Message ID | 20241028-soc-dapm-bounds-checker-fix-v1-1-262b0394e89e@google.com (mailing list archive) |
---|---|
State | Mainlined |
Commit | 2ef9439f7a19fd3d43b288d38b1c6e55b668a4fe |
Series | ASoC: dapm: fix bounds checker error in dapm_widget_list_create |
On 28/10/24 16:50, Aleksei Vetrov wrote:
> The widgets array in the snd_soc_dapm_widget_list has a __counted_by
> attribute attached to it, which points to the num_widgets variable. This
> attribute is used in bounds checking, and if it is not set before the
> array is filled, then the bounds sanitizer will issue a warning or a
> kernel panic if CONFIG_UBSAN_TRAP is set.
>
> This patch sets the size of the widgets list calculated with
> list_for_each as the initial value for num_widgets as it is used for
> allocating memory for the array. It is updated with the actual number of
> added elements after the array is filled.

As in the previous patch, this should include the following tag
(and probably CC stable):

Fixes: 80e698e2df5b ("ASoC: soc-dapm: Annotate struct snd_soc_dapm_widget_list with __counted_by")

Thanks

On Mon, Oct 28, 2024 at 04:58:58PM -0600, Gustavo A. R. Silva wrote: > > > On 28/10/24 16:50, Aleksei Vetrov wrote: > > The widgets array in the snd_soc_dapm_widget_list has a __counted_by > > attribute attached to it, which points to the num_widgets variable. This > > attribute is used in bounds checking, and if it is not set before the > > array is filled, then the bounds sanitizer will issue a warning or a > > kernel panic if CONFIG_UBSAN_TRAP is set. > > > > This patch sets the size of the widgets list calculated with > > list_for_each as the initial value for num_widgets as it is used for > > allocating memory for the array. It is updated with the actual number of > > added elements after the array is filled. > > As in the previous patch, this should include the following tag > (and probably CC stable): > > Fixes: 80e698e2df5b ("ASoC: soc-dapm: Annotate struct snd_soc_dapm_widget_list with __counted_by") Whoops! My mistake. :) Thanks for catching this one! Reviewed-by: Kees Cook <kees@kernel.org> -Kees > > Thanks > -- > Gustavo > > > > > Signed-off-by: Aleksei Vetrov <vvvvvv@google.com> > > --- > > sound/soc/soc-dapm.c | 2 ++ > > 1 file changed, 2 insertions(+) > > > > diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c > > index c34934c31ffec3970b34b24dcaa0826dfb7d8e86..99521c784a9b16a232a558029a2f3e88bd8ebfb1 100644 > > --- a/sound/soc/soc-dapm.c > > +++ b/sound/soc/soc-dapm.c > > @@ -1147,6 +1147,8 @@ static int dapm_widget_list_create(struct snd_soc_dapm_widget_list **list, > > if (*list == NULL) > > return -ENOMEM; > > + (*list)->num_widgets = size; > > + > > list_for_each_entry(w, widgets, work_list) > > (*list)->widgets[i++] = w; > > > > --- > > base-commit: 81983758430957d9a5cb3333fe324fd70cf63e7e > > change-id: 20241028-soc-dapm-bounds-checker-fix-5bae621455b2 > > > > Best regards, > >
On 10/28/2024 11:50 PM, Aleksei Vetrov wrote: > The widgets array in the snd_soc_dapm_widget_list has a __counted_by > attribute attached to it, which points to the num_widgets variable. This > attribute is used in bounds checking, and if it is not set before the > array is filled, then the bounds sanitizer will issue a warning or a > kernel panic if CONFIG_UBSAN_TRAP is set. > > This patch sets the size of the widgets list calculated with > list_for_each as the initial value for num_widgets as it is used for > allocating memory for the array. It is updated with the actual number of > added elements after the array is filled. > > Signed-off-by: Aleksei Vetrov <vvvvvv@google.com> > --- > sound/soc/soc-dapm.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c > index c34934c31ffec3970b34b24dcaa0826dfb7d8e86..99521c784a9b16a232a558029a2f3e88bd8ebfb1 100644 > --- a/sound/soc/soc-dapm.c > +++ b/sound/soc/soc-dapm.c > @@ -1147,6 +1147,8 @@ static int dapm_widget_list_create(struct snd_soc_dapm_widget_list **list, > if (*list == NULL) > return -ENOMEM; > > + (*list)->num_widgets = size; > + > list_for_each_entry(w, widgets, work_list) > (*list)->widgets[i++] = w; > and after that there is (*list)->num_widgets = i; Can this be somehow simplified to remove 'i', if it set before assignment?
On Tue, 29 Oct 2024 10:50:21 +0100, Amadeusz Sławiński wrote: > > On 10/28/2024 11:50 PM, Aleksei Vetrov wrote: > > The widgets array in the snd_soc_dapm_widget_list has a __counted_by > > attribute attached to it, which points to the num_widgets variable. This > > attribute is used in bounds checking, and if it is not set before the > > array is filled, then the bounds sanitizer will issue a warning or a > > kernel panic if CONFIG_UBSAN_TRAP is set. > > > > This patch sets the size of the widgets list calculated with > > list_for_each as the initial value for num_widgets as it is used for > > allocating memory for the array. It is updated with the actual number of > > added elements after the array is filled. > > > > Signed-off-by: Aleksei Vetrov <vvvvvv@google.com> > > --- > > sound/soc/soc-dapm.c | 2 ++ > > 1 file changed, 2 insertions(+) > > > > diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c > > index c34934c31ffec3970b34b24dcaa0826dfb7d8e86..99521c784a9b16a232a558029a2f3e88bd8ebfb1 100644 > > --- a/sound/soc/soc-dapm.c > > +++ b/sound/soc/soc-dapm.c > > @@ -1147,6 +1147,8 @@ static int dapm_widget_list_create(struct snd_soc_dapm_widget_list **list, > > if (*list == NULL) > > return -ENOMEM; > > + (*list)->num_widgets = size; > > + > > list_for_each_entry(w, widgets, work_list) > > (*list)->widgets[i++] = w; > > > > and after that there is (*list)->num_widgets = i; > > Can this be somehow simplified to remove 'i', if it set before assignment? That line can be removed after this change, I suppose. The size is calculated from the list at the beginning, and it must be the exact size. thanks, Takashi
On 10/29/2024 11:30 AM, Takashi Iwai wrote: > On Tue, 29 Oct 2024 10:50:21 +0100, > Amadeusz Sławiński wrote: >> >> On 10/28/2024 11:50 PM, Aleksei Vetrov wrote: >>> The widgets array in the snd_soc_dapm_widget_list has a __counted_by >>> attribute attached to it, which points to the num_widgets variable. This >>> attribute is used in bounds checking, and if it is not set before the >>> array is filled, then the bounds sanitizer will issue a warning or a >>> kernel panic if CONFIG_UBSAN_TRAP is set. >>> >>> This patch sets the size of the widgets list calculated with >>> list_for_each as the initial value for num_widgets as it is used for >>> allocating memory for the array. It is updated with the actual number of >>> added elements after the array is filled. >>> >>> Signed-off-by: Aleksei Vetrov <vvvvvv@google.com> >>> --- >>> sound/soc/soc-dapm.c | 2 ++ >>> 1 file changed, 2 insertions(+) >>> >>> diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c >>> index c34934c31ffec3970b34b24dcaa0826dfb7d8e86..99521c784a9b16a232a558029a2f3e88bd8ebfb1 100644 >>> --- a/sound/soc/soc-dapm.c >>> +++ b/sound/soc/soc-dapm.c >>> @@ -1147,6 +1147,8 @@ static int dapm_widget_list_create(struct snd_soc_dapm_widget_list **list, >>> if (*list == NULL) >>> return -ENOMEM; >>> + (*list)->num_widgets = size; >>> + >>> list_for_each_entry(w, widgets, work_list) >>> (*list)->widgets[i++] = w; >>> >> >> and after that there is (*list)->num_widgets = i; >> >> Can this be somehow simplified to remove 'i', if it set before assignment? > > That line can be removed after this change, I suppose. > The size is calculated from the list at the beginning, and it must be > the exact size. > Actually looking at this again, first iteration iterates through all widgets, while second one, only through work_list, which looks to me like it allocates more memory than needed in most cases.
On Tue, 29 Oct 2024 13:11:32 +0100, Amadeusz Sławiński wrote: > > On 10/29/2024 11:30 AM, Takashi Iwai wrote: > > On Tue, 29 Oct 2024 10:50:21 +0100, > > Amadeusz Sławiński wrote: > >> > >> On 10/28/2024 11:50 PM, Aleksei Vetrov wrote: > >>> The widgets array in the snd_soc_dapm_widget_list has a __counted_by > >>> attribute attached to it, which points to the num_widgets variable. This > >>> attribute is used in bounds checking, and if it is not set before the > >>> array is filled, then the bounds sanitizer will issue a warning or a > >>> kernel panic if CONFIG_UBSAN_TRAP is set. > >>> > >>> This patch sets the size of the widgets list calculated with > >>> list_for_each as the initial value for num_widgets as it is used for > >>> allocating memory for the array. It is updated with the actual number of > >>> added elements after the array is filled. > >>> > >>> Signed-off-by: Aleksei Vetrov <vvvvvv@google.com> > >>> --- > >>> sound/soc/soc-dapm.c | 2 ++ > >>> 1 file changed, 2 insertions(+) > >>> > >>> diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c > >>> index c34934c31ffec3970b34b24dcaa0826dfb7d8e86..99521c784a9b16a232a558029a2f3e88bd8ebfb1 100644 > >>> --- a/sound/soc/soc-dapm.c > >>> +++ b/sound/soc/soc-dapm.c 
> >>> @@ -1147,6 +1147,8 @@ static int dapm_widget_list_create(struct snd_soc_dapm_widget_list **list, > >>> if (*list == NULL) > >>> return -ENOMEM; > >>> + (*list)->num_widgets = size; > >>> + > >>> list_for_each_entry(w, widgets, work_list) > >>> (*list)->widgets[i++] = w; > >>> > >> > >> and after that there is (*list)->num_widgets = i; > >> > >> Can this be somehow simplified to remove 'i', if it set before assignment? > > > > That line can be removed after this change, I suppose. > > The size is calculated from the list at the beginning, and it must be > > the exact size. > > > > Actually looking at this again, first iteration iterates through all > widgets, while second one, only through work_list, which looks to me > like it allocates more memory than needed in most cases. Oh, you're right. I don't know why two different loops are used, though... Takashi
On Mon, 28 Oct 2024 22:50:30 +0000, Aleksei Vetrov wrote:
> The widgets array in the snd_soc_dapm_widget_list has a __counted_by
> attribute attached to it, which points to the num_widgets variable. This
> attribute is used in bounds checking, and if it is not set before the
> array is filled, then the bounds sanitizer will issue a warning or a
> kernel panic if CONFIG_UBSAN_TRAP is set.
>
> This patch sets the size of the widgets list calculated with
> list_for_each as the initial value for num_widgets as it is used for
> allocating memory for the array. It is updated with the actual number of
> added elements after the array is filled.
>
> [...]

Applied to

   https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-next

Thanks!

[1/1] ASoC: dapm: fix bounds checker error in dapm_widget_list_create
      commit: 2ef9439f7a19fd3d43b288d38b1c6e55b668a4fe

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark

On Mon, Oct 28, 2024 at 04:58:58PM -0600, Gustavo A. R. Silva wrote:
>
> As in the previous patch, this should include the following tag
> (and probably CC stable):
>
> Fixes: 80e698e2df5b ("ASoC: soc-dapm: Annotate struct snd_soc_dapm_widget_list with __counted_by")

Thank you very much for this suggestion! I didn't understand how the Fixes
tag works until your comment, but I've just read about the Linux stable
process and it makes sense now.

Sent v2.

--
Aleksei Vetrov

On Tue, Oct 29, 2024 at 01:37:09PM +0000, Aleksei Vetrov wrote:
> On Mon, Oct 28, 2024 at 04:58:58PM -0600, Gustavo A. R. Silva wrote:
> >
> > As in the previous patch, this should include the following tag
> > (and probably CC stable):
> >
> > Fixes: 80e698e2df5b ("ASoC: soc-dapm: Annotate struct snd_soc_dapm_widget_list with __counted_by")
>
> Thank you very much for this suggestion! I didn't understand how the Fixes
> tag works until your comment, but I've just read about the Linux stable
> process and it makes sense now.
>
> Sent v2.

Actually, my reply above was meant to be for the nl80211 fix
(https://lore.kernel.org/r/20241028-nl80211_parse_sched_scan-bounds-checker-fix-v1-1-bb640be0ebb7@google.com).
For this fix I couldn't send v2, because it has been already applied by
Mark Brown. Guess I would need to send a separate message to the stable
team asking them to pick this patch from git.

--
Aleksei Vetrov

On Tue, Oct 29, 2024 at 01:37:05PM +0000, Aleksei Vetrov wrote:
> Sent v2.
That doesn't seem to have shown up here?
On Tue, Oct 29, 2024 at 02:08:32PM +0000, Mark Brown wrote:
> That doesn't seem to have shown up here?

Sorry for the mix up, I've accidentally replied in the wrong thread. As
I said in https://lore.kernel.org/all/ZyDndtgj5vKo-wvB@google.com/:

> Actually, my reply above was meant to be for the nl80211 fix
> (https://lore.kernel.org/r/20241028-nl80211_parse_sched_scan-bounds-checker-fix-v1-1-bb640be0ebb7@google.com).
> For this fix I couldn't send v2, because it has been already applied by
> Mark Brown. Guess I would need to send a separate message to the stable
> team asking them to pick this patch from git.

Cheers

--
Aleksei Vetrov

On Tue, Oct 29, 2024 at 03:14:53PM +0000, Aleksei Vetrov wrote:
> On Tue, Oct 29, 2024 at 02:08:32PM +0000, Mark Brown wrote:

> > For this fix I couldn't send v2, because it has been already applied by
> > Mark Brown. Guess I would need to send a separate message to the stable
> > team asking them to pick this patch from git.

Yeah, ping the stable team (or there's a good chance if it mentions
something that sounds vaguely like it might be a fix they'll backport it
anyway).

diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c index c34934c31ffec3970b34b24dcaa0826dfb7d8e86..99521c784a9b16a232a558029a2f3e88bd8ebfb1 100644 --- a/sound/soc/soc-dapm.c +++ b/sound/soc/soc-dapm.c @@ -1147,6 +1147,8 @@ static int dapm_widget_list_create(struct snd_soc_dapm_widget_list **list, if (*list == NULL) return -ENOMEM; + (*list)->num_widgets = size; + list_for_each_entry(w, widgets, work_list) (*list)->widgets[i++] = w;
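Review bot: The added `(*list)->num_widgets = size;` ahead of the fill loop carries no comment, and next to the later `(*list)->num_widgets = i;` mentioned in the thread it reads as a redundant store that a future cleanup could delete, bringing the bounds-sanitizer report back. Suggest a one-line comment above it saying that the `__counted_by` counter has to be valid before `widgets[]` is written, and that `size` is the allocation count which is narrowed to the number of stored entries after the loop. The commit message should also carry the Fixes: tag requested in review, since the change repairs the commit that added the `__counted_by` annotation.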
The widgets array in the snd_soc_dapm_widget_list has a __counted_by
attribute attached to it, which points to the num_widgets variable. This
attribute is used in bounds checking, and if it is not set before the
array is filled, then the bounds sanitizer will issue a warning or a
kernel panic if CONFIG_UBSAN_TRAP is set.

This patch sets the size of the widgets list calculated with
list_for_each as the initial value for num_widgets as it is used for
allocating memory for the array. It is updated with the actual number of
added elements after the array is filled.

Signed-off-by: Aleksei Vetrov <vvvvvv@google.com>
---
 sound/soc/soc-dapm.c | 2 ++
 1 file changed, 2 insertions(+)

---
base-commit: 81983758430957d9a5cb3333fe324fd70cf63e7e
change-id: 20241028-soc-dapm-bounds-checker-fix-5bae621455b2

Best regards,
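
The ordering rule from the commit message, as an added user-space sketch that is not part of the patch or of the kernel source. `struct widget_list`, `store_checked()` and `list_create()` are hypothetical stand-ins; `store_checked()` models the check the bounds sanitizer makes against the `__counted_by` counter, and `count_first` switches between the pre-patch and the patched order.

```c
#include <stdlib.h>

/* Use the real attribute where the compiler provides it, otherwise a no-op. */
#if defined(__has_attribute)
# if __has_attribute(counted_by)
#  define COUNTED_BY(m) __attribute__((counted_by(m)))
# endif
#endif
#ifndef COUNTED_BY
# define COUNTED_BY(m)
#endif

/* Hypothetical stand-in for snd_soc_dapm_widget_list (ints instead of widgets). */
struct widget_list {
	int num_widgets;
	int widgets[] COUNTED_BY(num_widgets);
};

/* Models the sanitizer's rule: an index is valid only while below the counter. */
static int store_checked(struct widget_list *l, int idx, int w)
{
	if (idx < 0 || idx >= l->num_widgets)
		return -1;	/* the point where UBSAN would warn or trap */
	l->widgets[idx] = w;
	return 0;
}

/* Allocate room for size entries, store only the even values of src[].
 * Returns the number of rejected stores, or -1 if allocation fails. */
static int list_create(struct widget_list **list, const int *src, int size, int count_first)
{
	int i = 0, rejected = 0;

	*list = calloc(1, sizeof(**list) + (size_t)size * sizeof(int));
	if (*list == NULL)
		return -1;
	if (count_first)
		(*list)->num_widgets = size;	/* upper bound, matches the allocation */
	for (int k = 0; k < size; k++) {
		if (src[k] % 2)
			continue;	/* fill loop visits fewer entries than were counted */
		if (store_checked(*list, i, src[k]) == 0)
			i++;
		else
			rejected++;
	}
	(*list)->num_widgets = i;	/* narrow to what was actually stored */
	return rejected;
}
```

With the counter left at zero every store is out of bounds from the checker's point of view, even though the allocation is large enough; setting it to the allocation count first and narrowing it afterwards keeps every access inside the declared bound.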