Date:   Wed, 18 Jul 2018 11:52:45 +0000
From:   "He, Bo" <bo.he@...el.com>
To:     "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "alsa-devel@...a-project.org" <alsa-devel@...a-project.org>,
        "perex@...ex.cz" <perex@...ex.cz>,
        "tiwai@...e.com" <tiwai@...e.com>
CC:     "Zhang, Jun" <jun.zhang@...el.com>,
        "Zhang, Yanmin" <yanmin.zhang@...el.com>
Subject: [PATCH] ALSA: core: fix unsigned int pages overflow when compared

We see the kernel panic below on the suspend/resume stress test in
snd_malloc_sgbuf_pages(): the chunk allocated by
snd_dma_alloc_pages_fallback() may be larger than the remaining pages
due to page alignment, which will cause pages to overflow.

while (pages > 0) {
	...
	pages -= chunk;
}

The patch changes pages from unsigned int to int to fix the issue.

BUG: unable to handle kernel paging request at ffff88000deb4000
IP: [<ffffffff81404fa9>] memset_erms+0x9/0x10
Call Trace:
 [<ffffffff818f222f>] snd_dma_alloc_pages+0xff/0x210
 [<ffffffff818f23af>] snd_dma_alloc_pages_fallback+0x6f/0x90
 [<ffffffff818f2b85>] snd_malloc_sgbuf_pages+0x145/0x370
 [<ffffffff818f229e>] snd_dma_alloc_pages+0x16e/0x210
 [<ffffffffc011930d>] hdac_ext_dma_alloc_pages+0x1d/0x40 [snd_hda_ext_core]
 [<ffffffffc010729a>] snd_hdac_dsp_prepare+0xca/0x1c0 [snd_hda_core]
 [<ffffffffc01880f9>] skl_dsp_prepare+0x99/0xf0 [snd_soc_skl]
 [<ffffffffc0162a7e>] bxt_load_base_firmware+0x9e/0x5c0 [snd_soc_skl_ipc]
 [<ffffffffc01630ec>] bxt_set_dsp_D0+0x14c/0x300 [snd_soc_skl_ipc]
 [<ffffffffc015f9c3>] skl_dsp_get_core+0x43/0xd0 [snd_soc_skl_ipc]
 [<ffffffffc015fa60>] skl_dsp_wake+0x10/0x20 [snd_soc_skl_ipc]
 [<ffffffffc0188e3e>] skl_resume_dsp+0x7e/0x140 [snd_soc_skl]
 [<ffffffffc0183c4a>] skl_resume+0xda/0x170 [snd_soc_skl]
 [<ffffffff81452726>] pci_pm_resume+0x76/0xe0
 [<ffffffff816616da>] dpm_run_callback+0x5a/0x180
 [<ffffffff81661e3c>] device_resume+0xdc/0x2c0
 [<ffffffff81663818>] dpm_resume+0x118/0x310
 [<ffffffff81663e11>] dpm_resume_end+0x11/0x20
 [<ffffffff810f8bcc>] suspend_devices_and_enter+0x11c/0x2b0
 [<ffffffff810f90bd>] pm_suspend+0x35d/0x3d0
 [<ffffffff810f78a6>] state_store+0x66/0x90
 [<ffffffff813f80e2>] kobj_attr_store+0x12/0x20
 [<ffffffff812a37bc>] sysfs_kf_write+0x3c/0x50
 [<ffffffff812a2cbd>] kernfs_fop_write+0x11d/0x1a0
 [<ffffffff8121dfaa>] __vfs_write+0x3a/0x150
 [<ffffffff8121f2b1>] vfs_write+0xb1/0x1a0
 [<ffffffff81220898>] SyS_write+0x58/0xc0
 [<ffffffff81001fca>] do_syscall_64+0x6a/0xe0
 [<ffffffff81b06560>] entry_SYSCALL_64_after_swapgs+0x5d/0xd7

Signed-off-by: he, bo <bo.he@...el.com>
Signed-off-by: zhang jun <jun.zhang@...el.com>
---
 sound/core/sgbuf.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sound/core/sgbuf.c b/sound/core/sgbuf.c
index 84fffab..33449ee 100644
--- a/sound/core/sgbuf.c
+++ b/sound/core/sgbuf.c
@@ -68,7 +68,8 @@ void *snd_malloc_sgbuf_pages(struct device *device,
 			     size_t *res_size)
 {
 	struct snd_sg_buf *sgbuf;
-	unsigned int i, pages, chunk, maxpages;
+	unsigned int i, chunk, maxpages;
+	int pages;
 	struct snd_dma_buffer tmpb;
 	struct snd_sg_page *table;
 	struct page **pgtable;
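Review bot: With `pages` now `int` while `i`, `chunk` and `maxpages` stay `unsigned int` in the declaration just above it, the fix depends on `pages` going negative at `pages -= chunk`, and any expression in the function that compares or combines `pages` with `chunk` or `maxpages` converts it back to unsigned, where a negative value reads as a very large count. Consider keeping the counter unsigned and clamping before the subtraction, e.g. `if (chunk > pages) chunk = pages;`, or at minimum add a comment at `int pages;` saying why it has to be signed. The changelog says the allocated chunk can be larger than the pages left; the type change only stops the `while (pages > 0)` loop, so the description should also say what happens to the extra pages of that last chunk.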
-- 
2.7.4
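
The wrap described in the commit message, as an added example that is not part of the original patch or of sound/core/sgbuf.c: a user-space model of the `while (pages > 0)` loop with an unsigned and a signed counter. `alloc_chunk()`, its power-of-two rounding, `ITER_CAP` and the function names are assumptions made for this demo.

```c
#include <stdio.h>

#define ITER_CAP 8 /* demo-only cap so the wrapped loop terminates */

/* Hypothetical allocator stand-in: rounds the request up to a power-of-two
 * page count (an assumption; the page only says "pages alignment"). */
static unsigned int alloc_chunk(unsigned int want)
{
	unsigned int got = 1;

	while (got < want)
		got <<= 1;
	return got;
}

/* Unsigned counter, as before the patch: returns loop iterations run. */
unsigned int loop_unsigned(unsigned int pages, unsigned int maxpages)
{
	unsigned int iters = 0;

	while (pages > 0 && iters < ITER_CAP) {
		unsigned int chunk = alloc_chunk(pages < maxpages ? pages : maxpages);

		pages -= chunk; /* wraps to a huge value when chunk > pages */
		iters++;
	}
	return iters;
}

/* Signed counter, as after the patch: a negative remainder ends the loop. */
unsigned int loop_signed(int pages, unsigned int maxpages)
{
	unsigned int iters = 0;

	while (pages > 0 && iters < ITER_CAP) {
		unsigned int left = (unsigned int)pages;

		pages -= (int)alloc_chunk(left < maxpages ? left : maxpages);
		iters++;
	}
	return iters;
}

int main(void)
{
	printf("unsigned: %u iterations (cap %d)\n", loop_unsigned(5, 32), ITER_CAP);
	printf("signed:   %u iterations\n", loop_signed(5, 32));
	return 0;
}
```

With 5 pages requested and an 8-page chunk returned, the unsigned loop only stops at the demo cap, while the signed loop exits after one pass.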
