MLK-22522: ASoC: fsl_sai: fix stack-out-of-bounds KASAN complain

Viorel Suman · rehsack · commit 43dfb5a8e2b8 · 2020-05-30T12:33:05.000+02:00
Fix the following KASAN reported issue: ================================================================== [ 11.580278] BUG: KASAN: stack-out-of-bounds in find_next_bit+0x3c/0xc0 [ 11.586815] Read of size 8 at addr ffffffc8c8d4f760 by task swapper/0/1 [ 11.593440] [ 11.594943] CPU: 4 PID: 1 Comm: swapper/0 Tainted: G W 4.19.35-05042-g. Freescale#157 [ 11.604259] Hardware name: Freescale i.MX8QM MEK (DT) [ 11.609323] Call trace: [ 11.611785] dump_backtrace+0x0/0x230 [ 11.615458] show_stack+0x14/0x20 [ 11.618787] dump_stack+0xbc/0xf4 [ 11.622118] print_address_description+0x60/0x270 [ 11.626830] kasan_report+0x230/0x360 [ 11.630505] __asan_load8+0x84/0xa8 [ 11.634005] find_next_bit+0x3c/0xc0 [ 11.637595] fsl_sai_calc_dl_off+0x1c/0x50 [ 11.641703] fsl_sai_read_dlcfg+0x184/0x368 [ 11.645898] fsl_sai_probe+0x3ec/0xb48 [ 11.649663] platform_drv_probe+0x70/0xd8 [ 11.653683] really_probe+0x24c/0x370 [ 11.657358] driver_probe_device+0x70/0x138 [ 11.661554] __driver_attach+0x124/0x128 [ 11.665489] bus_for_each_dev+0xe8/0x158 [ 11.669425] driver_attach+0x30/0x40 [ 11.673012] bus_add_driver+0x290/0x308 [ 11.676861] driver_register+0xbc/0x1d0 [ 11.680711] __platform_driver_register+0x7c/0x88 [ 11.685431] fsl_sai_driver_init+0x18/0x20 [ 11.689537] do_one_initcall+0xe8/0x5a8 [ 11.693387] kernel_init_freeable+0x6b0/0x760 [ 11.697759] kernel_init+0x10/0x120 [ 11.701255] ret_from_fork+0x10/0x18 .... ================================================================== [ 11.800186] Disabling lock debugging due to kernel taint Signed-off-by: Viorel Suman <viorel.suman@nxp.com> Reviewed-by: Shengjiu Wang <shengjiu.wang@nxp.com>
diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c
@@ -1259,12 +1259,12 @@ static const struct of_device_id fsl_sai_ids[] = {
 };
 MODULE_DEVICE_TABLE(of, fsl_sai_ids);
 
-static unsigned int fsl_sai_calc_dl_off(unsigned int* dl_mask)
+static unsigned int fsl_sai_calc_dl_off(unsigned long dl_mask)
 {
 	int fbidx, nbidx, offset;
 
-	fbidx = find_first_bit((const unsigned long *)dl_mask, 8);
-	nbidx = find_next_bit((const unsigned long *)dl_mask, 8, fbidx+1);
+	fbidx = find_first_bit(&dl_mask, 8);
+	nbidx = find_next_bit(&dl_mask, 8, fbidx + 1);
 	offset = nbidx - fbidx - 1;
 
 	return (offset < 0 || offset >= 7 ? 0 : offset);
@@ -1321,9 +1321,9 @@ static int fsl_sai_read_dlcfg(struct platform_device *pdev, char *pn,
 
 		cfg[i].pins = pins;
 		cfg[i].mask[0] = rx;
-		cfg[i].offset[0] = fsl_sai_calc_dl_off(&rx);
+		cfg[i].offset[0] = fsl_sai_calc_dl_off(rx);
 		cfg[i].mask[1] = tx;
-		cfg[i].offset[1] = fsl_sai_calc_dl_off(&tx);
+		cfg[i].offset[1] = fsl_sai_calc_dl_off(tx);
 	}
 
 	*rcfg = cfg;
