| Message ID | 20241126-asoc-mtk-dummy-panic-v1-1-42d53e168d2e@collabora.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | ASoC: mediatek: Check num_codecs is not zero to avoid panic during probe | expand |
Hi > Following commit 13f58267cda3 ("ASoC: soc.h: don't create dummy > Component via COMP_DUMMY()"), COMP_DUMMY() became an array with zero > length, and only gets populated with the dummy struct after the card is > registered. Since the sound card driver's probe happens before the card > registration, accessing any of the members of a dummy component during > probe will result in undefined behavior. > > This can be observed in the mt8188 and mt8195 machine sound drivers. By > omitting a dai link subnode in the sound card's node in the Devicetree, > the default uninitialized dummy codec is used, and when its dai_name > pointer gets passed to strcmp() it results in a null pointer dereference > and a kernel panic. > > In addition to that, set_card_codec_info() in the generic helpers file, > mtk-soundcard-driver.c, will populate a dai link with a dummy codec when > a dai link node is present in DT but with no codec property. > > The result is that at probe time, a dummy codec can either be > uninitialized with num_codecs = 0, or be an initialized dummy codec, > with num_codecs = 1 and dai_name = "snd-soc-dummy-dai". In order to > accommodate for both situations, check that num_codecs is not zero > before accessing the codecs' fields but still check for the codec's dai > name against "snd-soc-dummy-dai" as needed. > > While at it, also drop the check that dai_name is not null in the mt8192 > driver, introduced in commit 4d4e1b6319e5 ("ASoC: mediatek: mt8192: > Check existence of dai_name before dereferencing"), as it is actually > redundant given the preceding num_codecs != 0 check. > > Fixes: 13f58267cda3 ("ASoC: soc.h: don't create dummy Component via COMP_DUMMY()") > Signed-off-by: Nícolas F. R. A. Prado <nfraprado@collabora.com> Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com> Thank you for your help !! Best regards --- Kuninori Morimoto
On Wed, Nov 27, 2024 at 4:10 AM Nícolas F. R. A. Prado <nfraprado@collabora.com> wrote: > > Following commit 13f58267cda3 ("ASoC: soc.h: don't create dummy > Component via COMP_DUMMY()"), COMP_DUMMY() became an array with zero > length, and only gets populated with the dummy struct after the card is > registered. Since the sound card driver's probe happens before the card > registration, accessing any of the members of a dummy component during > probe will result in undefined behavior. > > This can be observed in the mt8188 and mt8195 machine sound drivers. By > omitting a dai link subnode in the sound card's node in the Devicetree, > the default uninitialized dummy codec is used, and when its dai_name > pointer gets passed to strcmp() it results in a null pointer dereference > and a kernel panic. > > In addition to that, set_card_codec_info() in the generic helpers file, > mtk-soundcard-driver.c, will populate a dai link with a dummy codec when > a dai link node is present in DT but with no codec property. > > The result is that at probe time, a dummy codec can either be > uninitialized with num_codecs = 0, or be an initialized dummy codec, > with num_codecs = 1 and dai_name = "snd-soc-dummy-dai". In order to > accommodate for both situations, check that num_codecs is not zero > before accessing the codecs' fields but still check for the codec's dai > name against "snd-soc-dummy-dai" as needed. > > While at it, also drop the check that dai_name is not null in the mt8192 > driver, introduced in commit 4d4e1b6319e5 ("ASoC: mediatek: mt8192: > Check existence of dai_name before dereferencing"), as it is actually > redundant given the preceding num_codecs != 0 check. > > Fixes: 13f58267cda3 ("ASoC: soc.h: don't create dummy Component via COMP_DUMMY()") > Signed-off-by: Nícolas F. R. A. Prado <nfraprado@collabora.com> Reviewed-by: Fei Shao <fshao@chromium.org> I noticed the same issue on MT8188, so it's really nice to see this fix. Many thanks! Regards, Fei
On Tue, 2024-11-26 at 15:09 -0500, Nícolas F. R. A. Prado wrote: > > Following commit 13f58267cda3 ("ASoC: soc.h: don't create dummy > Component via COMP_DUMMY()"), COMP_DUMMY() became an array with zero > length, and only gets populated with the dummy struct after the card > is > registered. Since the sound card driver's probe happens before the > card > registration, accessing any of the members of a dummy component > during > probe will result in undefined behavior. > > This can be observed in the mt8188 and mt8195 machine sound drivers. > By > omitting a dai link subnode in the sound card's node in the > Devicetree, > the default uninitialized dummy codec is used, and when its dai_name > pointer gets passed to strcmp() it results in a null pointer > dereference > and a kernel panic. > > In addition to that, set_card_codec_info() in the generic helpers > file, > mtk-soundcard-driver.c, will populate a dai link with a dummy codec > when > a dai link node is present in DT but with no codec property. > > The result is that at probe time, a dummy codec can either be > uninitialized with num_codecs = 0, or be an initialized dummy codec, > with num_codecs = 1 and dai_name = "snd-soc-dummy-dai". In order to > accommodate for both situations, check that num_codecs is not zero > before accessing the codecs' fields but still check for the codec's > dai > name against "snd-soc-dummy-dai" as needed. > > While at it, also drop the check that dai_name is not null in the > mt8192 > driver, introduced in commit 4d4e1b6319e5 ("ASoC: mediatek: mt8192: > Check existence of dai_name before dereferencing"), as it is actually > redundant given the preceding num_codecs != 0 check. > > Fixes: 13f58267cda3 ("ASoC: soc.h: don't create dummy Component via > COMP_DUMMY()") > Signed-off-by: Nícolas F. R. A. Prado <nfraprado@collabora.com> > --- > Acked-by: Trevor Wu <trevor.wu@mediatek.com> Thank you for the patch. Thanks, Trevor
diff --git a/sound/soc/mediatek/mt8188/mt8188-mt6359.c b/sound/soc/mediatek/mt8188/mt8188-mt6359.c index 08ae962afeb92965109b303439419bc6e7c2a896..4eed90d13a53262f0df99384494c6992b0341471 100644 --- a/sound/soc/mediatek/mt8188/mt8188-mt6359.c +++ b/sound/soc/mediatek/mt8188/mt8188-mt6359.c @@ -1279,10 +1279,12 @@ static int mt8188_mt6359_soc_card_probe(struct mtk_soc_card_data *soc_card_data, for_each_card_prelinks(card, i, dai_link) { if (strcmp(dai_link->name, "DPTX_BE") == 0) { - if (strcmp(dai_link->codecs->dai_name, "snd-soc-dummy-dai")) + if (dai_link->num_codecs && + strcmp(dai_link->codecs->dai_name, "snd-soc-dummy-dai")) dai_link->init = mt8188_dptx_codec_init; } else if (strcmp(dai_link->name, "ETDM3_OUT_BE") == 0) { - if (strcmp(dai_link->codecs->dai_name, "snd-soc-dummy-dai")) + if (dai_link->num_codecs && + strcmp(dai_link->codecs->dai_name, "snd-soc-dummy-dai")) dai_link->init = mt8188_hdmi_codec_init; } else if (strcmp(dai_link->name, "DL_SRC_BE") == 0 || strcmp(dai_link->name, "UL_SRC_BE") == 0) { @@ -1294,6 +1296,9 @@ static int mt8188_mt6359_soc_card_probe(struct mtk_soc_card_data *soc_card_data, strcmp(dai_link->name, "ETDM2_OUT_BE") == 0 || strcmp(dai_link->name, "ETDM1_IN_BE") == 0 || strcmp(dai_link->name, "ETDM2_IN_BE") == 0) { + if (!dai_link->num_codecs) + continue; + if (!strcmp(dai_link->codecs->dai_name, MAX98390_CODEC_DAI)) { /* * The TDM protocol settings with fixed 4 slots are defined in diff --git a/sound/soc/mediatek/mt8192/mt8192-mt6359-rt1015-rt5682.c b/sound/soc/mediatek/mt8192/mt8192-mt6359-rt1015-rt5682.c index db00704e206d6d3f500a5c8533e0159f16cf77b4..943f8116840373a563f5f10a7bd0f5870c331b67 100644 --- a/sound/soc/mediatek/mt8192/mt8192-mt6359-rt1015-rt5682.c +++ b/sound/soc/mediatek/mt8192/mt8192-mt6359-rt1015-rt5682.c @@ -1099,7 +1099,7 @@ static int mt8192_mt6359_legacy_probe(struct mtk_soc_card_data *soc_card_data) dai_link->ignore = 0; } - if (dai_link->num_codecs && dai_link->codecs[0].dai_name && + if (dai_link->num_codecs && strcmp(dai_link->codecs[0].dai_name, RT1015_CODEC_DAI) == 0) dai_link->ops = &mt8192_rt1015_i2s_ops; } @@ -1127,7 +1127,7 @@ static int mt8192_mt6359_soc_card_probe(struct mtk_soc_card_data *soc_card_data, int i; for_each_card_prelinks(card, i, dai_link) - if (dai_link->num_codecs && dai_link->codecs[0].dai_name && + if (dai_link->num_codecs && strcmp(dai_link->codecs[0].dai_name, RT1015_CODEC_DAI) == 0) dai_link->ops = &mt8192_rt1015_i2s_ops; } diff --git a/sound/soc/mediatek/mt8195/mt8195-mt6359.c b/sound/soc/mediatek/mt8195/mt8195-mt6359.c index 2832ef78eaed7283eaad822931ce0b515fa44d0a..8ebf6c7502aa3dedd213471b8968e2958f28c4a3 100644 --- a/sound/soc/mediatek/mt8195/mt8195-mt6359.c +++ b/sound/soc/mediatek/mt8195/mt8195-mt6359.c @@ -1380,10 +1380,12 @@ static int mt8195_mt6359_soc_card_probe(struct mtk_soc_card_data *soc_card_data, for_each_card_prelinks(card, i, dai_link) { if (strcmp(dai_link->name, "DPTX_BE") == 0) { - if (strcmp(dai_link->codecs->dai_name, "snd-soc-dummy-dai")) + if (dai_link->num_codecs && + strcmp(dai_link->codecs->dai_name, "snd-soc-dummy-dai")) dai_link->init = mt8195_dptx_codec_init; } else if (strcmp(dai_link->name, "ETDM3_OUT_BE") == 0) { - if (strcmp(dai_link->codecs->dai_name, "snd-soc-dummy-dai")) + if (dai_link->num_codecs && + strcmp(dai_link->codecs->dai_name, "snd-soc-dummy-dai")) dai_link->init = mt8195_hdmi_codec_init; } else if (strcmp(dai_link->name, "DL_SRC_BE") == 0 || strcmp(dai_link->name, "UL_SRC1_BE") == 0 || @@ -1396,6 +1398,9 @@ static int mt8195_mt6359_soc_card_probe(struct mtk_soc_card_data *soc_card_data, strcmp(dai_link->name, "ETDM2_OUT_BE") == 0 || strcmp(dai_link->name, "ETDM1_IN_BE") == 0 || strcmp(dai_link->name, "ETDM2_IN_BE") == 0) { + if (!dai_link->num_codecs) + continue; + if (!strcmp(dai_link->codecs->dai_name, MAX98390_CODEC_DAI)) { if (!(codec_init & MAX98390_CODEC_INIT)) { dai_link->init = mt8195_max98390_init;
Following commit 13f58267cda3 ("ASoC: soc.h: don't create dummy Component via COMP_DUMMY()"), COMP_DUMMY() became an array with zero length, and only gets populated with the dummy struct after the card is registered. Since the sound card driver's probe happens before the card registration, accessing any of the members of a dummy component during probe will result in undefined behavior. This can be observed in the mt8188 and mt8195 machine sound drivers. By omitting a dai link subnode in the sound card's node in the Devicetree, the default uninitialized dummy codec is used, and when its dai_name pointer gets passed to strcmp() it results in a null pointer dereference and a kernel panic. In addition to that, set_card_codec_info() in the generic helpers file, mtk-soundcard-driver.c, will populate a dai link with a dummy codec when a dai link node is present in DT but with no codec property. The result is that at probe time, a dummy codec can either be uninitialized with num_codecs = 0, or be an initialized dummy codec, with num_codecs = 1 and dai_name = "snd-soc-dummy-dai". In order to accommodate for both situations, check that num_codecs is not zero before accessing the codecs' fields but still check for the codec's dai name against "snd-soc-dummy-dai" as needed. While at it, also drop the check that dai_name is not null in the mt8192 driver, introduced in commit 4d4e1b6319e5 ("ASoC: mediatek: mt8192: Check existence of dai_name before dereferencing"), as it is actually redundant given the preceding num_codecs != 0 check. Fixes: 13f58267cda3 ("ASoC: soc.h: don't create dummy Component via COMP_DUMMY()") Signed-off-by: Nícolas F. R. A. Prado <nfraprado@collabora.com> --- sound/soc/mediatek/mt8188/mt8188-mt6359.c | 9 +++++++-- sound/soc/mediatek/mt8192/mt8192-mt6359-rt1015-rt5682.c | 4 ++-- sound/soc/mediatek/mt8195/mt8195-mt6359.c | 9 +++++++-- 3 files changed, 16 insertions(+), 6 deletions(-) --- base-commit: b852e1e7a0389ed6168ef1d38eb0bad71a6b11e8 change-id: 20241126-asoc-mtk-dummy-panic-1f7961fcecdb Best regards,