Re: [PATCH] ASoC: soc-pcm.c: Add NULL check in BE reparenting

On 11/21/2022 8:00 PM, Cezary Rojewski wrote:

Thanks for your time Cezary!!!

On 2022-11-21 2:04 PM, Srinivasa Rao Mandadapu wrote:

Add NULL check in dpcm_be_reparent API, to handle
kernel NULL pointer dereference error.

Signed-off-by: Srinivasa Rao Mandadapu <quic_srivasam@xxxxxxxxxxx>
---
  sound/soc/soc-pcm.c | 2 ++
  1 file changed, 2 insertions(+)

diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c
index 493f003..a7810c7 100644
--- a/sound/soc/soc-pcm.c
+++ b/sound/soc/soc-pcm.c
@@ -1247,6 +1247,8 @@ static void dpcm_be_reparent(struct snd_soc_pcm_runtime *fe,
          return;
        be_substream = snd_soc_dpcm_get_substream(be, stream);
+    if (!be_substream)
+        return;
        for_each_dpcm_fe(be, stream, dpcm) {
          if (dpcm->fe == fe)
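
Review bot: the early return added after snd_soc_dpcm_get_substream() is silent, and the commit message does not say which pointer was NULL or when a BE can have no substream for this stream direction. Please name be_substream in the commit message and include a trimmed form of the KASAN trace (dpcm_fe_dai_close -> dpcm_be_disconnect -> dpcm_be_reparent), and say whether skipping the for_each_dpcm_fe() reparenting loop is the intended outcome in that state or whether a dev_dbg() would help when it happens. The report quoted in this thread is from a 5.4.24 tree where the fault is at soc-pcm.c:1325, while this hunk applies at line 1247, so it is worth stating that the same path was checked on the tree being patched.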


Hello,

Could you provide reproduction steps that lead to null-ptr-deref popping up? Also, please drop '.c' in commit title.

Okay will change the comment title.

Actually, the issue occurred in an internal fuzzing test, and here is the crash report.

/lahaina-asoc-snd soc:qcom,msm-audio-apr:qcom,q6core-audio:sound: ASoC: can't get capture BE for TX_AIF3 Capture/
/VoiceMMode1: ASoC: no BE found for TX_AIF3 Capture/
/voc_end_voice_call: Error: End voice called in state 0/
/==================================================================/
/Default lsm port/
/BUG: KASAN: null-ptr-deref in dpcm_be_reparent local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/sound/soc/soc-pcm.c:1325 [inline]/
/BUG: KASAN: null-ptr-deref in dpcm_be_disconnect+0x244/0x4ac local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/sound/soc/soc-pcm.c:1349/
/Write of size 8 at addr 0000000000000110 by task syz-executor/21515/

/==================================================================/
/Unable to handle kernel NULL pointer dereference at virtual address 0000000000000110/
/afe_callback: cmd = 0x100fa returned error = 0x3/
/Mem abort info:/
/afe_apr_send_pkt: DSP returned error[ADSP_EUNSUPPORTED]/
/ESR = 0x96000046/
/EC = 0x25: DABT (current EL), IL = 32 bits/
/SET = 0, FnV = 0/
/EA = 0, S1PTW = 0/
/Data abort info:/
/ISV = 0, ISS = 0x00000046/
/CM = 0, WnR = 1/
/user pgtable: 4k pages, 39-bit VAs, pgdp=0000000112c90000/
/[0000000000000110] pgd=00000000c97c2003, pud=00000000c97c2003, pmd=0000000000000000/
/Internal error: Oops: 96000046 [#1] PREEMPT SMP/
/Modules linked in: wlan(O) rmnet_ctl(O) rmnet_shs(O) rmnet_perf(O) gspca_main rmnet_core(O) sdhci_msm radio_i2c_rtc6226_qca machine_dlkm swr_haptics_dlkm swr_dmic_dlkm wcd938x_slave_dlkm wcd938x_dlkm mbhc_dlkm wcd9xxx_dlkm bt_fm_slim btpower tx_macro_dlkm rx_macro_dlkm va_macro_dlkm wsa_macro_dlkm swr_ctrl_dlkm bolero_cdc_dlkm wsa883x_dlkm wcd_core_dlkm stub_dlkm hdmi_dlkm swr_dlkm pinctrl_lpi_dlkm pinctrl_wcd_dlkm native_dlkm platform_dlkm q6_dlkm adsp_loader_dlkm apr_dlkm snd_event_dlkm q6_notifier_dlkm q6_pdr_dlkm/
/afe_loopback: AFE loopback failed -95/
/CPU: 4 PID: 21515 Comm: syz-executor Tainted: G S B W O 5.4.24-qgki-debug-ga12050df #1/
/Hardware name: Qualcomm Technologies, Inc. LahainaP MTP (DT)/
/pstate: 60400005 (nZCv daif +PAN -UAO)/
/pc : dpcm_be_reparent local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/sound/soc/soc-pcm.c:1325 [inline]/
/pc : dpcm_be_disconnect+0x244/0x4ac local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/sound/soc/soc-pcm.c:1349/
/lr : dpcm_be_reparent local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/sound/soc/soc-pcm.c:1325 [inline]/
/lr : dpcm_be_disconnect+0x244/0x4ac local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/sound/soc/soc-pcm.c:1349/
/sp : ffffff8062c3f970/
/x29: ffffff8062c3f9b0 x28: 000000000000052a/
/x27: ffffff8086a18800 x26: 0000000000000000/
/x25: ffffff80a6d7cc28 x24: ffffff80b7d93400/
/x23: ffffff80b7d93418 x22: ffffffd01364c000/
/x21: ffffff8080e83400 x20: ffffff804a658418/
/x19: ffffff8086a1d000 x18: 0000000000000000/
/x17: 0000000000000000 x16: 0000000000000000/
/x15: 0000000000000000 x14: 1ffffff018766ecc/
/x13: f3f3f300f1f1f1f1 x12: dfffffd000000000/
/x11: dfffffd000000000 x10: dfffffd000000000/
/x9 : 1af35d1dc23a6c00 x8 : 1af35d1dc23a6c00/
/afe_callback: cmd = 0x100fa returned error = 0x3/
/x7 : 0000000000000000 x6 : ffffff80c54462d4/
/afe_apr_send_pkt: DSP returned error[ADSP_EUNSUPPORTED]/
/x5 : 0000000000000000 x4 : 0000000000000000/
/x3 : ffffffd0102c5454 x2 : 0000000000000000/
/x1 : 0000000000000000 x0 : ffffff8037188040/
/Call trace:/
/dpcm_be_reparent local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/sound/soc/soc-pcm.c:1325 [inline]/
/dpcm_be_disconnect+0x244/0x4ac local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/sound/soc/soc-pcm.c:1349/
/dpcm_fe_dai_close+0x2f8/0x388 local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/sound/soc/soc-pcm.c:3232/
/snd_pcm_release_substream+0x21c/0x2b4 local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/sound/core/pcm_native.c:2447/
/snd_pcm_release+0x5c/0xd0 local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/sound/core/pcm_native.c:2623/
/__fput+0x180/0x3b8 local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/fs/file_table.c:280/
/____fput+0x1c/0x28 local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/fs/file_table.c:313/
/task_work_run+0xf8/0x124 local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/kernel/task_work.c:113/
/tracehook_notify_resume local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/include/linux/tracehook.h:188 [inline]/
/do_notify_resume+0xe7c/0xf08 local/mnt/workspace/lnxbuild/project/snap_trees_in_use/free_tree_dir/checkout/kernel/msm-5.4/arch/arm64/kernel/signal.c:929/
/work_pending+0x8/0x14/
/Code: 97b3a26e f9408ab5 91044340 97b3a291 (f9008b55)/
/---[ end trace c9e29b4642e01da3 ]---/


Regards,
Czarek


