-syzkaller #0
> >> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> >> Call Trace:
> >>  __dump_stack lib/dump_stack.c:79 [inline]
> >>  dump_stack+0x141/0x1d7 lib/dump_stack.c:120
> >>  ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
> >>  __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327
> >>  snd_timer_user_ccallback.cold+0x19/0x1e sound/core/timer.c:1376
> >>
> >>  snd_timer_notify1+0x243/0x3b0 sound/core/timer.c:525
> >
> > The root cause of this bug is in the snd_timer_notify1 [1]. At the end
> > of this function, it calls "ts->ccallback(ts, event + 100, &tstamp,
> > resolution)".
> >
> > Here the variable event is 5. It adds 100 and is passed as the 2nd
> > argument of snd_timer_user_ccallback.
> >
> > From the variable naming, the 2nd argument should be an event, and in the
> > range of the event enumeration. In fact, 105 (event + 100) is out of this
> > range. I don't quite understand the meaning of adding 100. Any thought
> > here?
>
> It seems that the original intent was to move the event to the M... events:
>
> SNDRV_TIMER_EVENT_MSTART = SNDRV_TIMER_EVENT_START + 10,
>
> So the added value should be 10, which should not break the shift range (8
> /resume/ + 10 = 18).

I've already submitted the fix patch, but it doesn't seem to be reaching
the ML properly.  Hmm.  Will resend.


Takashi
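As an added illustration of the event arithmetic discussed in this thread (example code written for this page, not code from sound/core/timer.c or from anyone in the thread): the enum below follows the SNDRV_TIMER_EVENT_* numbering from the uapi header as I recall it, which is an assumption here; the thread itself only confirms that MSTART = START + 10, that the reported event is 5, and that resume is 8. The filter-mask test is a simplified stand-in for the check at timer.c:1376, written to show why an offset of 100 lands outside a 32-bit mask while an offset of 10 does not, and what a bounds check before the shift looks like.

```c
/* Added example: models the master-event offset and the filter-mask
 * shift from the syzbot report. Not kernel code. The enum values are an
 * assumption (they mirror the uapi SNDRV_TIMER_EVENT_* numbering as I
 * recall it); the thread confirms only MSTART = START + 10, event 5 and
 * resume = 8. */
#include <stdio.h>
#include <limits.h>

enum {
	TIMER_EVENT_RESOLUTION = 0,
	TIMER_EVENT_TICK,
	TIMER_EVENT_START,		/* 2 */
	TIMER_EVENT_STOP,
	TIMER_EVENT_CONTINUE,
	TIMER_EVENT_PAUSE,		/* 5: the value in the report */
	TIMER_EVENT_EARLY,
	TIMER_EVENT_SUSPEND,
	TIMER_EVENT_RESUME,		/* 8: "8 /resume/" in the reply */
	/* master-timer variants: the slave event + 10 */
	TIMER_EVENT_MSTART = TIMER_EVENT_START + 10,
	TIMER_EVENT_MSTOP = TIMER_EVENT_STOP + 10,
	TIMER_EVENT_MCONTINUE = TIMER_EVENT_CONTINUE + 10,
	TIMER_EVENT_MPAUSE = TIMER_EVENT_PAUSE + 10,
	TIMER_EVENT_MSUSPEND = TIMER_EVENT_SUSPEND + 10,
	TIMER_EVENT_MRESUME = TIMER_EVENT_RESUME + 10,
};

/* Width of the filter mask: 32 bits for an unsigned int. */
#define FILTER_BITS ((int)(sizeof(unsigned int) * CHAR_BIT))

/* The offset the report says snd_timer_notify1() applies. */
int master_event_buggy(int event)
{
	return event + 100;
}

/* The offset the reply says was intended (matches the M* enum values). */
int master_event_fixed(int event)
{
	return event + 10;
}

/* True when (1u << event) is well-defined for a 32-bit mask. */
int shift_in_range(int event)
{
	return event >= 0 && event < FILTER_BITS;
}

/* Unchecked filter test: shifts by whatever event it is handed. With
 * event == 105 this is the shape of shift UBSAN flagged. Kept as the
 * 'before' form; it is only safe for a validated event. */
int filter_accepts_unchecked(unsigned int filter, int event)
{
	return (filter & (1u << event)) != 0;
}

/* Hardened filter test: an event outside the mask is rejected before
 * the shift happens, so a bad caller can never trigger the UB. */
int filter_accepts(unsigned int filter, int event)
{
	if (!shift_in_range(event))
		return 0;
	return (filter & (1u << event)) != 0;
}

int main(void)
{
	/* Constructed filter: a listener interested in master pause/resume. */
	unsigned int filter = (1u << TIMER_EVENT_MPAUSE) |
			      (1u << TIMER_EVENT_MRESUME);
	int ev = TIMER_EVENT_PAUSE;

	printf("event %d + 100 = %d, shift in range: %d\n",
	       ev, master_event_buggy(ev),
	       shift_in_range(master_event_buggy(ev)));
	printf("event %d + 10 = %d (MPAUSE = %d), shift in range: %d\n",
	       ev, master_event_fixed(ev), TIMER_EVENT_MPAUSE,
	       shift_in_range(master_event_fixed(ev)));
	printf("resume %d + 10 = %d (MRESUME = %d)\n",
	       TIMER_EVENT_RESUME, master_event_fixed(TIMER_EVENT_RESUME),
	       TIMER_EVENT_MRESUME);
	printf("hardened filter accepts %d: %d\n",
	       master_event_buggy(ev),
	       filter_accepts(filter, master_event_buggy(ev)));
	printf("hardened filter accepts %d: %d\n",
	       master_event_fixed(ev),
	       filter_accepts(filter, master_event_fixed(ev)));
	return 0;
}
```

Building this with -fsanitize=undefined and calling filter_accepts_unchecked() with 105 reproduces the same kind of "shift exponent 105 is too large for 32-bit type" diagnostic in userland; filter_accepts() returns 0 for that input without ever shifting. The +10 offset keeps every slave event (at most 8) inside the mask, as the reply's 8 + 10 = 18 arithmetic shows.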