- 29 Sep, 2016 1 commit
-
-
Takashi Iwai authored
-
- 27 Sep, 2016 1 commit
-
-
Takashi Iwai authored
HP Spectre x360 with CX20724 codec has two speaker outputs while the BIOS sets up only the bottom one (NID 0x17) and disables the top one (NID 0x1d). This patch adds a fixup simply defining the proper pincfg for NID 0x1d so that the top speaker works as is. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=169071 Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
- 26 Sep, 2016 1 commit
-
-
Hui Wang authored
We have two new Dell laptop models, they have the same ALC255 pin definition, but not in the pin quirk table yet, as a result, the headset microphone can't work. After adding the definition in the table, the headset microphone works well. Cc: <stable@vger.kernel.org> Signed-off-by: Hui Wang <hui.wang@canonical.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
- 25 Sep, 2016 2 commits
-
-
Takashi Sakamoto authored
Currently, usb-line6 module exports an array of MIDI manufacturer ID and usb-pod module uses it. However, the declaration is not the definition in common header. The difference is explicit length of array. Although compiler calculates it and everything goes well, it's better to use the same representation between definition and declaration. This commit fills the length of array for usb-line6 module. As a small good sub-effect, this commit suppress below warnings from static analysis by sparse v0.5.0. sound/usb/line6/driver.c:274:43: error: cannot size expression sound/usb/line6/driver.c:275:16: error: cannot size expression sound/usb/line6/driver.c:276:16: error: cannot size expression sound/usb/line6/driver.c:277:16: error: cannot size expression Fixes: 705ececd ("Staging: add line6 usb driver") Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Takashi Sakamoto authored
In commit bf1d1c9b ("ALSA: tlv: add DECLARE_TLV_DB_RANGE()"), the new macro was added so that "dB range information can be specified without having to count the items manually for TLV_DB_RANGE_HEAD()". In short, TLV_DB_RANGE_HEAD macro was obsoleted. In commit 46e860f7 ("ALSA: rename TLV-related macros so that they're friendly to user applications"), TLV-related macros are exposed for applications in user land to get content of data structured by Type/Length/Value shape. The commit managed to expose TLV-related macros as many as possible, while obsoleted TLV_DB_RANGE_HEAD() was included to the list of exposed macros. This situation brings some confusions to application developers because they might think all exposed macros have their own purpose and useful for applications. For the reason, this commit moves TLV_DB_RANGE_HEAD macro from UAPI header to a header for kernel land, again. The above commit is done within the same development period for kernel 4.9, thus not published yet. This commit might certainly brings no confusions to user land. Reference: commit bf1d1c9b ("ALSA: tlv: add DECLARE_TLV_DB_RANGE()") Reference: commit 46e860f7 ("ALSA: rename TLV-related macros so that they're friendly to user applications") Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
- 23 Sep, 2016 1 commit
-
-
Anssi Hannula authored
The DragonFly quirk added in 42e3121d ("ALSA: usb-audio: Add a more accurate volume quirk for AudioQuest DragonFly") applies a custom dB map on the volume control when its range is reported as 0..50 (0 .. 0.2dB). However, there exists at least one other variant (hw v1.0c, as opposed to the tested v1.2) which reports a different non-sensical volume range (0..53) and the custom map is therefore not applied for that device. This results in all of the volume change appearing close to 100% on mixer UIs that utilize the dB TLV information. Add a fallback case where no dB TLV is reported at all if the control range is not 0..50 but still 0..N where N <= 1000 (3.9 dB). Also restrict the quirk to only apply to the volume control as there is also a mute control which would match the check otherwise. Fixes: 42e3121d ("ALSA: usb-audio: Add a more accurate volume quirk for AudioQuest DragonFly") Signed-off-by: Anssi Hannula <anssi.hannula@iki.fi> Reported-by: David W <regulars@d-dub.org.uk> Tested-by: David W <regulars@d-dub.org.uk> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
- 21 Sep, 2016 2 commits
-
-
Takashi Iwai authored
The pointer callbacks of ali5451 driver may return the value at the boundary occasionally, and it results in the kernel warning like snd_ali5451 0000:00:06.0: BUG: , pos = 16384, buffer size = 16384, period size = 1024 It seems that folding the position offset is enough for fixing the warning and no ill-effect has been seen by that. Reported-by: Enrico Mioso <mrkiko.rs@gmail.com> Tested-by: Enrico Mioso <mrkiko.rs@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Valdis Kletnieks authored
ERROR: "snd_hwdep_new" [sound/usb/line6/snd-usb-line6.ko] undefined! scripts/Makefile.modpost:91: recipe for target '__modpost' failed make[1]: *** [__modpost] Error 1 Fixes: a16039cb ('ALSA: line6: Add hwdep interface to access the POD control messages') Signed-off-by: Valdis Kletnieks <valdis.kletnieks@vt.edu> Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
- 20 Sep, 2016 1 commit
-
-
kbuild test robot authored
sound/usb/line6/driver.c:484:2-7: WARNING: NULL check before freeing functions like kfree, debugfs_remove, debugfs_remove_recursive or usb_free_urb is not needed. Maybe consider reorganizing relevant code to avoid passing NULL values. NULL check before some freeing functions is not needed. Based on checkpatch warning "kfree(NULL) is safe this check is probably not required" and kfreeaddr.cocci by Julia Lawall. Generated by: scripts/coccinelle/free/ifnullfree.cocci CC: Andrej Krutak <dev@andree.sk> Signed-off-by: Fengguang Wu <fengguang.wu@intel.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
- 19 Sep, 2016 12 commits
-
-
Andrej Krutak authored
We must do it this way, because e.g. POD X3 won't play any sound unless the host listens on the bulk EP, so we cannot export it only via libusb. The driver currently doesn't use the bulk EP messages in other way, in future it could e.g. sense/modify volume(s). Signed-off-by: Andrej Krutak <dev@andree.sk> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Andrej Krutak authored
Only initialize PCM for POD HD devices that support it. No POD HD seems to support MIDI, thus drop the initialization. Signed-off-by: Andrej Krutak <dev@andree.sk> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Andrej Krutak authored
Not all line6 devices use the control port. Signed-off-by: Andrej Krutak <dev@andree.sk> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Andrej Krutak authored
Signed-off-by: Andrej Krutak <dev@andree.sk> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Andrej Krutak authored
This includes audio in/out and basic initialization via control EP (emulates what original driver does). The initialization is done similarly to original POD, firmware and serial IDs are read and exported via sysfs. Signed-off-by: Andrej Krutak <dev@andree.sk> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Andrej Krutak authored
Not all PODs use MIDI via USB data interface, thus allow avoiding that code and instead using direct processing. Signed-off-by: Andrej Krutak <dev@andree.sk> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Andrej Krutak authored
POD X3 can initialize similarly to older PODs, but it doesn't have the MIDI interface. Instead, configuration is done via proprietary bulk EP messages. Signed-off-by: Andrej Krutak <dev@andree.sk> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Andrej Krutak authored
E.g. POD X3 seems to require playback data to be sent to it to generate capture data. Otherwise the device stalls and doesn't send any more capture data until it's reset. Signed-off-by: Andrej Krutak <dev@andree.sk> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Andrej Krutak authored
Changes bytes_per_frame to bytes_per_channel. Signed-off-by: Andrej Krutak <dev@andree.sk> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Andrej Krutak authored
Splits max_packet_size to max_packet_size_in/out (e.g. for different channel counts). Signed-off-by: Andrej Krutak <dev@andree.sk> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Andrej Krutak authored
This has two parts: * intervals_per_second setup (high speed needs 8000, instead of 1000) * iso_buffers setup (count of iso buffers depends on USB speed, 2 is not enough for high speed) Signed-off-by: Andrej Krutak <dev@andree.sk> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Andrej Krutak authored
This basically changes LINE6_ISO_BUFFERS constant to a configurable iso_buffers property. Signed-off-by: Andrej Krutak <dev@andree.sk> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
- 16 Sep, 2016 3 commits
-
-
Colin Ian King authored
Fix a missing \n in a pr_debug message and move the \n to the end of a pr_err message. Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Colin Ian King authored
Trival fix, some dev_err messages are missing a \n, so add it. Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Colin Ian King authored
Trival fix, the dev_err message is missing a \n so add it. Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
- 15 Sep, 2016 2 commits
-
-
Takashi Sakamoto authored
In a previous commit, some macros newly appeared to UAPI header for TLV packet. These macros have short names and they easily bring name conflist to applications. The conflict can be avoided to rename them with a proper prefix. For this purpose, this commit renames these macros with prefix 'SNDRV_CTL_TLVD_'. Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Takashi Sakamoto authored
In ALSA control interface, each element set can have threshold level information. This information is transferred between drivers/applications, in a shape of tlv packet. The layout of this packet is defined in 'uapi/sound/asound.h' (struct snd_ctl_tlv): struct snd_ctl_tlv { unsigned int numid; unsigned int length; unsigned int tlv[0]; }; Data in the payload (struct snd_ctl_tlv.tlv) is expected to be filled according to our own protocol. This protocol is described in 'include/sound/tlv.h'. A layout of the payload is expected as: struct snd_ctl_tlv.tlv[0]: one of SNDRV_CTL_TLVT_XXX struct snd_ctl_tlv.tlv[1]: Length of data struct snd_ctl_tlv.tlv[2...]: data Unfortunately, the macro is not exported to user land yet, thus applications cannot get to know the protocol. Additionally, ALSA control core has a feature called as 'user-defined' element set. This allows applications to add/remove arbitrary element sets with elements to control devices. Elements in the element set can be operated by the same way as the ones added by in-kernel implementation. For threshold level information of 'user-defined' element set, applications need to register the information to an element set. However, as described above, layout of the payload is closed in kernel land. This is quite inconvenient, too. This commit moves the protocol to UAPI header for TLV. Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
- 13 Sep, 2016 1 commit
-
-
Takashi Sakamoto authored
When checking value of request for copy operation, current implementation compares shifted value to macros, while these macros are already shifted. As a result, it never performs to copy from/to user space. This commit fixes the bug. Fixes: 8ce8eb60('ALSA: seq: add an alternative way to handle ioctl requests' Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
- 12 Sep, 2016 1 commit
-
-
Julia Lawall authored
For structure types defined in the same file or local header files, find top-level static structure declarations that have the following properties: 1. Never reassigned. 2. Address never taken 3. Not passed to a top-level macro call 4. No pointer or array-typed field passed to a function or stored in a variable. Declare structures having all of these properties as const. Done using Coccinelle. Based on a suggestion by Joe Perches <joe@perches.com>. Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
- 11 Sep, 2016 2 commits
-
-
Takashi Iwai authored
Back-merge from for-linus just to make the further development easier.
-
Hui Wang authored
One of the laptops has the codec ALC256 on it, applying the ALC255_FIXUP_DELL1_MIC_NO_PRESENCE can fix the problem, the rest of laptops have the codec ALC295 on them, they are similar to machines with ALC225, applying the ALC269_FIXUP_DELL1_MIC_NO_PRESENCE can fix the problem. Cc: <stable@vger.kernel.org> Signed-off-by: Hui Wang <hui.wang@canonical.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
- 09 Sep, 2016 1 commit
-
-
Takashi Iwai authored
Realtek codec driver expects an implicit rule where either the codec SSID or the pincfg NID 0x1d contains the some information encoded in some bits. One of the expected information is there is the availability of PC beep, and the driver doesn't build up the PC beep control if this is *supposed* to be disabled there. Meanwhile, Lenovo doesn't seem to follow this requirement (yes it's non-standard after all), and the BIOS sets just the normal SSID and the pincfg values. This resulted in the lack of PC beep on a few machines, purely with a lucky or unlucky number. It didn't bother most people, but some people still demand the PC beep, as found in bug reports. This patch just adds the fixup chain to Lenovo machines to skip the SKU checks. Then the beep control will show up in the mixer, and user can still decide to enable / disable it via the standard mixer interface. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=156311Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
- 08 Sep, 2016 2 commits
-
-
Takashi Iwai authored
When a seq-virmidi driver is initialized, it registers a rawmidi instance with its callback to create an associated seq kernel client. Currently it's done throughly in rawmidi's register_mutex context. Recently it was found that this may lead to a deadlock another rawmidi device that is being attached with the sequencer is accessed, as both open with the same register_mutex. This was actually triggered by syzkaller, as Dmitry Vyukov reported: ====================================================== [ INFO: possible circular locking dependency detected ] 4.8.0-rc1+ #11 Not tainted ------------------------------------------------------- syz-executor/7154 is trying to acquire lock: (register_mutex#5){+.+.+.}, at: [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341 but task is already holding lock: (&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>] check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&grp->list_mutex){++++.+}: [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746 [<ffffffff863f6199>] down_read+0x49/0xc0 kernel/locking/rwsem.c:22 [< inline >] deliver_to_subscribers sound/core/seq/seq_clientmgr.c:681 [<ffffffff85005c5e>] snd_seq_deliver_event+0x35e/0x890 sound/core/seq/seq_clientmgr.c:822 [<ffffffff85006e96>] > snd_seq_kernel_client_dispatch+0x126/0x170 sound/core/seq/seq_clientmgr.c:2418 [<ffffffff85012c52>] snd_seq_system_broadcast+0xb2/0xf0 sound/core/seq/seq_system.c:101 [<ffffffff84fff70a>] snd_seq_create_kernel_client+0x24a/0x330 sound/core/seq/seq_clientmgr.c:2297 [< inline >] snd_virmidi_dev_attach_seq sound/core/seq/seq_virmidi.c:383 [<ffffffff8502d29f>] snd_virmidi_dev_register+0x29f/0x750 sound/core/seq/seq_virmidi.c:450 [<ffffffff84fd208c>] snd_rawmidi_dev_register+0x30c/0xd40 sound/core/rawmidi.c:1645 [<ffffffff84f816d3>] __snd_device_register.part.0+0x63/0xc0 sound/core/device.c:164 [< inline >] __snd_device_register sound/core/device.c:162 [<ffffffff84f8235d>] snd_device_register_all+0xad/0x110 sound/core/device.c:212 [<ffffffff84f7546f>] snd_card_register+0xef/0x6c0 sound/core/init.c:749 [<ffffffff85040b7f>] snd_virmidi_probe+0x3ef/0x590 sound/drivers/virmidi.c:123 [<ffffffff833ebf7b>] platform_drv_probe+0x8b/0x170 drivers/base/platform.c:564 ...... -> #0 (register_mutex#5){+.+.+.}: [< inline >] check_prev_add kernel/locking/lockdep.c:1829 [< inline >] check_prevs_add kernel/locking/lockdep.c:1939 [< inline >] validate_chain kernel/locking/lockdep.c:2266 [<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80 kernel/locking/lockdep.c:3335 [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746 [< inline >] __mutex_lock_common kernel/locking/mutex.c:521 [<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20 kernel/locking/mutex.c:621 [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341 [<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350 sound/core/seq/seq_midi.c:188 [< inline >] subscribe_port sound/core/seq/seq_ports.c:427 [<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0 sound/core/seq/seq_ports.c:510 [<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500 sound/core/seq/seq_ports.c:579 [<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0 sound/core/seq/seq_clientmgr.c:1480 [<ffffffff84ffe9e4>] snd_seq_do_ioctl+0x184/0x1e0 sound/core/seq/seq_clientmgr.c:2225 [<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110 sound/core/seq/seq_clientmgr.c:2440 [<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610 sound/core/seq/oss/seq_oss_midi.c:375 [<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0 sound/core/seq/oss/seq_oss_synth.c:281 [<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0 sound/core/seq/oss/seq_oss_init.c:274 [<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138 [<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639 ...... other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&grp->list_mutex); lock(register_mutex#5); lock(&grp->list_mutex); lock(register_mutex#5); *** DEADLOCK *** ====================================================== The fix is to simply move the registration parts in snd_rawmidi_dev_register() to the outside of the register_mutex lock. The lock is needed only to manage the linked list, and it's not necessarily to cover the whole initialization process. Reported-by: Dmitry Vyukov <dvyukov@google.com> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Takashi Iwai authored
When a user timer instance is continued without the explicit start beforehand, the system gets eventually zero-division error like: divide error: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN CPU: 1 PID: 27320 Comm: syz-executor Not tainted 4.8.0-rc3-next-20160825+ #8 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 task: ffff88003c9b2280 task.stack: ffff880027280000 RIP: 0010:[<ffffffff858e1a6c>] [< inline >] ktime_divns include/linux/ktime.h:195 RIP: 0010:[<ffffffff858e1a6c>] [<ffffffff858e1a6c>] snd_hrtimer_callback+0x1bc/0x3c0 sound/core/hrtimer.c:62 Call Trace: <IRQ> [< inline >] __run_hrtimer kernel/time/hrtimer.c:1238 [<ffffffff81504335>] __hrtimer_run_queues+0x325/0xe70 kernel/time/hrtimer.c:1302 [<ffffffff81506ceb>] hrtimer_interrupt+0x18b/0x420 kernel/time/hrtimer.c:1336 [<ffffffff8126d8df>] local_apic_timer_interrupt+0x6f/0xe0 arch/x86/kernel/apic/apic.c:933 [<ffffffff86e13056>] smp_apic_timer_interrupt+0x76/0xa0 arch/x86/kernel/apic/apic.c:957 [<ffffffff86e1210c>] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:487 <EOI> ..... Although a similar issue was spotted and a fix patch was merged in commit [6b760bb2: ALSA: timer: fix division by zero after SNDRV_TIMER_IOCTL_CONTINUE], it seems covering only a part of iceberg. In this patch, we fix the issue a bit more drastically. Basically the continue of an uninitialized timer is supposed to be a fresh start, so we do it for user timers. For the direct snd_timer_continue() call, there is no way to pass the initial tick value, so we kick out for the uninitialized case. Reported-by: Dmitry Vyukov <dvyukov@google.com> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
- 07 Sep, 2016 1 commit
-
-
Masahiro Yamada authored
Remove unneeded variables and assignments. Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
- 06 Sep, 2016 1 commit
-
-
Jeeja KP authored
When the stream is in suspended state some applications wait on "Stream Pipe Error" in response to snd_pcm_avail call to resume the stream. In the current implementation snd_pcm_avail() returns zero when the stream is in suspended state. This causes application to enter in infinite loop for frames to be available. "Stream pipe Error" code is getting returned for read/write call when the stream is in suspended state. Similarly update snd_pcm_avail to return -ESTRPIPE. Signed-off-by: Jeeja KP <jeeja.kp@intel.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
- 02 Sep, 2016 5 commits
-
-
Vegard Nossum authored
I got this with syzkaller: ================================================================== BUG: KASAN: null-ptr-deref on address 0000000000000020 Read of size 32 by task syz-executor/22519 CPU: 1 PID: 22519 Comm: syz-executor Not tainted 4.8.0-rc2+ #169 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2 014 0000000000000001 ffff880111a17a00 ffffffff81f9f141 ffff880111a17a90 ffff880111a17c50 ffff880114584a58 ffff880114584a10 ffff880111a17a80 ffffffff8161fe3f ffff880100000000 ffff880118d74a48 ffff880118d74a68 Call Trace: [<ffffffff81f9f141>] dump_stack+0x83/0xb2 [<ffffffff8161fe3f>] kasan_report_error+0x41f/0x4c0 [<ffffffff8161ff74>] kasan_report+0x34/0x40 [<ffffffff82c84b54>] ? snd_timer_user_read+0x554/0x790 [<ffffffff8161e79e>] check_memory_region+0x13e/0x1a0 [<ffffffff8161e9c1>] kasan_check_read+0x11/0x20 [<ffffffff82c84b54>] snd_timer_user_read+0x554/0x790 [<ffffffff82c84600>] ? snd_timer_user_info_compat.isra.5+0x2b0/0x2b0 [<ffffffff817d0831>] ? proc_fault_inject_write+0x1c1/0x250 [<ffffffff817d0670>] ? next_tgid+0x2a0/0x2a0 [<ffffffff8127c278>] ? do_group_exit+0x108/0x330 [<ffffffff8174653a>] ? fsnotify+0x72a/0xca0 [<ffffffff81674dfe>] __vfs_read+0x10e/0x550 [<ffffffff82c84600>] ? snd_timer_user_info_compat.isra.5+0x2b0/0x2b0 [<ffffffff81674cf0>] ? do_sendfile+0xc50/0xc50 [<ffffffff81745e10>] ? __fsnotify_update_child_dentry_flags+0x60/0x60 [<ffffffff8143fec6>] ? kcov_ioctl+0x56/0x190 [<ffffffff81e5ada2>] ? common_file_perm+0x2e2/0x380 [<ffffffff81746b0e>] ? __fsnotify_parent+0x5e/0x2b0 [<ffffffff81d93536>] ? security_file_permission+0x86/0x1e0 [<ffffffff816728f5>] ? rw_verify_area+0xe5/0x2b0 [<ffffffff81675355>] vfs_read+0x115/0x330 [<ffffffff81676371>] SyS_read+0xd1/0x1a0 [<ffffffff816762a0>] ? vfs_write+0x4b0/0x4b0 [<ffffffff82001c2c>] ? __this_cpu_preempt_check+0x1c/0x20 [<ffffffff8150455a>] ? __context_tracking_exit.part.4+0x3a/0x1e0 [<ffffffff816762a0>] ? vfs_write+0x4b0/0x4b0 [<ffffffff81005524>] do_syscall_64+0x1c4/0x4e0 [<ffffffff810052fc>] ? syscall_return_slowpath+0x16c/0x1d0 [<ffffffff83c3276a>] entry_SYSCALL64_slow_path+0x25/0x25 ================================================================== There are a couple of problems that I can see: - ioctl(SNDRV_TIMER_IOCTL_SELECT), which potentially sets tu->queue/tu->tqueue to NULL on memory allocation failure, so read() would get a NULL pointer dereference like the above splat - the same ioctl() can free tu->queue/to->tqueue which means read() could potentially see (and dereference) the freed pointer We can fix both by taking the ioctl_lock mutex when dereferencing ->queue/->tqueue, since that's always held over all the ioctl() code. Just looking at the code I find it likely that there are more problems here such as tu->qhead pointing outside the buffer if the size is changed concurrently using SNDRV_TIMER_IOCTL_PARAMS. Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Julia Lawall authored
Check for snd_pcm_ops structures that are only stored in the ops field of a snd_soc_platform_driver structure or passed as the third argument to snd_pcm_set_ops. The corresponding field or parameter is declared const, so snd_pcm_ops structures that have this property can be declared as const also. The semantic patch that makes this change is as follows: (http://coccinelle.lip6.fr/) // <smpl> @r disable optional_qualifier@ identifier i; position p; @@ static struct snd_pcm_ops i@p = { ... }; @ok1@ identifier r.i; struct snd_soc_platform_driver e; position p; @@ e.ops = &i@p; @ok2@ identifier r.i; expression e1, e2; position p; @@ snd_pcm_set_ops(e1, e2, &i@p) @bad@ position p != {r.p,ok1.p,ok2.p}; identifier r.i; struct snd_pcm_ops e; @@ e@i@p @depends on !bad disable optional_qualifier@ identifier r.i; @@ static +const struct snd_pcm_ops i = { ... }; // </smpl> Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr> Acked-by: Clemens Ladisch <clemens@ladisch.de> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Julia Lawall authored
Check for snd_pcm_ops structures that are only stored in the ops field of a snd_soc_platform_driver structure or passed as the third argument to snd_pcm_set_ops. The corresponding field or parameter is declared const, so snd_pcm_ops structures that have this property can be declared as const also. The semantic patch that makes this change is as follows: (http://coccinelle.lip6.fr/) // <smpl> @r disable optional_qualifier@ identifier i; position p; @@ static struct snd_pcm_ops i@p = { ... }; @ok1@ identifier r.i; struct snd_soc_platform_driver e; position p; @@ e.ops = &i@p; @ok2@ identifier r.i; expression e1, e2; position p; @@ snd_pcm_set_ops(e1, e2, &i@p) @bad@ position p != {r.p,ok1.p,ok2.p}; identifier r.i; struct snd_pcm_ops e; @@ e@i@p @depends on !bad disable optional_qualifier@ identifier r.i; @@ static +const struct snd_pcm_ops i = { ... }; // </smpl> Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr> Acked-by: Clemens Ladisch <clemens@ladisch.de> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Julia Lawall authored
Check for snd_pcm_ops structures that are only stored in the ops field of a snd_soc_platform_driver structure or passed as the third argument to snd_pcm_set_ops. The corresponding field or parameter is declared const, so snd_pcm_ops structures that have this property can be declared as const also. The semantic patch that makes this change is as follows: (http://coccinelle.lip6.fr/) // <smpl> @r disable optional_qualifier@ identifier i; position p; @@ static struct snd_pcm_ops i@p = { ... }; @ok1@ identifier r.i; struct snd_soc_platform_driver e; position p; @@ e.ops = &i@p; @ok2@ identifier r.i; expression e1, e2; position p; @@ snd_pcm_set_ops(e1, e2, &i@p) @bad@ position p != {r.p,ok1.p,ok2.p}; identifier r.i; struct snd_pcm_ops e; @@ e@i@p @depends on !bad disable optional_qualifier@ identifier r.i; @@ static +const struct snd_pcm_ops i = { ... }; // </smpl> Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Julia Lawall authored
Check for snd_pcm_ops structures that are only stored in the ops field of a snd_soc_platform_driver structure or passed as the third argument to snd_pcm_set_ops. The corresponding field or parameter is declared const, so snd_pcm_ops structures that have this property can be declared as const also. The semantic patch that makes this change is as follows: (http://coccinelle.lip6.fr/) // <smpl> @r disable optional_qualifier@ identifier i; position p; @@ static struct snd_pcm_ops i@p = { ... }; @ok1@ identifier r.i; struct snd_soc_platform_driver e; position p; @@ e.ops = &i@p; @ok2@ identifier r.i; expression e1, e2; position p; @@ snd_pcm_set_ops(e1, e2, &i@p) @bad@ position p != {r.p,ok1.p,ok2.p}; identifier r.i; struct snd_pcm_ops e; @@ e@i@p @depends on !bad disable optional_qualifier@ identifier r.i; @@ static +const struct snd_pcm_ops i = { ... }; // </smpl> Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr> Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Acked-by: Clemens Ladisch <clemens@ladisch.de> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-