1. 05 Apr, 2022 4 commits
    • Hui Wang's avatar
      ASoC: cs35l41: Fix a shift-out-of-bounds warning found by UBSAN · 0b3d5d2e
      Hui Wang authored
      We enabled UBSAN in the ubuntu kernel, and the cs35l41 driver triggers
      a warning calltrace like below:
      
      cs35l41-hda i2c-CSC3551:00-cs35l41-hda.0: bitoffset= 8, word_offset=23, bit_sum mod 32=0, otp_map[i].size = 24
      cs35l41-hda i2c-CSC3551:00-cs35l41-hda.0: bitoffset= 0, word_offset=24, bit_sum mod 32=24, otp_map[i].size = 0
      ================================================================================
      UBSAN: shift-out-of-bounds in linux-kernel-src/sound/soc/codecs/cs35l41-lib.c:836:8
      shift exponent 64 is too large for 64-bit type 'long unsigned int'
      CPU: 10 PID: 595 Comm: systemd-udevd Not tainted 5.15.0-23-generic #23
      Hardware name: LENOVO \x02MFG_IN_GO/\x02MFG_IN_GO, BIOS N3GET19W (1.00 ) 03/11/2022
      Call Trace:
       <TASK>
       show_stack+0x52/0x58
       dump_stack_lvl+0x4a/0x5f
       dump_stack+0x10/0x12
       ubsan_epilogue+0x9/0x45
       __ubsan_handle_shift_out_of_bounds.cold+0x61/0xef
       ? regmap_unlock_mutex+0xe/0x10
       cs35l41_otp_unpack.cold+0x1c6/0x2b2 [snd_soc_cs35l41_lib]
       cs35l41_hda_probe+0x24f/0x33a [snd_hda_scodec_cs35l41]
       cs35l41_hda_i2c_probe+0x65/0x90 [snd_hda_scodec_cs35l41_i2c]
      
      When both bitoffset and otp_map[i].size are 0, the line 836 will
      result in GENMASK(-1, 0), this triggers the shift-out-of-bounds
      calltrace.
      
      Here add a checking, if both bitoffset and otp_map[i].size are 0,
      do not run GENMASK() and directly set otp_val to 0, this will not
      bring any function change on the driver but could avoid the calltrace.
      Signed-off-by: default avatarHui Wang <hui.wang@canonical.com>
      Link: https://lore.kernel.org/r/20220324081839.62009-2-hui.wang@canonical.comSigned-off-by: default avatarMark Brown <broonie@kernel.org>
      0b3d5d2e
    • Hui Wang's avatar
      ASoC: cs35l41: Add one more variable in the debug log · c598ccfb
      Hui Wang authored
      otp_map[].size is a key variable to compute the value of otp_val and
      to update the bit_offset, it is helpful to debug if could put it in
      the debug log.
      Signed-off-by: default avatarHui Wang <hui.wang@canonical.com>
      Reviewed-by: default avatarLucas Tanure <tanureal@opensource.cirrus.com>
      Link: https://lore.kernel.org/r/20220324081839.62009-1-hui.wang@canonical.comSigned-off-by: default avatarMark Brown <broonie@kernel.org>
      c598ccfb
    • Xiaomeng Tong's avatar
      ASoC: rt5682: fix an incorrect NULL check on list iterator · c8618d65
      Xiaomeng Tong authored
      The bug is here:
      	if (!dai) {
      
      The list iterator value 'dai' will *always* be set and non-NULL
      by for_each_component_dais(), so it is incorrect to assume that
      the iterator value will be NULL if the list is empty or no element
      is found (In fact, it will be a bogus pointer to an invalid struct
      object containing the HEAD). Otherwise it will bypass the check
      'if (!dai) {' (never call dev_err() and never return -ENODEV;)
      and lead to invalid memory access lately when calling
      'rt5682_set_bclk1_ratio(dai, factor);'.
      
      To fix the bug, just return rt5682_set_bclk1_ratio(dai, factor);
      when found the 'dai', otherwise dev_err() and return -ENODEV;
      
      Cc: stable@vger.kernel.org
      Fixes: ebbfabc1 ("ASoC: rt5682: Add CCF usage for providing I2S clks")
      Signed-off-by: default avatarXiaomeng Tong <xiam0nd.tong@gmail.com>
      Link: https://lore.kernel.org/r/20220327081002.12684-1-xiam0nd.tong@gmail.comSigned-off-by: default avatarMark Brown <broonie@kernel.org>
      c8618d65
    • Xiaomeng Tong's avatar
      ASoC: soc-dapm: fix two incorrect uses of list iterator · f730a46b
      Xiaomeng Tong authored
      These two bug are here:
      	list_for_each_entry_safe_continue(w, n, list,
      					power_list);
      	list_for_each_entry_safe_continue(w, n, list,
      					power_list);
      
      After the list_for_each_entry_safe_continue() exits, the list iterator
      will always be a bogus pointer which point to an invalid struct objdect
      containing HEAD member. The funciton poniter 'w->event' will be a
      invalid value which can lead to a control-flow hijack if the 'w' can be
      controlled.
      
      The original intention was to continue the outer list_for_each_entry_safe()
      loop with the same entry if w->event is NULL, but misunderstanding the
      meaning of list_for_each_entry_safe_continue().
      
      So just add a 'continue;' to fix the bug.
      
      Cc: stable@vger.kernel.org
      Fixes: 163cac06 ("ASoC: Factor out DAPM sequence execution")
      Signed-off-by: default avatarXiaomeng Tong <xiam0nd.tong@gmail.com>
      Link: https://lore.kernel.org/r/20220329012134.9375-1-xiam0nd.tong@gmail.comSigned-off-by: default avatarMark Brown <broonie@kernel.org>
      f730a46b
  2. 04 Apr, 2022 5 commits
  3. 03 Apr, 2022 8 commits
  4. 02 Apr, 2022 23 commits