diff mbox series

ASoC: dapm: fix bounds checker error in dapm_widget_list_create

Message ID 20241028-soc-dapm-bounds-checker-fix-v1-1-262b0394e89e@google.com (mailing list archive)
State Accepted
Commit 2ef9439f7a19fd3d43b288d38b1c6e55b668a4fe
Headers show
Series ASoC: dapm: fix bounds checker error in dapm_widget_list_create | expand

Commit Message

Aleksei Vetrov Oct. 28, 2024, 10:50 p.m. UTC
The widgets array in the snd_soc_dapm_widget_list has a __counted_by
attribute attached to it, which points to the num_widgets variable. This
attribute is used in bounds checking, and if it is not set before the
array is filled, then the bounds sanitizer will issue a warning or a
kernel panic if CONFIG_UBSAN_TRAP is set.

This patch sets the size of the widgets list calculated with
list_for_each as the initial value for num_widgets as it is used for
allocating memory for the array. It is updated with the actual number of
added elements after the array is filled.

Signed-off-by: Aleksei Vetrov <vvvvvv@google.com>
---
 sound/soc/soc-dapm.c | 2 ++
 1 file changed, 2 insertions(+)


---
base-commit: 81983758430957d9a5cb3333fe324fd70cf63e7e
change-id: 20241028-soc-dapm-bounds-checker-fix-5bae621455b2

Best regards,

Comments

Gustavo A. R. Silva Oct. 28, 2024, 10:58 p.m. UTC | #1
On 28/10/24 16:50, Aleksei Vetrov wrote:
> The widgets array in the snd_soc_dapm_widget_list has a __counted_by
> attribute attached to it, which points to the num_widgets variable. This
> attribute is used in bounds checking, and if it is not set before the
> array is filled, then the bounds sanitizer will issue a warning or a
> kernel panic if CONFIG_UBSAN_TRAP is set.
> 
> This patch sets the size of the widgets list calculated with
> list_for_each as the initial value for num_widgets as it is used for
> allocating memory for the array. It is updated with the actual number of
> added elements after the array is filled.

As in the previous patch, this should include the following tag
(and probably CC stable):

Fixes: 80e698e2df5b ("ASoC: soc-dapm: Annotate struct snd_soc_dapm_widget_list with __counted_by")

Thanks
Kees Cook Oct. 28, 2024, 11:45 p.m. UTC | #2
On Mon, Oct 28, 2024 at 04:58:58PM -0600, Gustavo A. R. Silva wrote:
> 
> 
> On 28/10/24 16:50, Aleksei Vetrov wrote:
> > The widgets array in the snd_soc_dapm_widget_list has a __counted_by
> > attribute attached to it, which points to the num_widgets variable. This
> > attribute is used in bounds checking, and if it is not set before the
> > array is filled, then the bounds sanitizer will issue a warning or a
> > kernel panic if CONFIG_UBSAN_TRAP is set.
> > 
> > This patch sets the size of the widgets list calculated with
> > list_for_each as the initial value for num_widgets as it is used for
> > allocating memory for the array. It is updated with the actual number of
> > added elements after the array is filled.
> 
> As in the previous patch, this should include the following tag
> (and probably CC stable):
> 
> Fixes: 80e698e2df5b ("ASoC: soc-dapm: Annotate struct snd_soc_dapm_widget_list with __counted_by")

Whoops! My mistake. :) Thanks for catching this one!

Reviewed-by: Kees Cook <kees@kernel.org>

-Kees

> 
> Thanks
> -- 
> Gustavo
> 
> > 
> > Signed-off-by: Aleksei Vetrov <vvvvvv@google.com>
> > ---
> >   sound/soc/soc-dapm.c | 2 ++
> >   1 file changed, 2 insertions(+)
> > 
> > diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
> > index c34934c31ffec3970b34b24dcaa0826dfb7d8e86..99521c784a9b16a232a558029a2f3e88bd8ebfb1 100644
> > --- a/sound/soc/soc-dapm.c
> > +++ b/sound/soc/soc-dapm.c
> > @@ -1147,6 +1147,8 @@ static int dapm_widget_list_create(struct snd_soc_dapm_widget_list **list,
> >   	if (*list == NULL)
> >   		return -ENOMEM;
> > +	(*list)->num_widgets = size;
> > +
> >   	list_for_each_entry(w, widgets, work_list)
> >   		(*list)->widgets[i++] = w;
> > 
> > ---
> > base-commit: 81983758430957d9a5cb3333fe324fd70cf63e7e
> > change-id: 20241028-soc-dapm-bounds-checker-fix-5bae621455b2
> > 
> > Best regards,
> 
>
Amadeusz Sławiński Oct. 29, 2024, 9:50 a.m. UTC | #3
On 10/28/2024 11:50 PM, Aleksei Vetrov wrote:
> The widgets array in the snd_soc_dapm_widget_list has a __counted_by
> attribute attached to it, which points to the num_widgets variable. This
> attribute is used in bounds checking, and if it is not set before the
> array is filled, then the bounds sanitizer will issue a warning or a
> kernel panic if CONFIG_UBSAN_TRAP is set.
> 
> This patch sets the size of the widgets list calculated with
> list_for_each as the initial value for num_widgets as it is used for
> allocating memory for the array. It is updated with the actual number of
> added elements after the array is filled.
> 
> Signed-off-by: Aleksei Vetrov <vvvvvv@google.com>
> ---
>   sound/soc/soc-dapm.c | 2 ++
>   1 file changed, 2 insertions(+)
> 
> diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
> index c34934c31ffec3970b34b24dcaa0826dfb7d8e86..99521c784a9b16a232a558029a2f3e88bd8ebfb1 100644
> --- a/sound/soc/soc-dapm.c
> +++ b/sound/soc/soc-dapm.c
> @@ -1147,6 +1147,8 @@ static int dapm_widget_list_create(struct snd_soc_dapm_widget_list **list,
>   	if (*list == NULL)
>   		return -ENOMEM;
>   
> +	(*list)->num_widgets = size;
> +
>   	list_for_each_entry(w, widgets, work_list)
>   		(*list)->widgets[i++] = w;
>   

and after that there is (*list)->num_widgets = i;

Can this be somehow simplified to remove 'i', if it set before assignment?
Takashi Iwai Oct. 29, 2024, 10:30 a.m. UTC | #4
On Tue, 29 Oct 2024 10:50:21 +0100,
Amadeusz Sławiński wrote:
> 
> On 10/28/2024 11:50 PM, Aleksei Vetrov wrote:
> > The widgets array in the snd_soc_dapm_widget_list has a __counted_by
> > attribute attached to it, which points to the num_widgets variable. This
> > attribute is used in bounds checking, and if it is not set before the
> > array is filled, then the bounds sanitizer will issue a warning or a
> > kernel panic if CONFIG_UBSAN_TRAP is set.
> > 
> > This patch sets the size of the widgets list calculated with
> > list_for_each as the initial value for num_widgets as it is used for
> > allocating memory for the array. It is updated with the actual number of
> > added elements after the array is filled.
> > 
> > Signed-off-by: Aleksei Vetrov <vvvvvv@google.com>
> > ---
> >   sound/soc/soc-dapm.c | 2 ++
> >   1 file changed, 2 insertions(+)
> > 
> > diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
> > index c34934c31ffec3970b34b24dcaa0826dfb7d8e86..99521c784a9b16a232a558029a2f3e88bd8ebfb1 100644
> > --- a/sound/soc/soc-dapm.c
> > +++ b/sound/soc/soc-dapm.c
> > @@ -1147,6 +1147,8 @@ static int dapm_widget_list_create(struct snd_soc_dapm_widget_list **list,
> >   	if (*list == NULL)
> >   		return -ENOMEM;
> >   +	(*list)->num_widgets = size;
> > +
> >   	list_for_each_entry(w, widgets, work_list)
> >   		(*list)->widgets[i++] = w;
> >   
> 
> and after that there is (*list)->num_widgets = i;
> 
> Can this be somehow simplified to remove 'i', if it set before assignment?

That line can be removed after this change, I suppose.
The size is calculated from the list at the beginning, and it must be
the exact size.


thanks,

Takashi
Amadeusz Sławiński Oct. 29, 2024, 12:11 p.m. UTC | #5
On 10/29/2024 11:30 AM, Takashi Iwai wrote:
> On Tue, 29 Oct 2024 10:50:21 +0100,
> Amadeusz Sławiński wrote:
>>
>> On 10/28/2024 11:50 PM, Aleksei Vetrov wrote:
>>> The widgets array in the snd_soc_dapm_widget_list has a __counted_by
>>> attribute attached to it, which points to the num_widgets variable. This
>>> attribute is used in bounds checking, and if it is not set before the
>>> array is filled, then the bounds sanitizer will issue a warning or a
>>> kernel panic if CONFIG_UBSAN_TRAP is set.
>>>
>>> This patch sets the size of the widgets list calculated with
>>> list_for_each as the initial value for num_widgets as it is used for
>>> allocating memory for the array. It is updated with the actual number of
>>> added elements after the array is filled.
>>>
>>> Signed-off-by: Aleksei Vetrov <vvvvvv@google.com>
>>> ---
>>>    sound/soc/soc-dapm.c | 2 ++
>>>    1 file changed, 2 insertions(+)
>>>
>>> diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
>>> index c34934c31ffec3970b34b24dcaa0826dfb7d8e86..99521c784a9b16a232a558029a2f3e88bd8ebfb1 100644
>>> --- a/sound/soc/soc-dapm.c
>>> +++ b/sound/soc/soc-dapm.c
>>> @@ -1147,6 +1147,8 @@ static int dapm_widget_list_create(struct snd_soc_dapm_widget_list **list,
>>>    	if (*list == NULL)
>>>    		return -ENOMEM;
>>>    +	(*list)->num_widgets = size;
>>> +
>>>    	list_for_each_entry(w, widgets, work_list)
>>>    		(*list)->widgets[i++] = w;
>>>    
>>
>> and after that there is (*list)->num_widgets = i;
>>
>> Can this be somehow simplified to remove 'i', if it set before assignment?
> 
> That line can be removed after this change, I suppose.
> The size is calculated from the list at the beginning, and it must be
> the exact size.
> 

Actually looking at this again, first iteration iterates through all 
widgets, while second one, only through work_list, which looks to me 
like it allocates more memory than needed in most cases.
Takashi Iwai Oct. 29, 2024, 12:21 p.m. UTC | #6
On Tue, 29 Oct 2024 13:11:32 +0100,
Amadeusz Sławiński wrote:
> 
> On 10/29/2024 11:30 AM, Takashi Iwai wrote:
> > On Tue, 29 Oct 2024 10:50:21 +0100,
> > Amadeusz Sławiński wrote:
> >> 
> >> On 10/28/2024 11:50 PM, Aleksei Vetrov wrote:
> >>> The widgets array in the snd_soc_dapm_widget_list has a __counted_by
> >>> attribute attached to it, which points to the num_widgets variable. This
> >>> attribute is used in bounds checking, and if it is not set before the
> >>> array is filled, then the bounds sanitizer will issue a warning or a
> >>> kernel panic if CONFIG_UBSAN_TRAP is set.
> >>> 
> >>> This patch sets the size of the widgets list calculated with
> >>> list_for_each as the initial value for num_widgets as it is used for
> >>> allocating memory for the array. It is updated with the actual number of
> >>> added elements after the array is filled.
> >>> 
> >>> Signed-off-by: Aleksei Vetrov <vvvvvv@google.com>
> >>> ---
> >>>    sound/soc/soc-dapm.c | 2 ++
> >>>    1 file changed, 2 insertions(+)
> >>> 
> >>> diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
> >>> index c34934c31ffec3970b34b24dcaa0826dfb7d8e86..99521c784a9b16a232a558029a2f3e88bd8ebfb1 100644
> >>> --- a/sound/soc/soc-dapm.c
> >>> +++ b/sound/soc/soc-dapm.c
> >>> @@ -1147,6 +1147,8 @@ static int dapm_widget_list_create(struct snd_soc_dapm_widget_list **list,
> >>>    	if (*list == NULL)
> >>>    		return -ENOMEM;
> >>>    +	(*list)->num_widgets = size;
> >>> +
> >>>    	list_for_each_entry(w, widgets, work_list)
> >>>    		(*list)->widgets[i++] = w;
> >>>    
> >> 
> >> and after that there is (*list)->num_widgets = i;
> >> 
> >> Can this be somehow simplified to remove 'i', if it set before assignment?
> > 
> > That line can be removed after this change, I suppose.
> > The size is calculated from the list at the beginning, and it must be
> > the exact size.
> > 
> 
> Actually looking at this again, first iteration iterates through all
> widgets, while second one, only through work_list, which looks to me
> like it allocates more memory than needed in most cases.

Oh, you're right.  I don't know why two different loops are used,
though...


Takashi
Mark Brown Oct. 29, 2024, 12:46 p.m. UTC | #7
On Mon, 28 Oct 2024 22:50:30 +0000, Aleksei Vetrov wrote:
> The widgets array in the snd_soc_dapm_widget_list has a __counted_by
> attribute attached to it, which points to the num_widgets variable. This
> attribute is used in bounds checking, and if it is not set before the
> array is filled, then the bounds sanitizer will issue a warning or a
> kernel panic if CONFIG_UBSAN_TRAP is set.
> 
> This patch sets the size of the widgets list calculated with
> list_for_each as the initial value for num_widgets as it is used for
> allocating memory for the array. It is updated with the actual number of
> added elements after the array is filled.
> 
> [...]

Applied to

   https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-next

Thanks!

[1/1] ASoC: dapm: fix bounds checker error in dapm_widget_list_create
      commit: 2ef9439f7a19fd3d43b288d38b1c6e55b668a4fe

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark
Aleksei Vetrov Oct. 29, 2024, 1:37 p.m. UTC | #8
On Mon, Oct 28, 2024 at 04:58:58PM -0600, Gustavo A. R. Silva wrote:
> 
> As in the previous patch, this should include the following tag
> (and probably CC stable):
> 
> Fixes: 80e698e2df5b ("ASoC: soc-dapm: Annotate struct snd_soc_dapm_widget_list with __counted_by")

Thank you very much for this suggestion! I didn't understand how Fixes
tag works until your comment, but I've just read about Linux stable
process and it makes sense now.

Sent v2.

--
Aleksei Vetrov
Aleksei Vetrov Oct. 29, 2024, 1:47 p.m. UTC | #9
On Tue, Oct 29, 2024 at 01:37:09PM +0000, Aleksei Vetrov wrote:
> On Mon, Oct 28, 2024 at 04:58:58PM -0600, Gustavo A. R. Silva wrote:
> > 
> > As in the previous patch, this should include the following tag
> > (and probably CC stable):
> > 
> > Fixes: 80e698e2df5b ("ASoC: soc-dapm: Annotate struct snd_soc_dapm_widget_list with __counted_by")
> 
> Thank you very much for this suggestion! I didn't understand how Fixes
> tag works until your comment, but I've just read about Linux stable
> process and it makes sense now.
> 
> Sent v2.

Actually, my reply above meant to be for the nl80211 fix
(https://lore.kernel.org/r/20241028-nl80211_parse_sched_scan-bounds-checker-fix-v1-1-bb640be0ebb7@google.com).

For this fix I couldn't send v2, because it has been already applied by
Mark Brown. Guess I would need to send a separate message to the stable
team asking them to pick this patch from git.

--
Aleksei Vetrov
Mark Brown Oct. 29, 2024, 2:08 p.m. UTC | #10
On Tue, Oct 29, 2024 at 01:37:05PM +0000, Aleksei Vetrov wrote:

> Sent v2.

That doesn't seem to have shown up here?
Aleksei Vetrov Oct. 29, 2024, 3:14 p.m. UTC | #11
On Tue, Oct 29, 2024 at 02:08:32PM +0000, Mark Brown wrote:
> That doesn't seem to have shown up here?

Sorry for the mix up, I've accidentally replied in the wrong thread.
As I said in https://lore.kernel.org/all/ZyDndtgj5vKo-wvB@google.com/:

> Actually, my reply above meant to be for the nl80211 fix
> (https://lore.kernel.org/r/20241028-nl80211_parse_sched_scan-bounds-checker-fix-v1-1-bb640be0ebb7@google.com).

> For this fix I couldn't send v2, because it has been already applied by
> Mark Brown. Guess I would need to send a separate message to the stable
> team asking them to pick this patch from git.

Cheers
--
Aleksei Vetrov
Mark Brown Oct. 29, 2024, 6:15 p.m. UTC | #12
On Tue, Oct 29, 2024 at 03:14:53PM +0000, Aleksei Vetrov wrote:
> On Tue, Oct 29, 2024 at 02:08:32PM +0000, Mark Brown wrote:

> > For this fix I couldn't send v2, because it has been already applied by
> > Mark Brown. Guess I would need to send a separate message to the stable
> > team asking them to pick this patch from git.

Yeah, ping the stable team (or there's a good chance if it mentions
something that sounds vaugely like it might be a fix they'll backport it
anyway).
diff mbox series

Patch

diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
index c34934c31ffec3970b34b24dcaa0826dfb7d8e86..99521c784a9b16a232a558029a2f3e88bd8ebfb1 100644
--- a/sound/soc/soc-dapm.c
+++ b/sound/soc/soc-dapm.c
@@ -1147,6 +1147,8 @@  static int dapm_widget_list_create(struct snd_soc_dapm_widget_list **list,
 	if (*list == NULL)
 		return -ENOMEM;
 
+	(*list)->num_widgets = size;
+
 	list_for_each_entry(w, widgets, work_list)
 		(*list)->widgets[i++] = w;