Age | Commit message (Collapse) | Author |
|
syzkaller fuzzer spotted a potential use-after-free case in snd-dummy
driver when hrtimer is used as backend:
> ==================================================================
> BUG: KASAN: use-after-free in rb_erase+0x1b17/0x2010 at addr ffff88005e5b6f68
> Read of size 8 by task syz-executor/8984
> =============================================================================
> BUG kmalloc-192 (Not tainted): kasan: bad access detected
> -----------------------------------------------------------------------------
>
> Disabling lock debugging due to kernel taint
> INFO: Allocated in 0xbbbbbbbbbbbbbbbb age=18446705582212484632
> ....
> [< none >] dummy_hrtimer_create+0x49/0x1a0 sound/drivers/dummy.c:464
> ....
> INFO: Freed in 0xfffd8e09 age=18446705496313138713 cpu=2164287125 pid=-1
> [< none >] dummy_hrtimer_free+0x68/0x80 sound/drivers/dummy.c:481
> ....
> Call Trace:
> [<ffffffff8179e59e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:333
> [< inline >] rb_set_parent include/linux/rbtree_augmented.h:111
> [< inline >] __rb_erase_augmented include/linux/rbtree_augmented.h:218
> [<ffffffff82ca5787>] rb_erase+0x1b17/0x2010 lib/rbtree.c:427
> [<ffffffff82cb02e8>] timerqueue_del+0x78/0x170 lib/timerqueue.c:86
> [<ffffffff814d0c80>] __remove_hrtimer+0x90/0x220 kernel/time/hrtimer.c:903
> [< inline >] remove_hrtimer kernel/time/hrtimer.c:945
> [<ffffffff814d23da>] hrtimer_try_to_cancel+0x22a/0x570 kernel/time/hrtimer.c:1046
> [<ffffffff814d2742>] hrtimer_cancel+0x22/0x40 kernel/time/hrtimer.c:1066
> [<ffffffff85420531>] dummy_hrtimer_stop+0x91/0xb0 sound/drivers/dummy.c:417
> [<ffffffff854228bf>] dummy_pcm_trigger+0x17f/0x1e0 sound/drivers/dummy.c:507
> [<ffffffff85392170>] snd_pcm_do_stop+0x160/0x1b0 sound/core/pcm_native.c:1106
> [<ffffffff85391b26>] snd_pcm_action_single+0x76/0x120 sound/core/pcm_native.c:956
> [<ffffffff85391e01>] snd_pcm_action+0x231/0x290 sound/core/pcm_native.c:974
> [< inline >] snd_pcm_stop sound/core/pcm_native.c:1139
> [<ffffffff8539754d>] snd_pcm_drop+0x12d/0x1d0 sound/core/pcm_native.c:1784
> [<ffffffff8539d3be>] snd_pcm_common_ioctl1+0xfae/0x2150 sound/core/pcm_native.c:2805
> [<ffffffff8539ee91>] snd_pcm_capture_ioctl1+0x2a1/0x5e0 sound/core/pcm_native.c:2976
> [<ffffffff8539f2ec>] snd_pcm_kernel_ioctl+0x11c/0x160 sound/core/pcm_native.c:3020
> [<ffffffff853d9a44>] snd_pcm_oss_sync+0x3a4/0xa30 sound/core/oss/pcm_oss.c:1693
> [<ffffffff853da27d>] snd_pcm_oss_release+0x1ad/0x280 sound/core/oss/pcm_oss.c:2483
> .....
A workaround is to call hrtimer_cancel() in dummy_hrtimer_sync() which
is called certainly before other blocking ops.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Currently the selected timer backend is referred at any moment from
the running PCM callbacks. When the backend is switched, it's
possible to lead to inconsistency from the running backend. This was
pointed by syzkaller fuzzer, and the commit [7ee96216c31a: ALSA:
dummy: Disable switching timer backend via sysfs] disabled the dynamic
switching for avoiding the crash.
This patch improves the handling of timer backend switching. It keeps
the reference to the selected backend during the whole operation of an
opened stream so that it won't be changed by other streams.
Together with this change, the hrtimer parameter is reenabled as
writable now.
NOTE: this patch also turned out to fix the still remaining race.
Namely, ops was still replaced dynamically at dummy_pcm_open:
static int dummy_pcm_open(struct snd_pcm_substream *substream)
{
....
dummy->timer_ops = &dummy_systimer_ops;
if (hrtimer)
dummy->timer_ops = &dummy_hrtimer_ops;
Since dummy->timer_ops is common among all streams, and when the
replacement happens during accesses of other streams, it may lead to a
crash. This was actually triggered by syzkaller fuzzer and KASAN.
This patch rewrites the code not to use the ops shared by all streams
any longer, too.
BugLink: http://lkml.kernel.org/r/CACT4Y+aZ+xisrpuM6cOXbL21DuM0yVxPYXf4cD4Md9uw0C3dBQ@mail.gmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
ALSA dummy driver can switch the timer backend between system timer
and hrtimer via its hrtimer module option. This can be also switched
dynamically via sysfs, but it may lead to a memory corruption when
switching is done while a PCM stream is running; the stream instance
for the newly switched timer method tries to access the memory that
was allocated by another timer method although the sizes differ.
As the simplest fix, this patch just disables the switch via sysfs by
dropping the writable bit.
BugLink: http://lkml.kernel.org/r/CACT4Y+ZGEeEBntHW5WHn2GoeE0G_kRrCmUh6=dWyy-wfzvuJLg@mail.gmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
The dummy_timer_ops structures are never modified, so declare them as
const.
Done with the help of Coccinelle.
Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Although there shouldn't be a problem in practice (the compiler should
handle well), it's better to follow to the new Kconfig.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Add missing prefix to make some local data static.
Spotted by sparse:
sound/drivers/dummy.c:159:20: warning: symbol 'model_emu10k1' was not declared. Should it be static?
sound/drivers/dummy.c:165:20: warning: symbol 'model_rme9652' was not declared. Should it be static?
....
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Use setup_timer and mod_timer instead of structure assignments as it
is the preferred way to setup and set the timer.
Signed-off-by: Roman Kollar <rkollar@mail.muni.cz>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
A platform_driver does not need to set an owner, it will be populated by the
driver core.
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
|
|
Also remove superfluous snd_card_set_dev() calls.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
The usage of strict_strto*() is not preferred, because
strict_strto*() is obsolete. Thus, kstrto*() should be
used.
Signed-off-by: Jingoo Han <jg1.han@samsung.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
A few calls are still left in parport drivers after this commit, which
I'm not quite sure yet.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
CONFIG_HOTPLUG is going away as an option. As result the __dev*
markings will be going away.
Remove use of __devinit, __devexit_p, __devinitdata, __devinitconst,
and __devexit.
Signed-off-by: Bill Pemberton <wfp5p@virginia.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
To make the testing of deactivated mixer controls easier (and for people
with common hardware, possible), add a control that deactivates some
other controls.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
|
|
When CONFIG_PM is set but CONFIG_PM_SLEEP is unset,
SIMPLE_DEV_PM_OPS() ignores the given functions, and this leads to
compile warnings.
For avoiding this, simply check CONFIG_PM_SLEEP instead of CONFIG_PM.
Reported-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
module_param(bool) used to counter-intuitively take an int. In
fddd5201 (mid-2009) we allowed bool or int/unsigned int using a messy
trick.
It's time to remove the int/unsigned int option. For this version
it'll simply give a warning, but it'll break next kernel version.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
The implicit presence of module.h lured several users into
incorrectly thinking that they only needed/used modparam.h
but once we clean up the module.h presence, these will show
up as build failures, so fix 'em now.
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
|
|
This is a cleanup for the dummy driver. The model kernel module parameter
is introduced to select the soundcard emulation.
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
|
|
Now up to 128 substreams are supported.
Reported-by: Adrian Bridgett <adrian@smop.co.uk>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
In pcm.c, if the NULL test on pcm is needed, then the dereference should be
after the NULL test.
In dummy.c and ali5451.c, the context of the calls to
snd_card_dummy_new_mixer and snd_ali_free_voice show that dummy and pvoice,
respectively cannot be NULL.
A simplified version of the semantic match that detects this problem is as
follows (http://coccinelle.lip6.fr/):
// <smpl>
@match exists@
expression x, E;
identifier fld;
@@
* x->fld
... when != \(x = E\|&x\)
* x == NULL
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Increase the limit of PCM substreams to 128. The default value is
unchanged; only the max accept value is increased.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Added the debug proc file to see or change the snd_pcm_hardware fields
to emulate. The parameters can be changed by writing to a proc file like:
# echo periods_min 4 > /proc/asound/card1/dummy_pcm
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Instead of allocating the real buffers, use a fake buffer and ignore
read/write in the dummy driver so that we can save the resources.
For mmap, a single page (unique to the direction, though) is reused
to all buffers.
When the app requires to read/write the real buffers, pass fake_buffer=0
module option at loading time. This will get back to the old behavior.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Fix the expire-time calculation in the systimer mode when the buffer
size isn't aligned to the period size.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
In the system-timer mode, snd-dummy driver issues each tick to update
the position. This is highly inefficient and even inaccurate if the
timer can't be triggered at each tick.
Now rewritten to wake up only at the period boundary. The position
is calculated from the current jiffies.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Allow snd-dummy driver to use high-res timer as its timing source
instead of the system timer. The new module option "hrtimer" is added
to turn on/off the high-res timer support. It can be switched even
dynamically via sysfs.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Convert from snd_card_new() to the new snd_card_create() function
in other sound subdirectories.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Fixed typos in disabled codes via #if 0.
Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
checkpatch.pl does not like assignment in if condition
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
|
|
The dummy driver uses runtime->private_free but still frees
its pcm structures on error paths.
This is esoteric because the error paths in question are
unreachable. Thus the bug is only a problem when someone
copies this code into other drivers.
Signed-off-by: Daniel R Thompson <daniel.thompson@st.com>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
|
|
Kill snd_assert() in other places, either removed or replaced with
if () with snd_BUG_ON().
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
|
|
bps is unsigned, a negative snd_pcm_format_width() return value is not noticed
Signed-off-by: Roel Kluin <12o3l@tiscali.nl>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
when the time interval for a period is smaller than kernel HZ, then
snd-aloop and snd-dummy cannot call snd_pcm_period_elapsed as fast enough
annymore. this happens for example with games. but the app still needs to
see, that the buffer actually did go further, which is provided by these
patches.
Signed-off-by: Ahmet İnan <ainan <at> mathematik.uni-freiburg.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Signed-off-by: Ahmet İnan <ainan <at> mathematik.uni-freiburg.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
This header file exists only for some hacks to adapt alsa-driver
tree. It's useless for building in the kernel. Let's move a few
lines in it to sound/core.h and remove it.
With this patch, sound/driver.h isn't removed but has just a single
compile warning to include it. This should be really killed in
future.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
|
|
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
|
|
Clean up codes using the new common snd_ctl_boolean_*_info() callbacks.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
|
|
Something about __init_or_module isn't working as expected (?).
CONFIG_HOTPLUG=y
CONFIG_MODULES=n
Fix shared init/exit code helper:
WARNING: sound/built-in.o(.exit.text+0x243): Section mismatch: reference to .init.text: (between 'alsa_card_mpu401_exit' and 'ac97_bus_exit')
WARNING: sound/built-in.o(.exit.text+0x21b): Section mismatch: reference to .init.text: (between 'alsa_card_dummy_exit' and 'alsa_card_serial_exit')
Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
|
|
Fix __devinit and __devexit issues with sound drivers.
Resolves MODPOST warnings similar to:
WARNING: sound/drivers/snd-dummy.o - Section mismatch: reference to .init.text:snd_dummy_probe from .data.rel.local between 'snd_dummy_driver' (at offset 0x0) and 'snd_dummy_controls'
WARNING: sound/drivers/snd-mtpav.o - Section mismatch: reference to .init.text:snd_mtpav_probe from .data.rel.local between 'snd_mtpav_driver' (at offset 0x0) and 'snd_mtpav_input'
WARNING: sound/drivers/snd-virmidi.o - Section mismatch: reference to .init.text:snd_virmidi_probe from .data.rel.local after 'snd_virmidi_driver' (at offset 0x0)
Signed-off-by: Prarit Bhargava <prarit@redhat.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
|
|
Mark TLV data as 'const'
Signed-of-by: Philipp Matthias Hahn <pmhahn@pmhahn.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
|
|
Added the dB scale information to dummy driver.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
|
|
Fixed some typos in snd-dummy driver.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
|
|
This second one unregisters the platform device again when the probe is
unsuccesful for sound/drivers, sound/arm/sa11xx-uda1341.c and
sound/ppc/powermac.c. This gets them all.
Signed-off-by: Rene Herman <rene.herman@keyaccess.nl>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
I previously only concerned myself with sound/isa. When I now checked
for more platform_device_register_simple() usages in ALSA I found a
couple more drivers that needed the same patches as already submitted
for all the ISA drivers.
This first one is the continue-on-iserr patch for sound/drivers. This
gets them all.
Signed-off-by: Rene Herman <rene.herman@keyaccess.nl>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Fix the check of enable module option in probe of platform_device drivers.
It shouldn't break the loop but just ignore if enable[i] is false.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Modules: Generic drivers
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
|
|
Call platform_device_unregister() for all platform devices that we've
registered.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
|
|
Fix possible races in timer callbacks.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Modules: Generic drivers
Rewrite the probe/remove code using platform_device.
Added the suspend/resume support, too.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|