ASoC: rt1011: fix KASAN out-of-bounds bug in find_next_bit() #2179
Merged
kv2019i merged 1 commit into thesofproject:topic/sof-dev from Jun 15, 2020
3fda7ee to 6e8604f
ranj063
reviewed
Jun 9, 2020
6e8604f to 1b09e4b
ranj063
previously approved these changes
Jun 9, 2020
Collaborator
Author
Regarding the failure in the device test multiple-pipeline-capture.sh with CML_MANTIS_HDA, while multiple-pipeline-playback passed: the test case was 3x arecord + 1x aplay; one of the instances was not able to run, but there is no log to dig further. I don't think the failure is related to this PR.
lyakh
requested changes
Jun 10, 2020
1b09e4b to e076705
Collaborator
Author
@plbossart @ranj063
1970c6d to bb90e6f
Collaborator
Author
I worked on this this morning. I just found that I didn't push my last change. Sorry, just pushed now.
ranj063
reviewed
Jun 11, 2020
bb90e6f to 971d7ac
ranj063
previously approved these changes
Jun 11, 2020
plbossart
previously approved these changes
Jun 11, 2020
lyakh
requested changes
Jun 12, 2020
KASAN throws the following warning in rt1011.c:
[ 170.777603] BUG: KASAN: stack-out-of-bounds in _find_next_bit.constprop.0+0x3e/0xf0
find_next_bit() relies on unsigned long pointer arguments, but this driver uses a type cast that generates the KASAN warning. Replace find_next_bit() and find_last_bit() with __ffs() and __fls() to pass the value and avoid casting pointers to make the warning go away.
Signed-off-by: Fred Oh <fred.oh@linux.intel.com>
971d7ac to c9f7a3b
lyakh
approved these changes
Jun 15, 2020
plbossart
approved these changes
Jun 15, 2020
Collaborator
Thanks @fredoh9 !
find_next_bit() tries to access out of bounds of the unsigned int variables
rx_mask and tx_mask. Replace them with unsigned long variables to avoid
pointer casting. This is verified with KASAN.
The return value of find_next_bit() is unsigned long; this is irrelevant
to the KASAN bug. But when down casting happens, it at least better matches
with 'unsigned'.
KASAN bug fixed,
[ 170.777592] ==================================================================
[ 170.777603] BUG: KASAN: stack-out-of-bounds in _find_next_bit.constprop.0+0x3e/0xf0
[ 170.777608] Read of size 8 at addr ffff888202d6f530 by task aplay/1757
[ 170.777615] CPU: 0 PID: 1757 Comm: aplay Not tainted 5.7.0-rc7-test+ #3
[ 170.777617] Hardware name: Google Helios/Helios, BIOS 01/21/2020
[ 170.777618] Call Trace:
[ 170.777624] dump_stack+0x76/0xa0
[ 170.777629] print_address_description.constprop.0.cold+0xd3/0x43e
[ 170.777634] ? _raw_spin_lock_irqsave+0x7b/0xd0
[ 170.777637] ? _raw_spin_trylock_bh+0xf0/0xf0
[ 170.777640] ? _find_next_bit.constprop.0+0x3e/0xf0
[ 170.777643] __kasan_report.cold+0x37/0x86
[ 170.777647] ? regmap_readable+0xb0/0xc0
[ 170.777650] ? _find_next_bit.constprop.0+0x3e/0xf0
[ 170.777652] kasan_report+0x38/0x50
[ 170.777656] _find_next_bit.constprop.0+0x3e/0xf0
[ 170.777663] rt1011_set_tdm_slot+0x125/0x5d0 [snd_soc_rt1011]
[ 170.777669] ? rt1011_hw_params+0x2f0/0x2f0 [snd_soc_rt1011]
[ 170.777672] ? mutex_unlock+0x18/0x40
[ 170.777691] snd_soc_dai_set_tdm_slot+0x152/0x210 [snd_soc_core]
[ 170.777710] ? snd_soc_dai_set_fmt+0x80/0x80 [snd_soc_core]
[ 170.777717] cml_rt1011_hw_params+0x20c/0x320 [snd_soc_cml_rt1011_rt5682]
[ 170.777735] snd_soc_link_hw_params+0x59/0x90 [snd_soc_core]
[ 170.777752] soc_pcm_hw_params+0x42c/0xb10 [snd_soc_core]
[ 170.777771] ? soc_pcm_open+0xbd0/0xbd0 [snd_soc_core]
Signed-off-by: Fred Oh <fred.oh@linux.intel.com>
fixes: #2176
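The size mismatch behind the KASAN report and the value-based lookup that replaces it, as an added example that is not code from this pull request or the rt1011 driver. `overread_bytes()`, `first_set_bit()`, `last_set_bit()` and `mask_span()` are hypothetical userspace stand-ins, with GCC/Clang builtins taking the place of `__ffs()`/`__fls()`.

```c
/* Added example: userspace stand-ins, not the rt1011 driver code. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)

/* Bitmap helpers such as find_next_bit() walk whole unsigned long words.
 * Returns how many bytes beyond an unsigned int mask get read when its
 * address is cast to unsigned long * and nbits bits are searched. */
static size_t overread_bytes(size_t nbits)
{
    size_t words = (nbits + BITS_PER_LONG - 1) / BITS_PER_LONG;
    size_t need = words * sizeof(unsigned long);
    return need > sizeof(unsigned int) ? need - sizeof(unsigned int) : 0;
}

/* Stand-ins for __ffs()/__fls(): index of the lowest/highest set bit.
 * Like the kernel helpers, the result is undefined for word == 0. */
static unsigned int first_set_bit(unsigned long word)
{
    return (unsigned int)__builtin_ctzl(word);
}

static unsigned int last_set_bit(unsigned long word)
{
    return (unsigned int)(BITS_PER_LONG - 1 - (size_t)__builtin_clzl(word));
}

/* Value-based lookup: the mask is zero-extended when passed, so no pointer
 * is cast. An empty mask returns -1 instead of reaching the helpers. */
static int mask_span(unsigned int mask, unsigned int *first, unsigned int *last)
{
    if (mask == 0)
        return -1;
    *first = first_set_bit(mask);
    *last = last_set_bit(mask);
    return 0;
}

int main(void)
{
    unsigned int first = 0, last = 0;

    printf("over-read for a 4-bit search: %zu bytes\n", overread_bytes(4));
    if (mask_span(0x0Cu, &first, &last) == 0)
        printf("mask 0x0c: first=%u last=%u\n", first, last);
    return 0;
}
```

find_next_bit() returns the search size when no bit is set, while `__ffs()` and `__fls()` are undefined for a zero argument, so a value-based replacement needs the explicit empty-mask check shown in `mask_span()`.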