diff mbox series

ALSA: pcm: fix out-of-bounds in snd_pcm_state_names

Message ID 20231206013139.20506-1-jason.zhang@rock-chips.com (mailing list archive)
State New, archived
Series ALSA: pcm: fix out-of-bounds in snd_pcm_state_names

Commit Message

Jason Zhang Dec. 6, 2023, 1:31 a.m. UTC
The pcm state can be SNDRV_PCM_STATE_DISCONNECTED at disconnect
callback, and there is not an entry of SNDRV_PCM_STATE_DISCONNECTED
in snd_pcm_state_names.

This patch adds the missing entry to resolve this issue.

cat /proc/asound/card2/pcm0p/sub0/status
That results in stack traces like the following:

[   99.702732][ T5171] Unexpected kernel BRK exception at EL1
[   99.702774][ T5171] Internal error: BRK handler: f2005512 [#1] PREEMPT SMP
[   99.703858][ T5171] Modules linked in: bcmdhd(E) (...)
[   99.747425][ T5171] CPU: 3 PID: 5171 Comm: cat Tainted: G         C OE     5.10.189-android13-4-00003-g4a17384380d8-ab11086999 #1
[   99.748447][ T5171] Hardware name: Rockchip RK3588 CVTE V10 Board (DT)
[   99.749024][ T5171] pstate: 60400005 (nZCv daif +PAN -UAO -TCO BTYPE=--)
[   99.749616][ T5171] pc : snd_pcm_substream_proc_status_read+0x264/0x2bc
[   99.750204][ T5171] lr : snd_pcm_substream_proc_status_read+0xa4/0x2bc
[   99.750778][ T5171] sp : ffffffc0175abae0
[   99.751132][ T5171] x29: ffffffc0175abb80 x28: ffffffc009a2c498
[   99.751665][ T5171] x27: 0000000000000001 x26: ffffff810cbae6e8
[   99.752199][ T5171] x25: 0000000000400cc0 x24: ffffffc0175abc60
[   99.752729][ T5171] x23: 0000000000000000 x22: ffffff802f558400
[   99.753263][ T5171] x21: ffffff81d8d8ff00 x20: ffffff81020cdc00
[   99.753795][ T5171] x19: ffffff802d110000 x18: ffffffc014fbd058
[   99.754326][ T5171] x17: 0000000000000000 x16: 0000000000000000
[   99.754861][ T5171] x15: 000000000000c276 x14: ffffffff9a976fda
[   99.755392][ T5171] x13: 0000000065689089 x12: 000000000000d72e
[   99.755923][ T5171] x11: ffffff802d110000 x10: 00000000000000e0
[   99.756457][ T5171] x9 : 9c431600c8385d00 x8 : 0000000000000008
[   99.756990][ T5171] x7 : 0000000000000000 x6 : 000000000000003f
[   99.757522][ T5171] x5 : 0000000000000040 x4 : ffffffc0175abb70
[   99.758056][ T5171] x3 : 0000000000000001 x2 : 0000000000000001
[   99.758588][ T5171] x1 : 0000000000000000 x0 : 0000000000000000
[   99.759123][ T5171] Call trace:
[   99.759404][ T5171]  snd_pcm_substream_proc_status_read+0x264/0x2bc
[   99.759958][ T5171]  snd_info_seq_show+0x54/0xa4
[   99.760370][ T5171]  seq_read_iter+0x19c/0x7d4
[   99.760770][ T5171]  seq_read+0xf0/0x128
[   99.761117][ T5171]  proc_reg_read+0x100/0x1f8
[   99.761515][ T5171]  vfs_read+0xf4/0x354
[   99.761869][ T5171]  ksys_read+0x7c/0x148
[   99.762226][ T5171]  __arm64_sys_read+0x20/0x30
[   99.762625][ T5171]  el0_svc_common+0xd0/0x1e4
[   99.763023][ T5171]  el0_svc+0x28/0x98
[   99.763358][ T5171]  el0_sync_handler+0x8c/0xf0
[   99.763759][ T5171]  el0_sync+0x1b8/0x1c0
[   99.764118][ T5171] Code: d65f03c0 b9406102 17ffffae 94191565 (d42aa240)
[   99.764715][ T5171] ---[ end trace 1eeffa3e17c58e10 ]---
[   99.780720][ T5171] Kernel panic - not syncing: BRK handler: Fatal exception

Signed-off-by: Jason Zhang <jason.zhang@rock-chips.com>
---
 sound/core/pcm.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Takashi Iwai Dec. 6, 2023, 7:20 a.m. UTC | #1
On Wed, 06 Dec 2023 02:31:39 +0100,
Jason Zhang wrote:
> 
> The pcm state can be SNDRV_PCM_STATE_DISCONNECTED at disconnect
> callback, and there is not an entry of SNDRV_PCM_STATE_DISCONNECTED
> in snd_pcm_state_names.
> 
> This patch adds the missing entry to resolve this issue.
> 
> cat /proc/asound/card2/pcm0p/sub0/status
> That results in stack traces like the following:
> 
> [   99.702732][ T5171] Unexpected kernel BRK exception at EL1
> [   99.702774][ T5171] Internal error: BRK handler: f2005512 [#1] PREEMPT SMP
> [   99.703858][ T5171] Modules linked in: bcmdhd(E) (...)
> [   99.747425][ T5171] CPU: 3 PID: 5171 Comm: cat Tainted: G         C OE     5.10.189-android13-4-00003-g4a17384380d8-ab11086999 #1
> [   99.748447][ T5171] Hardware name: Rockchip RK3588 CVTE V10 Board (DT)
> [   99.749024][ T5171] pstate: 60400005 (nZCv daif +PAN -UAO -TCO BTYPE=--)
> [   99.749616][ T5171] pc : snd_pcm_substream_proc_status_read+0x264/0x2bc
> [   99.750204][ T5171] lr : snd_pcm_substream_proc_status_read+0xa4/0x2bc
> [   99.750778][ T5171] sp : ffffffc0175abae0
> [   99.751132][ T5171] x29: ffffffc0175abb80 x28: ffffffc009a2c498
> [   99.751665][ T5171] x27: 0000000000000001 x26: ffffff810cbae6e8
> [   99.752199][ T5171] x25: 0000000000400cc0 x24: ffffffc0175abc60
> [   99.752729][ T5171] x23: 0000000000000000 x22: ffffff802f558400
> [   99.753263][ T5171] x21: ffffff81d8d8ff00 x20: ffffff81020cdc00
> [   99.753795][ T5171] x19: ffffff802d110000 x18: ffffffc014fbd058
> [   99.754326][ T5171] x17: 0000000000000000 x16: 0000000000000000
> [   99.754861][ T5171] x15: 000000000000c276 x14: ffffffff9a976fda
> [   99.755392][ T5171] x13: 0000000065689089 x12: 000000000000d72e
> [   99.755923][ T5171] x11: ffffff802d110000 x10: 00000000000000e0
> [   99.756457][ T5171] x9 : 9c431600c8385d00 x8 : 0000000000000008
> [   99.756990][ T5171] x7 : 0000000000000000 x6 : 000000000000003f
> [   99.757522][ T5171] x5 : 0000000000000040 x4 : ffffffc0175abb70
> [   99.758056][ T5171] x3 : 0000000000000001 x2 : 0000000000000001
> [   99.758588][ T5171] x1 : 0000000000000000 x0 : 0000000000000000
> [   99.759123][ T5171] Call trace:
> [   99.759404][ T5171]  snd_pcm_substream_proc_status_read+0x264/0x2bc
> [   99.759958][ T5171]  snd_info_seq_show+0x54/0xa4
> [   99.760370][ T5171]  seq_read_iter+0x19c/0x7d4
> [   99.760770][ T5171]  seq_read+0xf0/0x128
> [   99.761117][ T5171]  proc_reg_read+0x100/0x1f8
> [   99.761515][ T5171]  vfs_read+0xf4/0x354
> [   99.761869][ T5171]  ksys_read+0x7c/0x148
> [   99.762226][ T5171]  __arm64_sys_read+0x20/0x30
> [   99.762625][ T5171]  el0_svc_common+0xd0/0x1e4
> [   99.763023][ T5171]  el0_svc+0x28/0x98
> [   99.763358][ T5171]  el0_sync_handler+0x8c/0xf0
> [   99.763759][ T5171]  el0_sync+0x1b8/0x1c0
> [   99.764118][ T5171] Code: d65f03c0 b9406102 17ffffae 94191565 (d42aa240)
> [   99.764715][ T5171] ---[ end trace 1eeffa3e17c58e10 ]---
> [   99.780720][ T5171] Kernel panic - not syncing: BRK handler: Fatal exception
> 
> Signed-off-by: Jason Zhang <jason.zhang@rock-chips.com>

Thanks, applied now.

We should add range checks at the helper functions that access the
arrays, too.  I'll submit the patch later.


Takashi
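
The range check proposed in the reply above, sketched as an added user-space example (not code from the patch or from sound/core/pcm.c). The `demo_state` enum, the `names_short`/`names_fixed` tables and `lookup_name()` are hypothetical names chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical enum; the last value is reachable at run time. */
enum demo_state { DEMO_OPEN, DEMO_RUNNING, DEMO_SUSPENDED, DEMO_DISCONNECTED,
		  DEMO_STATE_LAST = DEMO_DISCONNECTED };

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define STATE(v) [DEMO_##v] = #v

/* "Before" shape: the size is implied by the initializer list, so the
 * missing DISCONNECTED entry leaves the table one element short. */
static const char * const names_short[] = {
	STATE(OPEN),
	STATE(RUNNING),
	STATE(SUSPENDED),
};

/* "After" shape: every enum value has an entry. */
static const char * const names_fixed[] = {
	STATE(OPEN),
	STATE(RUNNING),
	STATE(SUSPENDED),
	STATE(DISCONNECTED),
};

/* Build-time guard: fails to compile if a trailing entry is forgotten. */
_Static_assert(ARRAY_SIZE(names_fixed) == (size_t)DEMO_STATE_LAST + 1,
	       "name table must cover every state");

static const char unknown_name[] = "UNKNOWN";

/* Range-checked lookup: never reads outside the table and never returns
 * NULL, even for a hole left by a missing designated initializer. */
static const char *lookup_name(const char * const *tbl, size_t n, int state)
{
	if (state < 0 || (size_t)state >= n || !tbl[state])
		return unknown_name;
	return tbl[state];
}

int main(void)
{
	int s = DEMO_DISCONNECTED;

	printf("short table: %s\n", lookup_name(names_short, ARRAY_SIZE(names_short), s));
	printf("fixed table: %s\n", lookup_name(names_fixed, ARRAY_SIZE(names_fixed), s));
	return 0;
}
```
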

Patch

diff --git a/sound/core/pcm.c b/sound/core/pcm.c
index 20bb2d7c8d4b..6d0c9c37796c 100644
--- a/sound/core/pcm.c
+++ b/sound/core/pcm.c
@@ -253,6 +253,7 @@  static const char * const snd_pcm_state_names[] = {
 	STATE(DRAINING),
 	STATE(PAUSED),
 	STATE(SUSPENDED),
+	STATE(DISCONNECTED),
 };
 
 static const char * const snd_pcm_access_names[] = {
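
Review bot: snd_pcm_state_names[] in the @@ -253 hunk is still sized by its initializer list, so a future state added without a matching STATE() line would bring back the same out-of-bounds read. Consider giving the array an explicit size of SNDRV_PCM_STATE_LAST + 1, or placing a static_assert on its ARRAY_SIZE next to the table, and range-checking the index in the helper that reads it, as the reply in the thread proposes. The commit message also carries no Fixes: tag, which would help stable maintainers identify which kernels need the one-line change.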