On Wed, 07 Sep 2022 03:18:00 +0200, Tasos Sahanidis wrote: > > The voice allocator sometimes begins allocating from near the end of the > array and then wraps around, however snd_emu10k1_pcm_channel_alloc() > accesses the newly allocated voices as if it never wrapped around. > > This results in out of bounds access if the first voice has a high enough > index so that first_voice + requested_voice_count > NUM_G (64). > The more voices are requested, the more likely it is for this to occur. > > This was initially discovered using PipeWire, however it can be reproduced > by calling aplay multiple times with 16 channels: > aplay -r 48000 -D plughw:CARD=Live,DEV=3 -c 16 /dev/zero > > UBSAN: array-index-out-of-bounds in sound/pci/emu10k1/emupcm.c:127:40 > index 65 is out of range for type 'snd_emu10k1_voice [64]' > CPU: 1 PID: 31977 Comm: aplay Tainted: G W IOE 6.0.0-rc2-emu10k1+ #7 > Hardware name: ASUSTEK COMPUTER INC P5W DH Deluxe/P5W DH Deluxe, BIOS 3002 07/22/2010 > Call Trace: > <TASK> > dump_stack_lvl+0x49/0x63 > dump_stack+0x10/0x16 > ubsan_epilogue+0x9/0x3f > __ubsan_handle_out_of_bounds.cold+0x44/0x49 > snd_emu10k1_playback_hw_params+0x3bc/0x420 [snd_emu10k1] > snd_pcm_hw_params+0x29f/0x600 [snd_pcm] > snd_pcm_common_ioctl+0x188/0x1410 [snd_pcm] > ? exit_to_user_mode_prepare+0x35/0x170 > ? do_syscall_64+0x69/0x90 > ? syscall_exit_to_user_mode+0x26/0x50 > ? do_syscall_64+0x69/0x90 > ? exit_to_user_mode_prepare+0x35/0x170 > snd_pcm_ioctl+0x27/0x40 [snd_pcm] > __x64_sys_ioctl+0x95/0xd0 > do_syscall_64+0x5c/0x90 > ? do_syscall_64+0x69/0x90 > ? do_syscall_64+0x69/0x90 > entry_SYSCALL_64_after_hwframe+0x63/0xcd > > Signed-off-by: Tasos Sahanidis <tasos@xxxxxxxxxxxx> Oh it's an old bug... Now applied. Thanks! Takashi