1. 19 Jul, 2016 2 commits
    • Christophe JAILLET's avatar
      ALSA: echoaudio: Fix memory allocation · 029161e9
      Christophe JAILLET authored
      [ Upstream commit 9c6795a9 ]
      
      'commpage_bak' is allocated with 'sizeof(struct echoaudio)' bytes.
      We then copy 'sizeof(struct comm_page)' bytes in it.
      On my system, smatch complains because one is 2960 and the other is 3072.
      
      This would result in memory corruption or a oops.
      Signed-off-by: default avatarChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      029161e9
    • Bob Copeland's avatar
      ALSA: hda - fix read before array start · 1f96a54c
      Bob Copeland authored
      [ Upstream commit 81e43960 ]
      
      UBSAN reports the following warning from accessing path->path[-1]
      in set_path_power():
      
      [   16.078040] ================================================================================
      [   16.078124] UBSAN: Undefined behaviour in sound/pci/hda/hda_generic.c:3981:17
      [   16.078198] index -1 is out of range for type 'hda_nid_t [10]'
      [   16.078270] CPU: 2 PID: 1738 Comm: modprobe Not tainted 4.7.0-rc1-wt+ #47
      [   16.078274] Hardware name: LENOVO 3443CTO/3443CTO, BIOS G6ET23WW (1.02 ) 08/14/2012
      [   16.078278]  ffff8800cb246000 ffff8800cb3638b8 ffffffff815c4fe3 0000000000000032
      [   16.078286]  ffff8800cb3638e0 ffffffffffffffff ffff8800cb3638d0 ffffffff8162443d
      [   16.078294]  ffffffffa0894200 ffff8800cb363920 ffffffff81624af7 0000000000000292
      [   16.078302] Call Trace:
      [   16.078311]  [<ffffffff815c4fe3>] dump_stack+0x86/0xd3
      [   16.078317]  [<ffffffff8162443d>] ubsan_epilogue+0xd/0x40
      [   16.078324]  [<ffffffff81624af7>] __ubsan_handle_out_of_bounds+0x67/0x70
      [   16.078335]  [<ffffffffa087665f>] set_path_power+0x1bf/0x230 [snd_hda_codec_generic]
      [   16.078344]  [<ffffffffa087880d>] add_pin_power_ctls+0x8d/0xc0 [snd_hda_codec_generic]
      [   16.078352]  [<ffffffffa087f190>] ? pin_power_down_callback+0x20/0x20 [snd_hda_codec_generic]
      [   16.078360]  [<ffffffffa0878947>] add_all_pin_power_ctls+0x107/0x150 [snd_hda_codec_generic]
      [   16.078370]  [<ffffffffa08842b3>] snd_hda_gen_parse_auto_config+0x2d73/0x49e0 [snd_hda_codec_generic]
      [   16.078376]  [<ffffffff81173360>] ? trace_hardirqs_on_caller+0x1b0/0x2c0
      [   16.078390]  [<ffffffffa089df27>] alc_parse_auto_config+0x147/0x310 [snd_hda_codec_realtek]
      [   16.078402]  [<ffffffffa08a332a>] patch_alc269+0x23a/0x560 [snd_hda_codec_realtek]
      [   16.078417]  [<ffffffffa0838644>] hda_codec_driver_probe+0xa4/0x1a0 [snd_hda_codec]
      [   16.078424]  [<ffffffff817bbac1>] driver_probe_device+0x101/0x380
      [   16.078430]  [<ffffffff817bbdf9>] __driver_attach+0xb9/0x100
      [   16.078438]  [<ffffffff817bbd40>] ? driver_probe_device+0x380/0x380
      [   16.078444]  [<ffffffff817b8d20>] bus_for_each_dev+0x70/0xc0
      [   16.078449]  [<ffffffff817bb087>] driver_attach+0x27/0x50
      [   16.078454]  [<ffffffff817ba956>] bus_add_driver+0x166/0x2c0
      [   16.078460]  [<ffffffffa0369000>] ? 0xffffffffa0369000
      [   16.078465]  [<ffffffff817bd13d>] driver_register+0x7d/0x130
      [   16.078477]  [<ffffffffa083816f>] __hda_codec_driver_register+0x6f/0x90 [snd_hda_codec]
      [   16.078488]  [<ffffffffa036901e>] realtek_driver_init+0x1e/0x1000 [snd_hda_codec_realtek]
      [   16.078493]  [<ffffffff8100215e>] do_one_initcall+0x4e/0x1d0
      [   16.078499]  [<ffffffff8119f54d>] ? rcu_read_lock_sched_held+0x6d/0x80
      [   16.078504]  [<ffffffff813701b1>] ? kmem_cache_alloc_trace+0x391/0x560
      [   16.078510]  [<ffffffff812bb314>] ? do_init_module+0x28/0x273
      [   16.078515]  [<ffffffff812bb387>] do_init_module+0x9b/0x273
      [   16.078522]  [<ffffffff811e3782>] load_module+0x20b2/0x3410
      [   16.078527]  [<ffffffff811df140>] ? m_show+0x210/0x210
      [   16.078533]  [<ffffffff813b2b26>] ? kernel_read+0x66/0xe0
      [   16.078541]  [<ffffffff811e4cfa>] SYSC_finit_module+0xba/0xc0
      [   16.078547]  [<ffffffff811e4d1e>] SyS_finit_module+0xe/0x10
      [   16.078552]  [<ffffffff81a860fc>] entry_SYSCALL_64_fastpath+0x1f/0xbd
      [   16.078556] ================================================================================
      
      Fix by checking path->depth before use.
      Signed-off-by: default avatarBob Copeland <me@bobcopeland.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      1f96a54c
  2. 13 Jul, 2016 1 commit
  3. 12 Jul, 2016 1 commit
    • Hugh Dickins's avatar
      tmpfs: fix regression hang in fallocate undo · 116c75f6
      Hugh Dickins authored
      [ Upstream commit 7f556567 ]
      
      The well-spotted fallocate undo fix is good in most cases, but not when
      fallocate failed on the very first page.  index 0 then passes lend -1
      to shmem_undo_range(), and that has two bad effects: (a) that it will
      undo every fallocation throughout the file, unrestricted by the current
      range; but more importantly (b) it can cause the undo to hang, because
      lend -1 is treated as truncation, which makes it keep on retrying until
      every page has gone, but those already fully instantiated will never go
      away.  Big thank you to xfstests generic/269 which demonstrates this.
      
      Fixes: b9b4bb26 ("tmpfs: don't undo fallocate past its last page")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarHugh Dickins <hughd@google.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      116c75f6
  4. 11 Jul, 2016 36 commits