1. 21 Jan, 2016 1 commit
    • Takashi Iwai's avatar
      ALSA: timer: Handle disconnection more safely · 230323da
      Takashi Iwai authored
      Currently ALSA timer device doesn't take the disconnection into
      account very well; it merely unlinks the timer device at disconnection
      callback but does nothing else.  Because of this, when an application
      accessing the timer device is disconnected, it may release the
      resource before actually closed.  In most cases, it results in a
      warning message indicating a leftover timer instance like:
         ALSA: timer xxxx is busy?
      But basically this is an open race.
      
      This patch tries to address it.  The strategy is like other ALSA
      devices: namely,
      - Manage card's refcount at each open/close
      - Wake up the pending tasks at disconnection
      - Check the shutdown flag appropriately at each possible call
      
      Note that this patch has one ugly hack to handle the wakeup of pending
      tasks.  It'd be cleaner to introduce a new disconnect op to
      snd_timer_instance ops.  But since it would lead to internal ABI
      breakage and it eventually increase my own work when backporting to
      stable kernels, I took a different path to implement locally in
      timer.c.  A cleanup patch will follow at next for 4.5 kernel.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=109431
      Cc: <stable@vger.kernel.org> # v3.15+
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      230323da
  2. 20 Jan, 2016 4 commits
  3. 18 Jan, 2016 5 commits
    • Takashi Iwai's avatar
      ALSA: control: Avoid kernel warnings from tlv ioctl with numid 0 · c0bcdbdf
      Takashi Iwai authored
      When a TLV ioctl with numid zero is handled, the driver may spew a
      kernel warning with a stack trace at each call.  The check was
      intended obviously only for a kernel driver, but not for a user
      interaction.  Let's fix it.
      
      This was spotted by syzkaller fuzzer.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      c0bcdbdf
    • Nicolas Boichat's avatar
      ALSA: seq: Fix snd_seq_call_port_info_ioctl in compat mode · 9586495d
      Nicolas Boichat authored
      This reverts one hunk of
      commit ef44a1ec ("ALSA: sound/core: use memdup_user()"), which
      replaced a number of kmalloc followed by memcpy with memdup calls.
      
      In this case, we are copying from a struct snd_seq_port_info32 to a
      struct snd_seq_port_info, but the latter is 4 bytes longer than the
      32-bit version, so we need to separate kmalloc and copy calls.
      
      Fixes: ef44a1ec ('ALSA: sound/core: use memdup_user()')
      Signed-off-by: default avatarNicolas Boichat <drinkcat@chromium.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      9586495d
    • Nicolas Boichat's avatar
      ALSA: pcm: Fix snd_pcm_hw_params struct copy in compat mode · 43c54b8c
      Nicolas Boichat authored
      This reverts one hunk of
      commit ef44a1ec ("ALSA: sound/core: use memdup_user()"), which
      replaced a number of kmalloc followed by memcpy with memdup calls.
      
      In this case, we are copying from a struct snd_pcm_hw_params32 to
      a struct snd_pcm_hw_params, but the latter is 4 bytes longer than
      the 32-bit version, so we need to separate kmalloc and copy calls.
      
      This actually leads to an out-of-bounds memory access later on
      in sound/soc/soc-pcm.c:soc_pcm_hw_params() (detected using KASan).
      
      Fixes: ef44a1ec ('ALSA: sound/core: use memdup_user()')
      Signed-off-by: default avatarNicolas Boichat <drinkcat@chromium.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      43c54b8c
    • Takashi Iwai's avatar
      ALSA: hrtimer: Fix stall by hrtimer_cancel() · 2ba1fe7a
      Takashi Iwai authored
      hrtimer_cancel() waits for the completion from the callback, thus it
      must not be called inside the callback itself.  This was already a
      problem in the past with ALSA hrtimer driver, and the early commit
      [fcfdebe7: ALSA: hrtimer - Fix lock-up] tried to address it.
      
      However, the previous fix is still insufficient: it may still cause a
      lockup when the ALSA timer instance reprograms itself in its callback.
      Then it invokes the start function even in snd_timer_interrupt() that
      is called in hrtimer callback itself, results in a CPU stall.  This is
      no hypothetical problem but actually triggered by syzkaller fuzzer.
      
      This patch tries to fix the issue again.  Now we call
      hrtimer_try_to_cancel() at both start and stop functions so that it
      won't fall into a deadlock, yet giving some chance to cancel the queue
      if the functions have been called outside the callback.  The proper
      hrtimer_cancel() is called in anyway at closing, so this should be
      enough.
      Reported-and-tested-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      2ba1fe7a
    • Takashi Iwai's avatar
      ALSA: hda - Fix bass pin fixup for ASUS N550JX · db8948e6
      Takashi Iwai authored
      ASUS N550JX (PCI SSID 1043:13df) requires the same fixup for a bass
      speaker output pin as other N550 models.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=110001
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      db8948e6
  4. 15 Jan, 2016 3 commits
    • Takashi Iwai's avatar
      ALSA: timer: Code cleanup · c3b16813
      Takashi Iwai authored
      This is a minor code cleanup without any functional changes:
      - Kill keep_flag argument from _snd_timer_stop(), as all callers pass
        only it false.
      - Remove redundant NULL check in _snd_timer_stop().
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      c3b16813
    • Takashi Iwai's avatar
      ALSA: timer: Harden slave timer list handling · b5a663aa
      Takashi Iwai authored
      A slave timer instance might be still accessible in a racy way while
      operating the master instance as it lacks of locking.  Since the
      master operation is mostly protected with timer->lock, we should cope
      with it while changing the slave instance, too.  Also, some linked
      lists (active_list and ack_list) of slave instances aren't unlinked
      immediately at stopping or closing, and this may lead to unexpected
      accesses.
      
      This patch tries to address these issues.  It adds spin lock of
      timer->lock (either from master or slave, which is equivalent) in a
      few places.  For avoiding a deadlock, we ensure that the global
      slave_active_lock is always locked at first before each timer lock.
      
      Also, ack and active_list of slave instances are properly unlinked at
      snd_timer_stop() and snd_timer_close().
      
      Last but not least, remove the superfluous call of _snd_timer_stop()
      at removing slave links.  This is a noop, and calling it may confuse
      readers wrt locking.  Further cleanup will follow in a later patch.
      
      Actually we've got reports of use-after-free by syzkaller fuzzer, and
      this hopefully fixes these issues.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      b5a663aa
    • Takashi Iwai's avatar
      ALSA: hda - Add fixup for Dell Latitidue E6540 · cf52103a
      Takashi Iwai authored
      Another Dell model, another fixup entry: Latitude E6540 needs the same
      fixup as other Latitude E series as workaround for noise problems.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=104341
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      cf52103a
  5. 14 Jan, 2016 2 commits
  6. 13 Jan, 2016 3 commits
  7. 12 Jan, 2016 5 commits
    • Takashi Iwai's avatar
      ALSA: hda - Fix white noise on Dell Latitude E5550 · 98070576
      Takashi Iwai authored
      Dell Latitude E5550 (1028:062c) has a white noise problem like other
      Latitude E models, and it gets fixed by the very same quirk as well.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=110591
      Cc: <stable@vger.kernel.org> # v4.1+
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      98070576
    • Heiner Kallweit's avatar
      ALSA: hda_intel: add card number to irq description · de65360b
      Heiner Kallweit authored
      Currently the info in /proc/interrupts doesn't allow to figure out which
      interrupt belongs to which card (HDMI, PCH, ..).
      Therefore add card details to the interrupt description.
      With the patch the info in /proc/interrupts looks like this:
      
      PCI-MSI 442368-edge      snd_hda_intel:card1
      PCI-MSI 49152-edge      snd_hda_intel:card0
      
      NOTE: this patch adds the new irq_descr field snd_card struct that is
      filled automatically at a card object creation.  This can be used
      generically for other drivers as well.  The changes for others will
      follow later -- tiwai
      Signed-off-by: default avatarHeiner Kallweit <hkallweit1@gmail.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      de65360b
    • Takashi Iwai's avatar
      ALSA: seq: Fix race at timer setup and close · 3567eb6a
      Takashi Iwai authored
      ALSA sequencer code has an open race between the timer setup ioctl and
      the close of the client.  This was triggered by syzkaller fuzzer, and
      a use-after-free was caught there as a result.
      
      This patch papers over it by adding a proper queue->timer_mutex lock
      around the timer-related calls in the relevant code path.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Tested-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      3567eb6a
    • Takashi Iwai's avatar
      ALSA: seq: Fix missing NULL check at remove_events ioctl · 030e2c78
      Takashi Iwai authored
      snd_seq_ioctl_remove_events() calls snd_seq_fifo_clear()
      unconditionally even if there is no FIFO assigned, and this leads to
      an Oops due to NULL dereference.  The fix is just to add a proper NULL
      check.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Tested-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      030e2c78
    • Takashi Iwai's avatar
      ALSA: usb-audio: Avoid calling usb_autopm_put_interface() at disconnect · 5c06d68b
      Takashi Iwai authored
      ALSA PCM may still have a leftover instance after disconnection and
      it delays its release.  The problem is that the PCM close code path of
      USB-audio driver has a call of snd_usb_autosuspend().  This involves
      with the call of usb_autopm_put_interface() and it may lead to a
      kernel Oops due to the NULL object like:
      
       BUG: unable to handle kernel NULL pointer dereference at 0000000000000190
       IP: [<ffffffff815ae7ef>] usb_autopm_put_interface+0xf/0x30 PGD 0
       Call Trace:
        [<ffffffff8173bd94>] snd_usb_autosuspend+0x14/0x20
        [<ffffffff817461bc>] snd_usb_pcm_close.isra.14+0x5c/0x90
        [<ffffffff8174621f>] snd_usb_playback_close+0xf/0x20
        [<ffffffff816ef58a>] snd_pcm_release_substream.part.36+0x3a/0x90
        [<ffffffff816ef6b3>] snd_pcm_release+0xa3/0xb0
        [<ffffffff816debb0>] snd_disconnect_release+0xd0/0xe0
        [<ffffffff8114d417>] __fput+0x97/0x1d0
        [<ffffffff8114d589>] ____fput+0x9/0x10
        [<ffffffff8109e452>] task_work_run+0x72/0x90
        [<ffffffff81088510>] do_exit+0x280/0xa80
        [<ffffffff8108996a>] do_group_exit+0x3a/0xa0
        [<ffffffff8109261f>] get_signal+0x1df/0x540
        [<ffffffff81040903>] do_signal+0x23/0x620
        [<ffffffff8114c128>] ? do_readv_writev+0x128/0x200
        [<ffffffff810012e1>] prepare_exit_to_usermode+0x91/0xd0
        [<ffffffff810013ba>] syscall_return_slowpath+0x9a/0x120
        [<ffffffff817587cd>] ? __sys_recvmsg+0x5d/0x70
        [<ffffffff810d2765>] ? ktime_get_ts64+0x45/0xe0
        [<ffffffff8115dea0>] ? SyS_poll+0x60/0xf0
        [<ffffffff818d2327>] int_ret_from_sys_call+0x25/0x8f
      
      We have already a check of disconnection in snd_usb_autoresume(), but
      the check is missing its counterpart.  The fix is just to put the same
      check in snd_usb_autosuspend(), too.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=109431
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      5c06d68b
  8. 11 Jan, 2016 17 commits