Message ID | 1669035895-12036-1-git-send-email-quic_srivasam@quicinc.com (mailing list archive) |
---|---|
State | Accepted |
Commit | db8f91d424fe0ea6db337aca8bc05908bbce1498 |
Headers | show |
Series | ASoC: soc-pcm.c: Add NULL check in BE reparenting | expand |
On 2022-11-21 2:04 PM, Srinivasa Rao Mandadapu wrote: > Add NULL check in dpcm_be_reparent API, to handle > kernel NULL pointer dereference error. > > Signed-off-by: Srinivasa Rao Mandadapu <quic_srivasam@quicinc.com> > --- > sound/soc/soc-pcm.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c > index 493f003..a7810c7 100644 > --- a/sound/soc/soc-pcm.c > +++ b/sound/soc/soc-pcm.c > @@ -1247,6 +1247,8 @@ static void dpcm_be_reparent(struct snd_soc_pcm_runtime *fe, > return; > > be_substream = snd_soc_dpcm_get_substream(be, stream); > + if (!be_substream) > + return; > > for_each_dpcm_fe(be, stream, dpcm) { > if (dpcm->fe == fe) Hello, Could you provide reproduction steps that lead to null-ptr-deref popping up? Also, please drop '.c' in commit title. Regards, Czarek
On 11/21/2022 8:00 PM, Cezary Rojewski wrote: Thanks for your time Cezary!!! > On 2022-11-21 2:04 PM, Srinivasa Rao Mandadapu wrote: >> Add NULL check in dpcm_be_reparent API, to handle >> kernel NULL pointer dereference error. >> >> Signed-off-by: Srinivasa Rao Mandadapu <quic_srivasam@quicinc.com> >> --- >> sound/soc/soc-pcm.c | 2 ++ >> 1 file changed, 2 insertions(+) >> >> diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c >> index 493f003..a7810c7 100644 >> --- a/sound/soc/soc-pcm.c >> +++ b/sound/soc/soc-pcm.c >> @@ -1247,6 +1247,8 @@ static void dpcm_be_reparent(struct >> snd_soc_pcm_runtime *fe, >> return; >> be_substream = snd_soc_dpcm_get_substream(be, stream); >> + if (!be_substream) >> + return; >> for_each_dpcm_fe(be, stream, dpcm) { >> if (dpcm->fe == fe) > > > Hello, > > Could you provide reproduction steps that lead to null-ptr-deref > popping up? Also, please drop '.c' in commit title. Okay will change the comment title. Actually the issue occurred in internal fuzzing test. and here is the crash Report. /lahaina-asoc-snd soc:qcom,msm-audio-apr:qcom,q6core-audio:sound: ASoC: can't get capture BE for TX_AIF3 Capture/ /VoiceMMode1: ASoC: no BE found for TX_AIF3 Capture/ /voc_end_voice_call: Error: End voice called in state 0/ /==================================================================/ /Default lsm port/ /BUG: KASAN: null-ptr-deref in dpcm_be_reparent local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/sound/soc/soc-pcm.c:1325 [inline]/ /BUG: KASAN: null-ptr-deref in dpcm_be_disconnect+0x244/0x4ac local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/sound/soc/soc-pcm.c:1349/ /Write of size 8 at addr 0000000000000110 by task syz-executor/21515/ /==================================================================/ /Unable to handle kernel NULL pointer dereference at virtual address 0000000000000110/ /afe_callback: cmd = 0x100fa returned error = 0x3/ /Mem abort info:/ /afe_apr_send_pkt: DSP returned error[ADSP_EUNSUPPORTED]/ /ESR = 0x96000046/ /EC = 0x25: DABT (current EL), IL = 32 bits/ /SET = 0, FnV = 0/ /EA = 0, S1PTW = 0/ /Data abort info:/ /ISV = 0, ISS = 0x00000046/ /CM = 0, WnR = 1/ /user pgtable: 4k pages, 39-bit VAs, pgdp=0000000112c90000/ /[0000000000000110] pgd=00000000c97c2003, pud=00000000c97c2003, pmd=0000000000000000/ /Internal error: Oops: 96000046 [#1] PREEMPT SMP/ /Modules linked in: wlan(O) rmnet_ctl(O) rmnet_shs(O) rmnet_perf(O) gspca_main rmnet_core(O) sdhci_msm radio_i2c_rtc6226_qca machine_dlkm swr_haptics_dlkm swr_dmic_dlkm wcd938x_slave_dlkm wcd938x_dlkm mbhc_dlkm wcd9xxx_dlkm bt_fm_slim btpower tx_macro_dlkm rx_macro_dlkm va_macro_dlkm wsa_macro_dlkm swr_ctrl_dlkm bolero_cdc_dlkm wsa883x_dlkm wcd_core_dlkm stub_dlkm hdmi_dlkm swr_dlkm pinctrl_lpi_dlkm pinctrl_wcd_dlkm native_dlkm platform_dlkm q6_dlkm adsp_loader_dlkm apr_dlkm snd_event_dlkm q6_notifier_dlkm q6_pdr_dlkm/ /afe_loopback: AFE loopback failed -95/ /CPU: 4 PID: 21515 Comm: syz-executor Tainted: G S B W O 5.4.24-qgki-debug-ga12050df #1/ /Hardware name: Qualcomm Technologies, Inc. LahainaP MTP (DT)/ /pstate: 60400005 (nZCv daif +PAN -UAO)/ /pc : dpcm_be_reparent local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/sound/soc/soc-pcm.c:1325 [inline]/ /pc : dpcm_be_disconnect+0x244/0x4ac local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/sound/soc/soc-pcm.c:1349/ /lr : dpcm_be_reparent local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/sound/soc/soc-pcm.c:1325 [inline]/ /lr : dpcm_be_disconnect+0x244/0x4ac local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/sound/soc/soc-pcm.c:1349/ /sp : ffffff8062c3f970/ /x29: ffffff8062c3f9b0 x28: 000000000000052a/ /x27: ffffff8086a18800 x26: 0000000000000000/ /x25: ffffff80a6d7cc28 x24: ffffff80b7d93400/ /x23: ffffff80b7d93418 x22: ffffffd01364c000/ /x21: ffffff8080e83400 x20: ffffff804a658418/ /x19: ffffff8086a1d000 x18: 0000000000000000/ /x17: 0000000000000000 x16: 0000000000000000/ /x15: 0000000000000000 x14: 1ffffff018766ecc/ /x13: f3f3f300f1f1f1f1 x12: dfffffd000000000/ /x11: dfffffd000000000 x10: dfffffd000000000/ /x9 : 1af35d1dc23a6c00 x8 : 1af35d1dc23a6c00/ /afe_callback: cmd = 0x100fa returned error = 0x3/ /x7 : 0000000000000000 x6 : ffffff80c54462d4/ /afe_apr_send_pkt: DSP returned error[ADSP_EUNSUPPORTED]/ /x5 : 0000000000000000 x4 : 0000000000000000/ /x3 : ffffffd0102c5454 x2 : 0000000000000000/ /x1 : 0000000000000000 x0 : ffffff8037188040/ /Call trace:/ /dpcm_be_reparent local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/sound/soc/soc-pcm.c:1325 [inline]/ /dpcm_be_disconnect+0x244/0x4ac local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/sound/soc/soc-pcm.c:1349/ /dpcm_fe_dai_close+0x2f8/0x388 local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/sound/soc/soc-pcm.c:3232/ /snd_pcm_release_substream+0x21c/0x2b4 local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/sound/core/pcm_native.c:2447/ /snd_pcm_release+0x5c/0xd0 local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/sound/core/pcm_native.c:2623/ /__fput+0x180/0x3b8 local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/fs/file_table.c:280/ /____fput+0x1c/0x28 local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/fs/file_table.c:313/ /task_work_run+0xf8/0x124 local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/kernel/task_work.c:113/ /tracehook_notify_resume local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/include/linux/tracehook.h:188 [inline]/ /do_notify_resume+0xe7c/0xf08 local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/arch/arm64/kernel/signal.c:929/ /work_pending+0x8/0x14/ /Code: 97b3a26e f9408ab5 91044340 97b3a291 (f9008b55)/ /---[ end trace c9e29b4642e01da3 ]---/ > > Regards, > Czarek
diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c index 493f003..a7810c7 100644 --- a/sound/soc/soc-pcm.c +++ b/sound/soc/soc-pcm.c @@ -1247,6 +1247,8 @@ static void dpcm_be_reparent(struct snd_soc_pcm_runtime *fe, return; be_substream = snd_soc_dpcm_get_substream(be, stream); + if (!be_substream) + return; for_each_dpcm_fe(be, stream, dpcm) { if (dpcm->fe == fe)
Add NULL check in dpcm_be_reparent API, to handle kernel NULL pointer dereference error. Signed-off-by: Srinivasa Rao Mandadapu <quic_srivasam@quicinc.com> --- sound/soc/soc-pcm.c | 2 ++ 1 file changed, 2 insertions(+)