1. 11 Sep, 2024 2 commits
    • ASoC: meson: axg-card: fix 'use-after-free' · 4f9a7143
      Arseniy Krasnov authored
      Buffer 'card->dai_link' is reallocated in 'meson_card_reallocate_links()',
      so move 'pad' pointer initialization after this function when memory is
      already reallocated.
      
      Kasan bug report:
      
      ==================================================================
      BUG: KASAN: slab-use-after-free in axg_card_add_link+0x76c/0x9bc
      Read of size 8 at addr ffff000000e8b260 by task modprobe/356
      
      CPU: 0 PID: 356 Comm: modprobe Tainted: G O 6.9.12-sdkernel #1
      Call trace:
       dump_backtrace+0x94/0xec
       show_stack+0x18/0x24
       dump_stack_lvl+0x78/0x90
       print_report+0xfc/0x5c0
       kasan_report+0xb8/0xfc
       __asan_load8+0x9c/0xb8
       axg_card_add_link+0x76c/0x9bc [snd_soc_meson_axg_sound_card]
       meson_card_probe+0x344/0x3b8 [snd_soc_meson_card_utils]
       platform_probe+0x8c/0xf4
       really_probe+0x110/0x39c
       __driver_probe_device+0xb8/0x18c
       driver_probe_device+0x108/0x1d8
       __driver_attach+0xd0/0x25c
       bus_for_each_dev+0xe0/0x154
       driver_attach+0x34/0x44
       bus_add_driver+0x134/0x294
       driver_register+0xa8/0x1e8
       __platform_driver_register+0x44/0x54
       axg_card_pdrv_init+0x20/0x1000 [snd_soc_meson_axg_sound_card]
       do_one_initcall+0xdc/0x25c
       do_init_module+0x10c/0x334
       load_module+0x24c4/0x26cc
       init_module_from_file+0xd4/0x128
       __arm64_sys_finit_module+0x1f4/0x41c
       invoke_syscall+0x60/0x188
       el0_svc_common.constprop.0+0x78/0x13c
       do_el0_svc+0x30/0x40
       el0_svc+0x38/0x78
       el0t_64_sync_handler+0x100/0x12c
       el0t_64_sync+0x190/0x194
      
      Fixes: 7864a79f ("ASoC: meson: add axg sound card support")
      Cc: Stable@vger.kernel.org
      Signed-off-by: Arseniy Krasnov <avkrasnov@salutedevices.com>
      Reviewed-by: Jerome Brunet <jbrunet@baylibre.com>
      Link: https://patch.msgid.link/20240911142425.598631-1-avkrasnov@salutedevices.com
      Signed-off-by: Mark Brown <broonie@kernel.org>
    • ASoC: codecs: avoid possible garbage value in peb2466_reg_read() · 38cc0334
      Su Hui authored
      Clang static checker (scan-build) warning:
      sound/soc/codecs/peb2466.c:232:8:
      Assigned value is garbage or undefined [core.uninitialized.Assign]
        232 |                 *val = tmp;
            |                      ^ ~~~
      
      When peb2466_read_byte() fails, 'tmp' will have a garbage value.
      Add a judgement to avoid this problem.
      
      Fixes: 227f609c ("ASoC: codecs: Add support for the Infineon PEB2466 codec")
      Signed-off-by: Su Hui <suhui@nfschina.com>
      Link: https://patch.msgid.link/20240911115448.277828-1-suhui@nfschina.com
      Signed-off-by: Mark Brown <broonie@kernel.org>
  2. 10 Sep, 2024 1 commit
  3. 09 Sep, 2024 1 commit
  4. 06 Sep, 2024 2 commits
  5. 30 Aug, 2024 1 commit
  6. 29 Aug, 2024 2 commits
  7. 28 Aug, 2024 2 commits
  8. 26 Aug, 2024 6 commits
  9. 23 Aug, 2024 4 commits
    • ASoC: tegra: Fix CBB error during probe() · 6781b962
      Mohan Kumar authored
      When Tegra audio drivers are built as part of the kernel image,
      TIMEOUT_ERR is observed from cbb-fabric. Following is seen on
      Jetson AGX Orin during boot:
      
      [    8.012482] **************************************
      [    8.017423] CPU:0, Error:cbb-fabric, Errmon:2
      [    8.021922]    Error Code            : TIMEOUT_ERR
      [    8.025966]    Overflow              : Multiple TIMEOUT_ERR
      [    8.030644]
      [    8.032175]    Error Code            : TIMEOUT_ERR
      [    8.036217]    MASTER_ID             : CCPLEX
      [    8.039722]    Address               : 0x290a0a8
      [    8.043318]    Cache                 : 0x1 -- Bufferable
      [    8.047630]    Protection            : 0x2 -- Unprivileged, Non-Secure, Data Access
      [    8.054628]    Access_Type           : Write
      
      [    8.106130] WARNING: CPU: 0 PID: 124 at drivers/soc/tegra/cbb/tegra234-cbb.c:604 tegra234_cbb_isr+0x134/0x178
      
      [    8.240602] Call trace:
      [    8.243126]  tegra234_cbb_isr+0x134/0x178
      [    8.247261]  __handle_irq_event_percpu+0x60/0x238
      [    8.252132]  handle_irq_event+0x54/0xb8
      
      These errors happen when MVC device, which is a child of AHUB
      device, tries to access its device registers. This happens as
      part of call tegra210_mvc_reset_vol_settings() in MVC device
      probe().
      
      The root cause of this problem is, the child MVC device gets
      probed before the AHUB clock gets enabled. The AHUB clock is
      enabled in runtime PM resume of parent AHUB device and due to
      the wrong sequence of pm_runtime_enable() in AHUB driver,
      runtime PM resume doesn't happen for AHUB device when MVC makes
      register access.
      
      Fix this by calling pm_runtime_enable() for parent AHUB device
      before of_platform_populate() in AHUB driver. This ensures that
      clock becomes available when MVC makes register access.
      
      Fixes: 16e1bcc2 ("ASoC: tegra: Add Tegra210 based AHUB driver")
      Signed-off-by: Mohan Kumar <mkumard@nvidia.com>
      Signed-off-by: Ritu Chaudhary <rituc@nvidia.com>
      Signed-off-by: Sameer Pujar <spujar@nvidia.com>
      Link: https://patch.msgid.link/20240823144342.4123814-3-spujar@nvidia.com
      Signed-off-by: Mark Brown <broonie@kernel.org>
    • ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object · b4a90b54
      robelin authored
      When using kernel with the following extra config,
      
        - CONFIG_KASAN=y
        - CONFIG_KASAN_GENERIC=y
        - CONFIG_KASAN_INLINE=y
        - CONFIG_KASAN_VMALLOC=y
        - CONFIG_FRAME_WARN=4096
      
      kernel detects that snd_pcm_suspend_all() accesses a freed
      'snd_soc_pcm_runtime' object when the system is suspended, which
      leads to a use-after-free bug:
      
      [   52.047746] BUG: KASAN: use-after-free in snd_pcm_suspend_all+0x1a8/0x270
      [   52.047765] Read of size 1 at addr ffff0000b9434d50 by task systemd-sleep/2330
      
      [   52.047785] Call trace:
      [   52.047787]  dump_backtrace+0x0/0x3c0
      [   52.047794]  show_stack+0x34/0x50
      [   52.047797]  dump_stack_lvl+0x68/0x8c
      [   52.047802]  print_address_description.constprop.0+0x74/0x2c0
      [   52.047809]  kasan_report+0x210/0x230
      [   52.047815]  __asan_report_load1_noabort+0x3c/0x50
      [   52.047820]  snd_pcm_suspend_all+0x1a8/0x270
      [   52.047824]  snd_soc_suspend+0x19c/0x4e0
      
      The snd_pcm_sync_stop() has a NULL check on 'substream->runtime' before
      making any access. So we need to always set 'substream->runtime' to NULL
      every time we kfree() it.
      
      Fixes: a72706ed ("ASoC: codec2codec: remove ephemeral variables")
      Signed-off-by: robelin <robelin@nvidia.com>
      Signed-off-by: Sameer Pujar <spujar@nvidia.com>
      Link: https://patch.msgid.link/20240823144342.4123814-2-spujar@nvidia.com
      Signed-off-by: Mark Brown <broonie@kernel.org>
    • ASoC: Intel: soc-acpi-cht: Make Lenovo Yoga Tab 3 X90F DMI match less strict · 839a4ec0
      Hans de Goede authored
      There are 2G and 4G RAM versions of the Lenovo Yoga Tab 3 X90F and it
      turns out that the 2G version has a DMI product name of
      "CHERRYVIEW D1 PLATFORM" whereas the 4G version has
      "CHERRYVIEW C0 PLATFORM". The sys-vendor + product-version check are
      unique enough that the product-name check is not necessary.
      
      Drop the product-name check so that the existing DMI match for the 4G
      RAM version also matches the 2G RAM version.
      Signed-off-by: Hans de Goede <hdegoede@redhat.com>
      Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
      Link: https://patch.msgid.link/20240823074305.16873-1-hdegoede@redhat.com
      Signed-off-by: Mark Brown <broonie@kernel.org>
    • ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards harder · 0cc65482
      Hans de Goede authored
      Since commit 13f58267 ("ASoC: soc.h: don't create dummy Component
      via COMP_DUMMY()") dummy codecs declared like this:
      
      SND_SOC_DAILINK_DEF(dummy,
              DAILINK_COMP_ARRAY(COMP_DUMMY()));
      
      expand to:
      
      static struct snd_soc_dai_link_component dummy[] = {
      };
      
      Which means that dummy is a zero sized array and thus dais[i].codecs should
      not be dereferenced *at all* since it points to the address of the next
      variable stored in the data section as the "dummy" variable has an address
      but no size, so even dereferencing dais[0] is already an out of bounds
      array reference.
      
      Which means that the if (dais[i].codecs->name) check added in
      commit 7d99a70b ("ASoC: Intel: Boards: Fix NULL pointer deref
      in BYT/CHT boards") relies on that the part of the next variable which
      the name member maps to just happens to be NULL.
      
      Which apparently so far it usually is, except when it isn't
      and then it results in crashes like this one:
      
      [   28.795659] BUG: unable to handle page fault for address: 0000000000030011
      ...
      [   28.795780] Call Trace:
      [   28.795787]  <TASK>
      ...
      [   28.795862]  ? strcmp+0x18/0x40
      [   28.795872]  0xffffffffc150c605
      [   28.795887]  platform_probe+0x40/0xa0
      ...
      [   28.795979]  ? __pfx_init_module+0x10/0x10 [snd_soc_sst_bytcr_wm5102]
      
      Really fix things this time around by checking dais.num_codecs != 0.
      
      Fixes: 7d99a70b ("ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards")
      Cc: stable@vger.kernel.org
      Signed-off-by: Hans de Goede <hdegoede@redhat.com>
      Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
      Link: https://patch.msgid.link/20240823074217.14653-1-hdegoede@redhat.com
      Signed-off-by: Mark Brown <broonie@kernel.org>
  10. 22 Aug, 2024 2 commits
  11. 21 Aug, 2024 2 commits
  12. 16 Aug, 2024 1 commit
  13. 15 Aug, 2024 1 commit
  14. 14 Aug, 2024 2 commits
  15. 13 Aug, 2024 4 commits
  16. 08 Aug, 2024 7 commits