summaryrefslogtreecommitdiff
path: root/sound/core
AgeCommit message (Collapse)Author
2019-04-16ALSA: core: Fix card races between register and disconnectTakashi Iwai
There is a small race window in the card disconnection code that allows the registration of another card with the very same card id. This leads to a warning in procfs creation as caught by syzkaller. The problem is that we delete snd_cards and snd_cards_lock entries at the very beginning of the disconnection procedure. This makes the slot available to be assigned for another card object while the disconnection procedure is being processed. Then it becomes possible to issue a procfs registration with the existing file name although we check the conflict beforehand. The fix is simply to move the snd_cards and snd_cards_lock clearances at the end of the disconnection procedure. The references to these entries are merely either from the global proc files like /proc/asound/cards or from the card registration / disconnection, so it should be fine to shift at the very end. Reported-by: syzbot+48df349490c36f9f54ab@syzkaller.appspotmail.com Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-04-16ALSA: info: Fix racy addition/deletion of nodesTakashi Iwai
The ALSA proc helper manages the child nodes in a linked list, but its addition and deletion is done without any lock. This leads to a corruption if they are operated concurrently. Usually this isn't a problem because the proc entries are added sequentially in the driver probe procedure itself. But the card registrations are done often asynchronously, and the crash could be actually reproduced with syzkaller. This patch papers over it by protecting the link addition and deletion with the parent's mutex. There is "access" mutex that is used for the file access, and this can be reused for this purpose as well. Reported-by: syzbot+48df349490c36f9f54ab@syzkaller.appspotmail.com Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-04-05ALSA: seq: Fix OOB-reads from strlcpyZubin Mithra
When ioctl calls are made with non-null-terminated userspace strings, strlcpy causes an OOB-read from within strlen. Fix by changing to use strscpy instead. Signed-off-by: Zubin Mithra <zsm@chromium.org> Reviewed-by: Guenter Roeck <groeck@chromium.org> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-03-25ALSA: pcm: Don't suspend stream in unrecoverable PCM stateTakashi Iwai
Currently PCM core sets each opened stream forcibly to SUSPENDED state via snd_pcm_suspend_all() call, and the user-space is responsible for re-triggering the resume manually either via snd_pcm_resume() or prepare call. The scheme works fine usually, but there are corner cases where the stream can't be resumed by that call: the streams still in OPEN state before finishing hw_params. When they are suspended, user-space cannot perform resume or prepare because they haven't been set up yet. The only possible recovery is to re-open the device, which isn't nice at all. Similarly, when a stream is in DISCONNECTED state, it makes no sense to change it to SUSPENDED state. Ditto for in SETUP state; which you can re-prepare directly. So, this patch addresses these issues by filtering the PCM streams to be suspended by checking the PCM state. When a stream is in either OPEN, SETUP or DISCONNECTED as well as already SUSPENDED, the suspend action is skipped. To be noted, this problem was originally reported for the PCM runtime PM on HD-audio. And, the runtime PM problem itself was already addressed (although not intended) by the code refactoring commits 3d21ef0b49f8 ("ALSA: pcm: Suspend streams globally via device type PM ops") and 17bc4815de58 ("ALSA: pci: Remove superfluous snd_pcm_suspend*() calls"). These commits eliminated the snd_pcm_suspend*() calls from the runtime PM suspend callback code path, hence the racy OPEN state won't appear while runtime PM. (FWIW, the race window is between snd_pcm_open_substream() and the first power up in azx_pcm_open().) Although the runtime PM issue was already "fixed", the same problem is still present for the system PM, hence this patch is still needed. And for stable trees, this patch alone should suffice for fixing the runtime PM problem, too. Reported-and-tested-by: Jon Hunter <jonathanh@nvidia.com> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-03-22ALSA: pcm: Fix possible OOB access in PCM oss pluginsTakashi Iwai
The PCM OSS emulation converts and transfers the data on the fly via "plugins". The data is converted over the dynamically allocated buffer for each plugin, and recently syzkaller caught OOB in this flow. Although the bisection by syzbot pointed out to the commit 65766ee0bf7f ("ALSA: oss: Use kvzalloc() for local buffer allocations"), this is merely a commit to replace vmalloc() with kvmalloc(), hence it can't be the cause. The further debug action revealed that this happens in the case where a slave PCM doesn't support only the stereo channels while the OSS stream is set up for a mono channel. Below is a brief explanation: At each OSS parameter change, the driver sets up the PCM hw_params again in snd_pcm_oss_change_params_lock(). This is also the place where plugins are created and local buffers are allocated. The problem is that the plugins are created before the final hw_params is determined. Namely, two snd_pcm_hw_param_near() calls for setting the period size and periods may influence on the final result of channels, rates, etc, too, while the current code has already created plugins beforehand with the premature values. So, the plugin believes that channels=1, while the actual I/O is with channels=2, which makes the driver reading/writing over the allocated buffer size. The fix is simply to move the plugin allocation code after the final hw_params call. Reported-by: syzbot+d4503ae45b65c5bc1194@syzkaller.appspotmail.com Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-03-21ALSA: seq: oss: Fix Spectre v1 vulnerabilityGustavo A. R. Silva
dev is indirectly controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. This issue was detected with the help of Smatch: sound/core/seq/oss/seq_oss_synth.c:626 snd_seq_oss_synth_make_info() warn: potential spectre issue 'dp->synths' [w] (local cap) Fix this by sanitizing dev before using it to index dp->synths. Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/ Cc: stable@vger.kernel.org Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-03-21ALSA: rawmidi: Fix potential Spectre v1 vulnerabilityGustavo A. R. Silva
info->stream is indirectly controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. This issue was detected with the help of Smatch: sound/core/rawmidi.c:604 __snd_rawmidi_info_select() warn: potential spectre issue 'rmidi->streams' [r] (local cap) Fix this by sanitizing info->stream before using it to index rmidi->streams. Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/ Cc: stable@vger.kernel.org Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-13ALSA: pcm: Comment why read blocks when PCM is not runningRicardo Biehl Pasquali
This avoids bringing back the problem introduced by 62ba568f7aef ("ALSA: pcm: Return 0 when size < start_threshold in capture") and fixed in 00a399cad1a0 ("ALSA: pcm: Revert capture stream behavior change in blocking mode"), which prevented the user from starting capture from another thread. Signed-off-by: Ricardo Biehl Pasquali <pasqualirb@gmail.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-13Merge branch 'for-linus' into for-nextTakashi Iwai
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-11ALSA: PCM: check if ops are defined before suspending PCMRanjani Sridharan
BE dai links only have internal PCM's and their substream ops may not be set. Suspending these PCM's will result in their ops->trigger() being invoked and cause a kernel oops. So skip suspending PCM's if their ops are NULL. [ NOTE: this change is required now for following the recent PCM core change to get rid of snd_pcm_suspend() call. Since DPCM BE takes the runtime carried from FE while keeping NULL ops, it can hit this bug. See details at: https://github.com/thesofproject/linux/pull/582 -- tiwai ] Signed-off-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com> Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-08ALSA: pcm: Revert capture stream behavior change in blocking modeTakashi Iwai
In the commit 62ba568f7aef ("ALSA: pcm: Return 0 when size < start_threshold in capture"), we changed the behavior of __snd_pcm_lib_xfer() to return immediately with 0 when a capture stream has a high start_threshold. This was intended to be a correction of the behavior consistency and looked harmless, but this was the culprit of the recent breakage reported by syzkaller, which was fixed by the commit e190161f96b8 ("ALSA: pcm: Fix tight loop of OSS capture stream"). At the time for the OSS fix, I didn't touch the behavior for ALSA native API, as assuming that this behavior actually is good. But this turned out to be also broken actually for a similar deployment, e.g. one thread goes to a write loop in blocking mode while another thread controls the start/stop of the stream manually. Overall, the original commit is harmful, and it brings less merit to keep that behavior. Let's revert it. Fixes: 62ba568f7aef ("ALSA: pcm: Return 0 when size < start_threshold in capture") Fixes: e190161f96b8 ("ALSA: pcm: Fix tight loop of OSS capture stream") Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-08ALSA: pcm: Define snd_pcm_lib_preallocate_*() as returning voidTakashi Iwai
Now all callers no longer check the return value from snd_pcm_lib_preallocate_pages() and co, let's make them to return void, so that any new code won't fall into the same pitfall. Reviewed-by: Jaroslav Kysela <perex@perex.cz> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-06ALSA: info: Move card id proc creation into info.cTakashi Iwai
The creation of card's id proc file can be moved gracefully into info.c. Also, the assignment of card->proc_id is superfluous and can be dropped. So let's do it. Basically this is no functional change but code refactoring, but one potential behavior change is that now it returns properly the error code from snd_info_card_register(), which is a good thing (tm). Reviewed-by: Jaroslav Kysela <perex@perex.cz> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-06ALSA: info: Minor optimizationTakashi Iwai
Just a minor code optimization to reduce the source code size slightly. No functional changes. Reviewed-by: Jaroslav Kysela <perex@perex.cz> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-06ALSA: info: Drop unused snd_info_entry.card fieldTakashi Iwai
It's referred only in snd_card_id_read() which can receive the card object via private_data. Reviewed-by: Jaroslav Kysela <perex@perex.cz> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-06ALSA: info: Add standard helpers for card proc file entriesTakashi Iwai
Two new helper functions are added here for cleaning up the existing lengthy calls. Reviewed-by: Jaroslav Kysela <perex@perex.cz> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-06ALSA: compress: Remove superfluous snd_info_register() callsTakashi Iwai
The calls of snd_info_register() are superfluous and should be avoided at the procfs creation time. They are called at the end of the whole initialization via snd_card_register(). This patch drops such superfluous calls. Reviewed-by: Jaroslav Kysela <perex@perex.cz> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-06ALSA: pcm: Remove superfluous snd_info_register() callsTakashi Iwai
The calls of snd_info_register() are superfluous and should be avoided at the procfs creation time. They are called at the end of the whole initialization via snd_card_register(). This patch drops such superfluous calls, as well as cleaning up the calls of substream proc entries with a common helper. Reviewed-by: Jaroslav Kysela <perex@perex.cz> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-05ALSA: info: Always register entries recursivelyTakashi Iwai
Make sure that all children entries are registered by a single call of snd_info_register(). OTOH, don't register if a parent isn't registered yet. This allows us to create the whole procfs tree in a shot at the last stage of card registration phase in a later patch. Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-05ALSA: core: Don't allow NULL device for memory allocationTakashi Iwai
Since we covered all callers with NULL device pointer, let's catch the remaining calls with NULL and warn explicitly. Acked-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-31ALSA: pcm: remove a superfluous function declarationGuennadi Liakhovetski
Declaration of snd_pcm_drop() in sound/core/pcm_native.c is superfluous since the function isn't called before being defined. Remove the declaration. Signed-off-by: Guennadi Liakhovetski <guennadi.liakhovetski@linux.intel.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-29Merge branch 'for-linus' into for-nextTakashi Iwai
Pull 5.0 branch for further development of USB-audio quirks Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-25ALSA: pcm: Fix tight loop of OSS capture streamTakashi Iwai
When the trigger=off is passed for a PCM OSS stream, it sets the start_threshold of the given substream to the boundary size, so that it won't be automatically started. This can be problematic for a capture stream, unfortunately, as detected by syzkaller. The scenario is like the following: - In __snd_pcm_lib_xfer() that is invoked from snd_pcm_oss_read() loop, we have a check whether the stream was already started or the stream can be auto-started. - The function at this check returns 0 with trigger=off since we explicitly disable the auto-start. - The loop continues and repeats calling __snd_pcm_lib_xfer() tightly, which may lead to an RCU stall. This patch fixes the bug by simply allowing the wait for non-started stream in the case of OSS capture. For native usages, it's supposed to be done by the caller side (which is user-space), hence it returns zero like before. (In theory, __snd_pcm_lib_xfer() could wait even for the native API usage cases, too; but I'd like to stay in a safer side for not breaking the existing stuff for now.) Reported-by: syzbot+fbe0496f92a0ce7b786c@syzkaller.appspotmail.com Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-25ALSA: pcm: Use the common error path in __snd_pcm_lib_xfer()Takashi Iwai
An open-coded error path in __snd_pcm_lib_xfer() can be replaced with the simple goto to the common error path. This also makes the error handling more consistent, i.e. when some samples have been already processed, return that size instead of the error code. Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-24Merge branch 'topic/pcm-lock-refactor' into for-nextTakashi Iwai
Pull PCM lock refactoring. Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-24ALSA: proc: Avoid possible leaks of snd_info_entry objectsTakashi Iwai
This patch changes the parent pointer assignment of snd_info_entry object to be always non-NULL. More specifically,check the parent argument in snd_info_create_module_entry() & co, and assign snd_proc_root if NULL is passed there. This assures that the proc object is always freed when the root is freed, so avoid possible memory leaks. For example, some error paths (e.g. snd_info_register() error at snd_minor_info_init()) may leave snd_info_entry object although the proc file itself is freed. Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-24ALSA: pcm: Simplify proc file destructionTakashi Iwai
The proc files are recursively freed by calling with the root snd_info_entry object, so we don't have to keep each object for releasing one by one. Move the release of the PCM stream proc root at the beginning, so that we can remove the redundant code and resource. Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-24ALSA: pcm: Drop unused snd_pcm_substream.file fieldTakashi Iwai
It's assigned but nowhere used. Let's remove it. Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-23ALSA: pcm: Cleanup snd_pcm_stream_lock() & coTakashi Iwai
After the previous code refactoring, the PCM stream locking code became nothing but the PCM group lock with self_group object. Use the existing helper function for simplifying the code. Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-23ALSA: pcm: Remove down_write() hack for snd_pcm_link_rwsemTakashi Iwai
Remove the hackish down_write_nonfifo() that was introduced as a workaround of rwsem deadlock. It used to be a problem for non-atomic PCM streams that take the rwsem for the locking and hit the high lock contention. Since the current PCM locking refactoring, we'll no longer hit it as the hot code-paths don't take global locks. Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-23ALSA: pcm: More fine-grained PCM link lockingTakashi Iwai
We have currently two global locks, a rwlock and a rwsem, that are used for managing linking the PCM streams. Due to these global locks, once when a linked stream is used, the lock granularity suffers a lot. This patch attempts to eliminate the former global lock for atomic ops. The latter rwsem needs remaining because of the loosy way of the loop calls in snd_pcm_action_nonatomic(), as well as for avoiding the deadlock at linking. However, these are used far rarely, actually only by two actions (prepare and reset), where both are no timing critical ones. So this can be still seen as a good improvement. The basic strategy to eliminate the rwlock is to assure group->lock at adding or removing a stream to / from the group. Since we already takes the group lock whenever taking the all substream locks under the group, this shouldn't be a big problem. The reference to group pointer in snd_pcm_substream object is protected by the stream lock itself. However, there are still pitfalls: a race window at re-locking and the lifecycle of group object. The former is a small race window for dereferencing the substream group object opened while snd_pcm_action() performs re-locking to avoid ABBA deadlocks. This includes the unlink of group during that window, too. And the latter is the kfree performed after all streams are removed from the group while it's still dereferenced. For addressing these corner cases, two new tricks are introduced: - After re-locking, the group assigned to the stream is checked again; if the group is changed, we retry the whole procedure. - Introduce a refcount to snd_pcm_group object, so that it's freed only when it's empty and really no one refers to it. (Some readers might wonder why not RCU for the latter. RCU in this case would cost more than refcounting, unfortunately. We take the group lock sooner or later, hence the performance improvement by RCU would be negligible. Meanwhile, because we need to deal with schedulable context depending on the pcm->nonatomic flag, it'll become dynamic RCU/SRCU switch, and the grace period may become too long.) Along with these changes, there are a significant amount of code refactoring. The complex group re-lock & ref code is factored out to snd_pcm_stream_group_ref() function, for example. Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-21ALSA: pcm: Avoid confusing loop in snd_pcm_unlink()Takashi Iwai
The snd_pcm_group_for_each_entry() loop found in snd_pcm_unlink() is only for taking the first list entry. Use list_first_entry() to make clearer. Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-21ALSA: pcm: Make PCM linked list consistent while re-groupingTakashi Iwai
Make a common helper to re-assign the PCM link using list_move() instead of open code with manual list_del() and list_add_tail(). This assures the consistency and we can get rid of snd_pcm_group.count field -- its purpose is only to check whether the list is singular, and we can know it by list_is_singular() call now. Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-21ALSA: pcm: Unify snd_pcm_group initializationTakashi Iwai
There are multiple open codes that initialize the same object. Create a common helper function instead. Also, use kzalloc() to be safer at creating a group object, and move the initialization out of the critical section. Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-21ALSA: pcm: Call snd_card_unref() inside in_pcm_file()Takashi Iwai
The snd_card_unref() call in snd_pcm_link() looks suspicious through a quick glance, but it's a correct usage; this is needed just because the file descriptor check in is_pcm_file() calls the helper snd_lookup_minor_data() that keeps the card refcount. Despite of the correctness, the code still looks confusing. Basically, keeping the card ref for the whole code isn't needed as fdget() blocks the release of the opened file. Hence it's more understandable if snd_card_unref() is moved into is_pcm_file(), then the caller doesn't have to take care after the call. Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-18Merge tag 'asoc-fix-v5.0-rc2' of ↵Takashi Iwai
https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus ASoC: Fixes for v5.0 Quite a big batch of fixes here. There's a couple of things going on, the main one is that we found some issues with not deferring probe when we should, causing us to skip some driver initialization. The fixes for this then in turn exposed some issues with how we were searching for components which had previously gone unnoticed due to the original issue. There's also been the normal driver specific stuff and there's been what looks like several batches of automated scanning for issues which have generated quite a large set of smaller fixes for potential crashes and missed error handling.
2019-01-15ALSA: pcm: Make snd_pcm_suspend() local staticTakashi Iwai
snd_pcm_suspend() is no longer called from outside, so let's make it local static. Also drop a superfluous NULL check there. Reviewed-by: Jaroslav Kysela <perex@perex.cz> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-15ALSA: pcm: Suspend streams globally via device type PM opsTakashi Iwai
Until now we rely on each driver calling snd_pcm_suspend*() explicitly at its own PM handling. However, this can be done far more easily by setting the PM ops to each actual snd_pcm device object. This patch adds the device_type object for PCM stream and assigns to each PCM stream object. The type contains only the PM ops for system suspend; we don't need to deal with the resume in general. The suspend hook simply calls snd_pcm_suspend_all() for the given PCM streams. This implies that the PM order is correctly put, i.e. PCM is suspended before the main (or codec) driver, which should be true in general. If a special ordering is needed, you'd need to adjust the device PM order manually later. This patch introduces a new flag, snd_pcm.no_device_suspend, too. With this flag set, the PCM device object won't invoke snd_pcm_suspend_all() by itself. This is needed for ASoC who wants to manage the PM call orders in its serialized way, and the flag is set in soc_new_pcm() as default. For the non-ASoC world, we can get rid of the manual snd_pcm_suspend calls. This will be done in the later patches. Reviewed-by: Jaroslav Kysela <perex@perex.cz> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-03Remove 'type' argument from access_ok() functionLinus Torvalds
Nobody has actually used the type (VERIFY_READ vs VERIFY_WRITE) argument of the user address range verification function since we got rid of the old racy i386-only code to walk page tables by hand. It existed because the original 80386 would not honor the write protect bit when in kernel mode, so you had to do COW by hand before doing any user access. But we haven't supported that in a long time, and these days the 'type' argument is a purely historical artifact. A discussion about extending 'user_access_begin()' to do the range checking resulted this patch, because there is no way we're going to move the old VERIFY_xyz interface to that model. And it's best done at the end of the merge window when I've done most of my merges, so let's just get this done once and for all. This patch was mostly done with a sed-script, with manual fix-ups for the cases that weren't of the trivial 'access_ok(VERIFY_xyz' form. There were a couple of notable cases: - csky still had the old "verify_area()" name as an alias. - the iter_iov code had magical hardcoded knowledge of the actual values of VERIFY_{READ,WRITE} (not that they mattered, since nothing really used it) - microblaze used the type argument for a debug printout but other than those oddities this should be a total no-op patch. I tried to fix up all architectures, did fairly extensive grepping for access_ok() uses, and the changes are trivial, but I may have missed something. Any missed conversion should be trivially fixable, though. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-01-03ALSA: compress: prevent potential divide by zero bugsDan Carpenter
The problem is seen in the q6asm_dai_compr_set_params() function: ret = q6asm_map_memory_regions(dir, prtd->audio_client, prtd->phys, (prtd->pcm_size / prtd->periods), ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ prtd->periods); In this code prtd->pcm_size is the buffer_size and prtd->periods comes from params->buffer.fragments. If we allow the number of fragments to be zero then it results in a divide by zero bug. One possible fix would be to use prtd->pcm_count directly instead of using the division to re-calculate it. But I decided that it doesn't really make sense to allow zero fragments. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Mark Brown <broonie@kernel.org>
2018-12-18Merge tag 'asoc-v4.21' of ↵Takashi Iwai
git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-next ASoC: Updates for v4.21 Not much work on the core this time around but we've seen quite a bit of driver work, including on the generic DT drivers. There's also a large part of the diff from a merge of the DaVinci and OMAP directories, along with some active development there: - Preparatory work from Morimoto-san for merging the audio-graph and audio-graph-scu cards. - A merge of the TI OMAP and DaVinci directories, the OMAP product line has been merged into the DaVinci product line so there is now a lot of IP sharing which meant that the split directories just got in the way. This has pulled in a few architecture changes as well. - A big cleanup of the Maxim MAX9867 driver from Ladislav Michl. - Support for Asahi Kaesi AKM4118, AMD ACP3x, Intel platforms with RT5660, Meson AXG S/PDIF inputs, several Qualcomm IPs and Xilinx I2S controllers.
2018-12-18Merge branch 'asoc-4.21' into asoc-nextMark Brown
2018-12-14ALSA: compress: make use of runtime buffer for copySrinivas Kandagatla
Default copy function uses kmalloc to allocate buffers, lets check if the runtime buffers are setup before making this allocations. This can be useful if the buffers are dma buffers. Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org> Acked-by: Vinod Koul <vkoul@kernel.org> Signed-off-by: Mark Brown <broonie@kernel.org>
2018-12-13ALSA: pcm: Fix potential Spectre v1 vulnerabilityGustavo A. R. Silva
stream is indirectly controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. This issue was detected with the help of Smatch: sound/core/pcm.c:140 snd_pcm_control_ioctl() warn: potential spectre issue 'pcm->streams' [r] (local cap) Fix this by sanitizing stream before using it to index pcm->streams Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> Cc: stable@vger.kernel.org Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-12-07Merge branch 'for-linus' into for-nextTakashi Iwai
Back-merge for applying the more HD-audio quirks on top of the latest code. Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-11-29ALSA: pcm: Fix starvation on down_write_nonblock()Chanho Min
Commit 67ec1072b053 ("ALSA: pcm: Fix rwsem deadlock for non-atomic PCM stream") fixes deadlock for non-atomic PCM stream. But, This patch causes antother stuck. If writer is RT thread and reader is a normal thread, the reader thread will be difficult to get scheduled. It may not give chance to release readlocks and writer gets stuck for a long time if they are pinned to single cpu. The deadlock described in the previous commit is because the linux rwsem queues like a FIFO. So, we might need non-FIFO writelock, not non-block one. My suggestion is that the writer gives reader a chance to be scheduled by using the minimum msleep() instaed of spinning without blocking by writer. Also, The *_nonblock may be changed to *_nonfifo appropriately to this concept. In terms of performance, when trylock is failed, this minimum periodic msleep will have the same performance as the tick-based schedule()/wake_up_q(). [ Although this has a fairly high performance penalty, the relevant code path became already rare due to the previous commit ("ALSA: pcm: Call snd_pcm_unlink() conditionally at closing"). That is, now this unconditional msleep appears only when using linked streams, and this must be a rare case. So we accept this as a quick workaround until finding a more suitable one -- tiwai ] Fixes: 67ec1072b053 ("ALSA: pcm: Fix rwsem deadlock for non-atomic PCM stream") Suggested-by: Wonmin Jung <wonmin.jung@lge.com> Signed-off-by: Chanho Min <chanho.min@lge.com> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-11-29ALSA: pcm: Call snd_pcm_unlink() conditionally at closingTakashi Iwai
Currently the PCM core calls snd_pcm_unlink() always unconditionally at closing a stream. However, since snd_pcm_unlink() invokes the global rwsem down, the lock can be easily contended. More badly, when a thread runs in a high priority RT-FIFO, it may stall at spinning. Basically the call of snd_pcm_unlink() is required only for the linked streams that are already rare occasion. For normal use cases, this code path is fairly superfluous. As an optimization (and also as a workaround for the RT problem above in normal situations without linked streams), this patch adds a check before calling snd_pcm_unlink() and calls it only when needed. Reported-by: Chanho Min <chanho.min@lge.com> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-11-24ALSA: control: Consolidate helpers for adding and replacing ctl elementsTakashi Iwai
Both snd_ctl_add() and snd_ctl_replace() process the things in a fairly similar way, and indeed the most of the codes can be unified. This patch is a refactoring to consolidate the both functions to call a single helper with an extra "mode" argument. There should be no functional difference, except for one additional sanity check applied now to snd_ctl_replace() (which was rather overlooking, IMO), too. Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-11-24ALSA: control: Fix race between adding and removing a user elementTakashi Iwai
The procedure for adding a user control element has some window opened for race against the concurrent removal of a user element. This was caught by syzkaller, hitting a KASAN use-after-free error. This patch addresses the bug by wrapping the whole procedure to add a user control element with the card->controls_rwsem, instead of only around the increment of card->user_ctl_count. This required a slight code refactoring, too. The function snd_ctl_add() is split to two parts: a core function to add the control element and a part calling it. The former is called from the function for adding a user control element inside the controls_rwsem. One change to be noted is that snd_ctl_notify() for adding a control element gets called inside the controls_rwsem as well while it was called outside the rwsem. But this should be OK, as snd_ctl_notify() takes another (finer) rwlock instead of rwsem, and the call of snd_ctl_notify() inside rwsem is already done in another code path. Reported-by: syzbot+dc09047bce3820621ba2@syzkaller.appspotmail.com Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-11-09ALSA: oss: Use kvzalloc() for local buffer allocationsTakashi Iwai
PCM OSS layer may allocate a few temporary buffers, one for the core read/write and another for the conversions via plugins. Currently both are allocated via vmalloc(). But as the allocation size is equivalent with the PCM period size, the required size might be quite small, depending on the application. This patch replaces these vmalloc() calls with kvzalloc() for covering small period sizes better. Also, we use "z"-alloc variant here for addressing the possible uninitialized access reported by syzkaller. Reported-by: syzbot+1cb36954e127c98dd037@syzkaller.appspotmail.com Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>