ASoC: soc-pcm.c: Add NULL check in BE reparenting

Message ID 1669035895-12036-1-git-send-email-quic_srivasam@quicinc.com (mailing list archive)
State Accepted
Commit db8f91d424fe0ea6db337aca8bc05908bbce1498
Series ASoC: soc-pcm.c: Add NULL check in BE reparenting

Commit Message

Srinivasa Rao Mandadapu Nov. 21, 2022, 1:04 p.m. UTC
Add NULL check in dpcm_be_reparent API, to handle
kernel NULL pointer dereference error.

Signed-off-by: Srinivasa Rao Mandadapu <quic_srivasam@quicinc.com>
---
 sound/soc/soc-pcm.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Cezary Rojewski Nov. 21, 2022, 2:30 p.m. UTC | #1
On 2022-11-21 2:04 PM, Srinivasa Rao Mandadapu wrote:
> Add NULL check in dpcm_be_reparent API, to handle
> kernel NULL pointer dereference error.
> 
> Signed-off-by: Srinivasa Rao Mandadapu <quic_srivasam@quicinc.com>
> ---
>   sound/soc/soc-pcm.c | 2 ++
>   1 file changed, 2 insertions(+)
> 
> diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c
> index 493f003..a7810c7 100644
> --- a/sound/soc/soc-pcm.c
> +++ b/sound/soc/soc-pcm.c
> @@ -1247,6 +1247,8 @@ static void dpcm_be_reparent(struct snd_soc_pcm_runtime *fe,
>   		return;
>   
>   	be_substream = snd_soc_dpcm_get_substream(be, stream);
> +	if (!be_substream)
> +		return;
>   
>   	for_each_dpcm_fe(be, stream, dpcm) {
>   		if (dpcm->fe == fe)


Hello,

Could you provide reproduction steps that lead to null-ptr-deref popping 
up? Also, please drop '.c' in commit title.


Regards,
Czarek
Srinivasa Rao Mandadapu Nov. 22, 2022, 6:22 a.m. UTC | #2
On 11/21/2022 8:00 PM, Cezary Rojewski wrote:
Thanks for your time Cezary!!!
> On 2022-11-21 2:04 PM, Srinivasa Rao Mandadapu wrote:
>> Add NULL check in dpcm_be_reparent API, to handle
>> kernel NULL pointer dereference error.
>>
>> Signed-off-by: Srinivasa Rao Mandadapu <quic_srivasam@quicinc.com>
>> ---
>>   sound/soc/soc-pcm.c | 2 ++
>>   1 file changed, 2 insertions(+)
>>
>> diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c
>> index 493f003..a7810c7 100644
>> --- a/sound/soc/soc-pcm.c
>> +++ b/sound/soc/soc-pcm.c
>> @@ -1247,6 +1247,8 @@ static void dpcm_be_reparent(struct 
>> snd_soc_pcm_runtime *fe,
>>           return;
>>         be_substream = snd_soc_dpcm_get_substream(be, stream);
>> +    if (!be_substream)
>> +        return;
>>         for_each_dpcm_fe(be, stream, dpcm) {
>>           if (dpcm->fe == fe)
>
>
> Hello,
>
> Could you provide reproduction steps that lead to null-ptr-deref 
> popping up? Also, please drop '.c' in commit title.

Okay, will change the commit title.

Actually the issue occurred in an internal fuzzing test, and here is the 
crash report:

lahaina-asoc-snd soc:qcom,msm-audio-apr:qcom,q6core-audio:sound: ASoC: can't get capture BE for TX_AIF3 Capture
VoiceMMode1: ASoC: no BE found for TX_AIF3 Capture
voc_end_voice_call: Error: End voice called in state 0
==================================================================
Default lsm port
BUG: KASAN: null-ptr-deref in dpcm_be_reparent local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/sound/soc/soc-pcm.c:1325 [inline]
BUG: KASAN: null-ptr-deref in dpcm_be_disconnect+0x244/0x4ac local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/sound/soc/soc-pcm.c:1349
Write of size 8 at addr 0000000000000110 by task syz-executor/21515

==================================================================
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000110
afe_callback: cmd = 0x100fa returned error = 0x3
Mem abort info:
afe_apr_send_pkt: DSP returned error[ADSP_EUNSUPPORTED]
ESR = 0x96000046
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
Data abort info:
ISV = 0, ISS = 0x00000046
CM = 0, WnR = 1
user pgtable: 4k pages, 39-bit VAs, pgdp=0000000112c90000
[0000000000000110] pgd=00000000c97c2003, pud=00000000c97c2003, pmd=0000000000000000
Internal error: Oops: 96000046 [#1] PREEMPT SMP
Modules linked in: wlan(O) rmnet_ctl(O) rmnet_shs(O) rmnet_perf(O) gspca_main rmnet_core(O) sdhci_msm radio_i2c_rtc6226_qca machine_dlkm swr_haptics_dlkm swr_dmic_dlkm wcd938x_slave_dlkm wcd938x_dlkm mbhc_dlkm wcd9xxx_dlkm bt_fm_slim btpower tx_macro_dlkm rx_macro_dlkm va_macro_dlkm wsa_macro_dlkm swr_ctrl_dlkm bolero_cdc_dlkm wsa883x_dlkm wcd_core_dlkm stub_dlkm hdmi_dlkm swr_dlkm pinctrl_lpi_dlkm pinctrl_wcd_dlkm native_dlkm platform_dlkm q6_dlkm adsp_loader_dlkm apr_dlkm snd_event_dlkm q6_notifier_dlkm q6_pdr_dlkm
afe_loopback: AFE loopback failed -95
CPU: 4 PID: 21515 Comm: syz-executor Tainted: G S B W O 5.4.24-qgki-debug-ga12050df #1
Hardware name: Qualcomm Technologies, Inc. LahainaP MTP (DT)
pstate: 60400005 (nZCv daif +PAN -UAO)
pc : dpcm_be_reparent local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/sound/soc/soc-pcm.c:1325 [inline]
pc : dpcm_be_disconnect+0x244/0x4ac local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/sound/soc/soc-pcm.c:1349
lr : dpcm_be_reparent local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/sound/soc/soc-pcm.c:1325 [inline]
lr : dpcm_be_disconnect+0x244/0x4ac local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/sound/soc/soc-pcm.c:1349
sp : ffffff8062c3f970
x29: ffffff8062c3f9b0 x28: 000000000000052a
x27: ffffff8086a18800 x26: 0000000000000000
x25: ffffff80a6d7cc28 x24: ffffff80b7d93400
x23: ffffff80b7d93418 x22: ffffffd01364c000
x21: ffffff8080e83400 x20: ffffff804a658418
x19: ffffff8086a1d000 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000
x15: 0000000000000000 x14: 1ffffff018766ecc
x13: f3f3f300f1f1f1f1 x12: dfffffd000000000
x11: dfffffd000000000 x10: dfffffd000000000
x9 : 1af35d1dc23a6c00 x8 : 1af35d1dc23a6c00
afe_callback: cmd = 0x100fa returned error = 0x3
x7 : 0000000000000000 x6 : ffffff80c54462d4
afe_apr_send_pkt: DSP returned error[ADSP_EUNSUPPORTED]
x5 : 0000000000000000 x4 : 0000000000000000
x3 : ffffffd0102c5454 x2 : 0000000000000000
x1 : 0000000000000000 x0 : ffffff8037188040
Call trace:
dpcm_be_reparent local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/sound/soc/soc-pcm.c:1325 [inline]
dpcm_be_disconnect+0x244/0x4ac local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/sound/soc/soc-pcm.c:1349
dpcm_fe_dai_close+0x2f8/0x388 local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/sound/soc/soc-pcm.c:3232
snd_pcm_release_substream+0x21c/0x2b4 local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/sound/core/pcm_native.c:2447
snd_pcm_release+0x5c/0xd0 local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/sound/core/pcm_native.c:2623
__fput+0x180/0x3b8 local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/fs/file_table.c:280
____fput+0x1c/0x28 local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/fs/file_table.c:313
task_work_run+0xf8/0x124 local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/kernel/task_work.c:113
tracehook_notify_resume local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/include/linux/tracehook.h:188 [inline]
do_notify_resume+0xe7c/0xf08 local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/arch/arm64/kernel/signal.c:929
work_pending+0x8/0x14
Code: 97b3a26e f9408ab5 91044340 97b3a291 (f9008b55)
---[ end trace c9e29b4642e01da3 ]---

>
> Regards,
> Czarek

Patch

diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c
index 493f003..a7810c7 100644
--- a/sound/soc/soc-pcm.c
+++ b/sound/soc/soc-pcm.c
@@ -1247,6 +1247,8 @@  static void dpcm_be_reparent(struct snd_soc_pcm_runtime *fe,
 		return;
 
 	be_substream = snd_soc_dpcm_get_substream(be, stream);
+	if (!be_substream)
+		return;
 
 	for_each_dpcm_fe(be, stream, dpcm) {
 		if (dpcm->fe == fe)
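Review bot: the added `if (!be_substream) return;` is a silent early exit, and the crash report posted in the thread shows this path is reached only after the core has already complained that it "can't get capture BE for TX_AIF3 Capture" and then performed a write of size 8 at address 0x110 from dpcm_be_reparent, i.e. a store through a NULL be_substream. A bare return stops the oops but leaves the inconsistent FE/BE connection (a BE reparented for a stream direction it has no substream for) undiagnosable; consider a dev_dbg() or dev_err() on fe->dev that names the BE DAI link and the stream direction before returning, and state that trigger and the fuzzing origin in the commit message, which currently only says "to handle kernel NULL pointer dereference error". Also, as already noted in review, drop the ".c" from the subject line.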