Patch "ASoC: hdac_hda: fix hda pcm buffer overflow issue" has been added to the 6.0-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 27 Nov 2022 14:08:07 -0500

This is a note to let you know that I've just added the patch titled

    ASoC: hdac_hda: fix hda pcm buffer overflow issue

to the 6.0-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     asoc-hdac_hda-fix-hda-pcm-buffer-overflow-issue.patch
and it can be found in the queue-6.0 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 0413d34adc5819256a4b0c624e15efe3bf0a54d2
Author: Junxiao Chang <junxiao.chang@xxxxxxxxx>
Date:   Thu Nov 10 07:40:23 2022 +0800

    ASoC: hdac_hda: fix hda pcm buffer overflow issue
    
    [ Upstream commit 37882100cd0629d830db430a8cee0b724fe1fea3 ]
    
    When KASAN is enabled, below log might be dumped with Intel EHL hardware:
    [   48.583597] ==================================================================
    [   48.585921] BUG: KASAN: slab-out-of-bounds in hdac_hda_dai_hw_params+0x20a/0x22b [snd_soc_hdac_hda]
    [   48.587995] Write of size 4 at addr ffff888103489708 by task pulseaudio/759
    
    [   48.589237] CPU: 2 PID: 759 Comm: pulseaudio Tainted: G     U      E     5.15.71-intel-ese-standard-lts #9
    [   48.591272] Hardware name: Intel Corporation Elkhart Lake Embedded Platform/ElkhartLake LPDDR4x T3 CRB, BIOS EHLSFWI1.R00.4251.A01.2206130432 06/13/2022
    [   48.593010] Call Trace:
    [   48.593648]  <TASK>
    [   48.593852]  dump_stack_lvl+0x34/0x48
    [   48.594404]  print_address_description.constprop.0+0x1f/0x140
    [   48.595174]  ? hdac_hda_dai_hw_params+0x20a/0x22b [snd_soc_hdac_hda]
    [   48.595868]  ? hdac_hda_dai_hw_params+0x20a/0x22b [snd_soc_hdac_hda]
    [   48.596519]  kasan_report.cold+0x7f/0x11b
    [   48.597003]  ? hdac_hda_dai_hw_params+0x20a/0x22b [snd_soc_hdac_hda]
    [   48.597885]  hdac_hda_dai_hw_params+0x20a/0x22b [snd_soc_hdac_hda]
    
    HDAC_LAST_DAI_ID is last index id, pcm buffer array size should
    be +1 to avoid out of bound access.
    
    Fixes: 608b8c36c371 ("ASoC: hdac_hda: add support for HDMI/DP as a HDA codec")
    Reviewed-by: Kai Vehmanen <kai.vehmanen@xxxxxxxxxxxxxxx>
    Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@xxxxxxxxxxxxxxx>
    Signed-off-by: Junxiao Chang <junxiao.chang@xxxxxxxxx>
    Signed-off-by: Furong Zhou <furong.zhou@xxxxxxxxx>
    Link: https://lore.kernel.org/r/20221109234023.3111035-1-junxiao.chang@xxxxxxxxx
    Signed-off-by: Mark Brown <broonie@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/sound/soc/codecs/hdac_hda.h b/sound/soc/codecs/hdac_hda.h
index fc19c34ca00e..b65560981abb 100644
--- a/sound/soc/codecs/hdac_hda.h
+++ b/sound/soc/codecs/hdac_hda.h
@@ -14,7 +14,7 @@ enum {
 	HDAC_HDMI_1_DAI_ID,
 	HDAC_HDMI_2_DAI_ID,
 	HDAC_HDMI_3_DAI_ID,
-	HDAC_LAST_DAI_ID = HDAC_HDMI_3_DAI_ID,
+	HDAC_DAI_ID_NUM
 };
 
 struct hdac_hda_pcm {
@@ -24,7 +24,7 @@ struct hdac_hda_pcm {
 
 struct hdac_hda_priv {
 	struct hda_codec *codec;
-	struct hdac_hda_pcm pcm[HDAC_LAST_DAI_ID];
+	struct hdac_hda_pcm pcm[HDAC_DAI_ID_NUM];
 	bool need_display_power;
 };
 






