Date:   Mon, 13 Mar 2017 14:41:28 -0700
From:   Brian Norris <briannorris@...omium.org>
To:     Kuninori Morimoto <kuninori.morimoto.gx@...esas.com>
Cc:     Liam Girdwood <lgirdwood@...il.com>,
        Mark Brown <broonie@...nel.org>, linux-kernel@...r.kernel.org,
        Jaroslav Kysela <perex@...ex.cz>,
        Takashi Iwai <tiwai@...e.com>, alsa-devel@...a-project.org
Subject: Re: [PATCH for-4.11] ASoC: don't dereference NULL pcm_{new,free}

On Mon, Mar 13, 2017 at 03:46:00AM +0000, Kuninori Morimoto wrote:
> > There are 4 drivers calling that:
> > 
> >   snd_soc_dummy_probe
> >   rt5514_spi_probe
> >   2 instances of snd_dmaengine_pcm_register, via rockchip_i2s_probe
> > 
> > Only the latter two seem to run the assignment here:
> > 
> > 	if (platform_drv->pcm_new)
> > 		platform->component.pcm_new = snd_soc_platform_drv_pcm_new;
> > 
> > Both snd_soc_dummy_probe and rt5514_spi_probe find ->pcm_new NULL here.
> 
> Hmm...
> 
> The crasher was snd_dmaengine_pcm_register's platform ?

No, actually it wasn't. It was spi2.0, which was a dummy, from
snd_soc_dummy_probe(). But somehow snd_soc_platform_drv_pcm_new() got
called for it...

> This means, in your current kernel, dmaengine platform doesn't call
> its .pcm_new (= dmaengine_pcm_new) somehow ?

I believe not. I'm still thoroughly confused though :)

> I'm wondering why ->pcm_new became NULL which exists on probe timing ?
> Can you check component and driver by this patch ?
> This is very rough but enough for debug

I added this (along with a bunch of debugging, including a form of my
current patch, to avoid still crashing on the NULL pointer). Trimmed
log (with some of the framework's dev_dbg() enabled):

[    2.521638] snd-soc-dummy snd-soc-dummy: codec register snd-soc-dummy
[    2.523532] da7219 8-001a: codec register 8-001a
[    2.523850] max98357a max98357a: codec register max98357a
[    2.530256] rt5514 1-0057: codec register 1-0057
[    2.531615] -------add name: ff880000.i2s, ffffff800888a598
[    2.531976] -------add name: ff8a0000.i2s, ffffff800888a598
[    2.532706] rk3399-gru-sound sound: ASoC: binding MAX98357A
[    2.532721] rk3399-gru-sound sound: ASoC: binding RT5514
[    2.532736] rk3399-gru-sound sound: ASoC: binding DA7219
[    2.532745] rk3399-gru-sound sound: ASoC: binding RT5514 DSP
[    2.537327] rk3399-gru-sound sound: ASoC: probe rk3399-gru-sound dai link 0 late -2
[    2.537332] rk3399-gru-sound sound: ASoC: probe rk3399-gru-sound dai link 1 late -2
[    2.537336] rk3399-gru-sound sound: ASoC: probe rk3399-gru-sound dai link 2 late -2
[    2.537340] rk3399-gru-sound sound: ASoC: probe rk3399-gru-sound dai link 3 late -2
[    2.537344] rk3399-gru-sound sound: ASoC: probe rk3399-gru-sound dai link 0 late -1
[    2.537347] rk3399-gru-sound sound: ASoC: probe rk3399-gru-sound dai link 1 late -1
[    2.537351] rk3399-gru-sound sound: ASoC: probe rk3399-gru-sound dai link 2 late -1
[    2.537354] rk3399-gru-sound sound: ASoC: probe rk3399-gru-sound dai link 3 late -1
[    2.537358] rk3399-gru-sound sound: ASoC: probe rk3399-gru-sound dai link 0 late 0
[    2.537362] rk3399-gru-sound sound: ASoC: probe rk3399-gru-sound dai link 1 late 0
[    2.537365] rk3399-gru-sound sound: ASoC: probe rk3399-gru-sound dai link 2 late 0
[    2.537369] rk3399-gru-sound sound: ASoC: probe rk3399-gru-sound dai link 3 late 0
[    2.537373] rk3399-gru-sound sound: ASoC: probe rk3399-gru-sound dai link 0 late 1
[    2.537376] rk3399-gru-sound sound: ASoC: probe rk3399-gru-sound dai link 1 late 1
[    2.537380] rk3399-gru-sound sound: ASoC: probe rk3399-gru-sound dai link 2 late 1
[    2.537383] rk3399-gru-sound sound: ASoC: probe rk3399-gru-sound dai link 3 late 1
[    2.537387] rk3399-gru-sound sound: ASoC: probe rk3399-gru-sound dai link 0 late 2
[    2.537569] -------use name: ff880000.i2s, ffffff800888a598
[    3.543003] rk3399-gru-sound sound: HiFi <-> ff880000.i2s mapping ok
[    3.550150] rk3399-gru-sound sound: ASoC: probe rk3399-gru-sound dai link 1 late 2
[    3.558828] -------use name: ff880000.i2s, ffffff800888a598
[    3.746799] rk3399-gru-sound sound: rt5514-aif1 <-> ff880000.i2s mapping ok
[    3.754635] rk3399-gru-sound sound: ASoC: probe rk3399-gru-sound dai link 2 late 2
[    3.764970] -------use name: ff880000.i2s, ffffff800888a598
[    3.976496] rk3399-gru-sound sound: da7219-hifi <-> ff880000.i2s mapping ok
[    3.984292] rk3399-gru-sound sound: ASoC: probe rk3399-gru-sound dai link 3 late 2
[    3.992927] -------use name: spi2.0, ffffff80090aeb90
[    4.170426] *** pcm_new was NULL ***
[    4.174426] rk3399-gru-sound sound: snd-soc-dummy-dai <-> spi2.0 mapping ok
[    4.186804] input: rk3399-gru-sound Headset Jack as /devices/platform/sound/sound/card0/input5
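
The correlation a reader does by eye on the trimmed log above, written out as an added example (not part of the original message or of the kernel tree). It assumes only the "add name" / "use name" line format printed by the debug patch; what the printed pointer refers to is not shown on this page, so the script treats it as an opaque token. The sample lines are copied from the log above.

```python
import re

# Subset of the trimmed log quoted in the message above.
LOG = """\
[    2.531615] -------add name: ff880000.i2s, ffffff800888a598
[    2.531976] -------add name: ff8a0000.i2s, ffffff800888a598
[    2.537569] -------use name: ff880000.i2s, ffffff800888a598
[    3.558828] -------use name: ff880000.i2s, ffffff800888a598
[    3.764970] -------use name: ff880000.i2s, ffffff800888a598
[    3.992927] -------use name: spi2.0, ffffff80090aeb90
[    4.170426] *** pcm_new was NULL ***
"""

# Debug-patch line: "[ts] -------<add|use> name: <component>, <pointer>"
LINE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\]\s+-+(?P<op>add|use) name: "
    r"(?P<name>[^,]+), (?P<ptr>[0-9a-f]+)\s*$"
)
NULL_MARK = "*** pcm_new was NULL ***"


def correlate(log):
    """Return (timestamp, name, pointer, reason) for suspicious 'use' lines."""
    added = {}        # component name -> set of pointers seen on "add"
    last_use = None   # most recent "use" line, to attribute the NULL marker
    findings = []
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            ts, op = m.group("ts"), m.group("op")
            name, ptr = m.group("name"), m.group("ptr")
            if op == "add":
                added.setdefault(name, set()).add(ptr)
                continue
            last_use = (ts, name, ptr)
            # A "use" whose (name, pointer) pair was never logged on "add"
            # means the callback was reached without the instrumented path.
            if ptr not in added.get(name, set()):
                findings.append((ts, name, ptr, "use without matching add"))
        elif NULL_MARK in raw and last_use is not None:
            findings.append(last_use + ("NULL pcm_new hit after this use",))
    return findings


if __name__ == "__main__":
    for finding in correlate(LOG):
        print(*finding)
```

On this log the only flagged component is spi2.0, matching the statement in the message that the crasher was the dummy from snd_soc_dummy_probe().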
