From: Gergo Koteles
To: Shenghao Ding, Kevin Lu, Baojun Xu, Liam Girdwood, Mark Brown, Jaroslav Kysela, Takashi Iwai
Cc: linux-kernel@vger.kernel.org, alsa-devel@alsa-project.org, Gergo Koteles, stable@vger.kernel.org
Subject: [PATCH] ASoC: tas2781: check the validity of prm_no/cfg_no
Date: Thu, 14 Dec 2023 23:04:44 +0100
Message-ID: <523780155bfdca9bc0acd39efc79ed039454818d.1702591356.git.soyer@irl.hu>

Add additional checks for program/config numbers to avoid loading from
invalid addresses.

If prm_no/cfg_no is negative, skip uploading program/config.

The tas2781-hda driver caused a NULL pointer dereference after loading
module, and before first runtime_suspend.

The state was:
  tas_priv->cur_conf = -1;
  tas_priv->tasdevice[i].cur_conf = 0;
  program = &(tas_fmw->programs[-1]);

BUG: kernel NULL pointer dereference, address: 0000000000000010
Call Trace:
 ? __die+0x23/0x70
 ? page_fault_oops+0x171/0x4e0
 ? vprintk_emit+0x175/0x2b0
 ? exc_page_fault+0x7f/0x180
 ? asm_exc_page_fault+0x26/0x30
 ? tasdevice_load_block_kernel+0x21/0x310 [snd_soc_tas2781_fmwlib]
 tasdevice_select_tuningprm_cfg+0x268/0x3a0 [snd_soc_tas2781_fmwlib]
 tasdevice_tuning_switch+0x69/0x710 [snd_soc_tas2781_fmwlib]
 tas2781_hda_playback_hook+0xd4/0x110 [snd_hda_scodec_tas2781_i2c]

Fixes: 915f5eadebd2 ("ASoC: tas2781: firmware lib")
CC: stable@vger.kernel.org
Signed-off-by: Gergo Koteles
---
 sound/soc/codecs/tas2781-fmwlib.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/sound/soc/codecs/tas2781-fmwlib.c b/sound/soc/codecs/tas2781-fmwlib.c index eb55abae0d7b..1dfac9b2fca2 100644 --- a/sound/soc/codecs/tas2781-fmwlib.c +++ b/sound/soc/codecs/tas2781-fmwlib.c
@@ -2219,11 +2219,11 @@ int tasdevice_select_tuningprm_cfg(void *context, int prm_no, goto out; } - conf = &(tas_fmw->configs[cfg_no]); for (i = 0, prog_status = 0; i < tas_priv->ndev; i++) { if (cfg_info[rca_conf_no]->active_dev & (1 << i)) { - if (tas_priv->tasdevice[i].cur_prog != prm_no - || tas_priv->force_fwload_status) { + if (prm_no >= 0 + && (tas_priv->tasdevice[i].cur_prog != prm_no + || tas_priv->force_fwload_status)) { tas_priv->tasdevice[i].cur_conf = -1; tas_priv->tasdevice[i].is_loading = true; prog_status++; @@ -2258,7 +2258,8 @@ int tasdevice_select_tuningprm_cfg(void *context, int prm_no, } for (i = 0, status = 0; i < tas_priv->ndev; i++) { - if (tas_priv->tasdevice[i].cur_conf != cfg_no + if (cfg_no >= 0 + && tas_priv->tasdevice[i].cur_conf != cfg_no && (cfg_info[rca_conf_no]->active_dev & (1 << i)) && (tas_priv->tasdevice[i].is_loaderr == false)) { status++; @@ -2268,6 +2269,7 @@ int tasdevice_select_tuningprm_cfg(void *context, int prm_no, } if (status) { + conf = &(tas_fmw->configs[cfg_no]); status = 0; tasdevice_load_data(tas_priv, &(conf->dev_data)); for (i = 0; i < tas_priv->ndev; i++) { @@ -2311,7 +2313,7 @@ int tasdevice_prmg_load(void *context, int prm_no) } for (i = 0, prog_status = 0; i < tas_priv->ndev; i++) { - if (tas_priv->tasdevice[i].cur_prog != prm_no) { + if (prm_no >= 0 && tas_priv->tasdevice[i].cur_prog != prm_no) { tas_priv->tasdevice[i].cur_conf = -1; tas_priv->tasdevice[i].is_loading = true; prog_status++; @@ -2356,7 +2358,7 @@ int tasdevice_prmg_calibdata_load(void *context, int prm_no) } for (i = 0, prog_status = 0; i < tas_priv->ndev; i++) { - if (tas_priv->tasdevice[i].cur_prog != prm_no) { + if (prm_no >= 0 && tas_priv->tasdevice[i].cur_prog != prm_no) { tas_priv->tasdevice[i].cur_conf = -1; tas_priv->tasdevice[i].is_loading = true; prog_status++; base-commit: ffc253263a1375a65fa6c9f62a893e9767fbebfa -- 2.43.0
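
Review bot: in the first hunk of tasdevice_select_tuningprm_cfg() (@@ -2219), a negative prm_no now silently skips the program upload, but nothing in the code says that a negative value is an accepted "nothing selected" input. A short comment above the loop, or a kernel-doc line for the prm_no parameter, would record what the commit message states ("If prm_no/cfg_no is negative, skip uploading program/config"). The test also does not depend on i, so it could sit outside the per-device loop rather than inside the active_dev branch.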
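
Review bot: in the @@ -2268 hunk, the relocated "conf = &(tas_fmw->configs[cfg_no]);" is safe only because status can be non-zero solely when the "cfg_no >= 0" test added to the preceding loop has passed. That dependency is implicit, and a later change to the loop condition would bring the negative index back. Consider making the guard explicit at the point of use, for example "if (status && cfg_no >= 0)", or adding a comment at the assignment noting that a non-zero status implies a non-negative cfg_no.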
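
Review bot: the last two hunks add the same "prm_no >= 0 && ... cur_prog != prm_no" condition to tasdevice_prmg_load() and tasdevice_prmg_calibdata_load(), making it the third copy of this guard in the patch. A small helper, or a single check on prm_no before each loop, would keep the three sites from drifting apart. Only the lower bound is tested in the lines shown; if the upper bound against the number of programs is not already checked earlier in these functions, it belongs next to this test.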