Message ID | 1466855925-4404-1-git-send-email-me@bobcopeland.com (mailing list archive) |
---|---|
State | New, archived |
From | Bob Copeland <me@bobcopeland.com> |
To | Takashi Iwai <tiwai@suse.com>, Jaroslav Kysela <perex@perex.cz> |
Cc | alsa-devel@alsa-project.org, Bob Copeland <me@bobcopeland.com> |
Date | Sat, 25 Jun 2016 07:58:45 -0400 |
Subject | [alsa-devel] [PATCH] ALSA: hda - fix read before array start |
diff --git a/sound/pci/hda/hda_generic.c b/sound/pci/hda/hda_generic.c index 320445f3bf73..79c7b340acc2 100644 --- a/sound/pci/hda/hda_generic.c +++ b/sound/pci/hda/hda_generic.c @@ -3977,6 +3977,8 @@ static hda_nid_t set_path_power(struct hda_codec *codec, hda_nid_t nid, for (n = 0; n < spec->paths.used; n++) { path = snd_array_elem(&spec->paths, n); + if (!path->depth) + continue; if (path->path[0] == nid || path->path[path->depth - 1] == nid) { bool pin_old = path->pin_enabled;
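Review bot: The new `if (!path->depth) continue;` at the top of the loop body silently skips zero-depth entries, but nothing in the hunk says why an entry in spec->paths can have depth 0 when set_path_power() runs. A one-line comment above the check stating whether such entries are an expected state or a path that was never filled in would help the next reader, and would show whether the skip hides a problem in whatever populates the array. The check also covers only the lower bound of `path->path[path->depth - 1]`: the UBSAN report gives the array type as 'hda_nid_t [10]' and no visible line keeps depth at or below 10, so please confirm that bound is enforced where depth is set. If depth is a signed type, `path->depth <= 0` would also cover a negative value.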
UBSAN reports the following warning from accessing path->path[-1] in
set_path_power():

[ 16.078040] ================================================================================
[ 16.078124] UBSAN: Undefined behaviour in sound/pci/hda/hda_generic.c:3981:17
[ 16.078198] index -1 is out of range for type 'hda_nid_t [10]'
[ 16.078270] CPU: 2 PID: 1738 Comm: modprobe Not tainted 4.7.0-rc1-wt+ #47
[ 16.078274] Hardware name: LENOVO 3443CTO/3443CTO, BIOS G6ET23WW (1.02 ) 08/14/2012
[ 16.078278] ffff8800cb246000 ffff8800cb3638b8 ffffffff815c4fe3 0000000000000032
[ 16.078286] ffff8800cb3638e0 ffffffffffffffff ffff8800cb3638d0 ffffffff8162443d
[ 16.078294] ffffffffa0894200 ffff8800cb363920 ffffffff81624af7 0000000000000292
[ 16.078302] Call Trace:
[ 16.078311] [<ffffffff815c4fe3>] dump_stack+0x86/0xd3
[ 16.078317] [<ffffffff8162443d>] ubsan_epilogue+0xd/0x40
[ 16.078324] [<ffffffff81624af7>] __ubsan_handle_out_of_bounds+0x67/0x70
[ 16.078335] [<ffffffffa087665f>] set_path_power+0x1bf/0x230 [snd_hda_codec_generic]
[ 16.078344] [<ffffffffa087880d>] add_pin_power_ctls+0x8d/0xc0 [snd_hda_codec_generic]
[ 16.078352] [<ffffffffa087f190>] ? pin_power_down_callback+0x20/0x20 [snd_hda_codec_generic]
[ 16.078360] [<ffffffffa0878947>] add_all_pin_power_ctls+0x107/0x150 [snd_hda_codec_generic]
[ 16.078370] [<ffffffffa08842b3>] snd_hda_gen_parse_auto_config+0x2d73/0x49e0 [snd_hda_codec_generic]
[ 16.078376] [<ffffffff81173360>] ? trace_hardirqs_on_caller+0x1b0/0x2c0
[ 16.078390] [<ffffffffa089df27>] alc_parse_auto_config+0x147/0x310 [snd_hda_codec_realtek]
[ 16.078402] [<ffffffffa08a332a>] patch_alc269+0x23a/0x560 [snd_hda_codec_realtek]
[ 16.078417] [<ffffffffa0838644>] hda_codec_driver_probe+0xa4/0x1a0 [snd_hda_codec]
[ 16.078424] [<ffffffff817bbac1>] driver_probe_device+0x101/0x380
[ 16.078430] [<ffffffff817bbdf9>] __driver_attach+0xb9/0x100
[ 16.078438] [<ffffffff817bbd40>] ? driver_probe_device+0x380/0x380
[ 16.078444] [<ffffffff817b8d20>] bus_for_each_dev+0x70/0xc0
[ 16.078449] [<ffffffff817bb087>] driver_attach+0x27/0x50
[ 16.078454] [<ffffffff817ba956>] bus_add_driver+0x166/0x2c0
[ 16.078460] [<ffffffffa0369000>] ? 0xffffffffa0369000
[ 16.078465] [<ffffffff817bd13d>] driver_register+0x7d/0x130
[ 16.078477] [<ffffffffa083816f>] __hda_codec_driver_register+0x6f/0x90 [snd_hda_codec]
[ 16.078488] [<ffffffffa036901e>] realtek_driver_init+0x1e/0x1000 [snd_hda_codec_realtek]
[ 16.078493] [<ffffffff8100215e>] do_one_initcall+0x4e/0x1d0
[ 16.078499] [<ffffffff8119f54d>] ? rcu_read_lock_sched_held+0x6d/0x80
[ 16.078504] [<ffffffff813701b1>] ? kmem_cache_alloc_trace+0x391/0x560
[ 16.078510] [<ffffffff812bb314>] ? do_init_module+0x28/0x273
[ 16.078515] [<ffffffff812bb387>] do_init_module+0x9b/0x273
[ 16.078522] [<ffffffff811e3782>] load_module+0x20b2/0x3410
[ 16.078527] [<ffffffff811df140>] ? m_show+0x210/0x210
[ 16.078533] [<ffffffff813b2b26>] ? kernel_read+0x66/0xe0
[ 16.078541] [<ffffffff811e4cfa>] SYSC_finit_module+0xba/0xc0
[ 16.078547] [<ffffffff811e4d1e>] SyS_finit_module+0xe/0x10
[ 16.078552] [<ffffffff81a860fc>] entry_SYSCALL_64_fastpath+0x1f/0xbd
[ 16.078556] ================================================================================

Fix by checking path->depth before use.

Signed-off-by: Bob Copeland <me@bobcopeland.com>
---
 sound/pci/hda/hda_generic.c | 2 ++
 1 file changed, 2 insertions(+)