1. 02 Oct, 2017 2 commits
    • Takashi Iwai's avatar
      ALSA: usx2y: Suppress kernel warning at page allocation failures · 7682e399
      Takashi Iwai authored
      The usx2y driver allocates the stream read/write buffers in continuous
      pages depending on the stream setup, and this may spew the kernel
      warning messages with a stack trace like:
        WARNING: CPU: 1 PID: 1846 at mm/page_alloc.c:3883
        __alloc_pages_slowpath+0x1ef2/0x2d70
        Modules linked in:
        CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted
        ....
      
      It may confuse user as if it were any serious error, although this is
      no fatal error and the driver handles the error case gracefully.
      Since the driver has already some sanity check of the given size (128
      and 256 pages), it can't pass any crazy value.  So it's merely page
      fragmentation.
      
      This patch adds __GFP_NOWARN to each caller for suppressing such
      kernel warnings.  The original issue was spotted by syzkaller.
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Tested-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      7682e399
    • Takashi Sakamoto's avatar
      Revert "ALSA: echoaudio: purge contradictions between dimension matrix members... · 51db452d
      Takashi Sakamoto authored
      Revert "ALSA: echoaudio: purge contradictions between dimension matrix members and total number of members"
      
      This reverts commit 275353bb to fix a regression which can abort
      'alsactl' program in alsa-utils due to assertion in alsa-lib.
      
      alsactl: control.c:2513: snd_ctl_elem_value_get_integer: Assertion `idx < sizeof(obj->value.integer.value) / sizeof(obj->value.integer.value[0])' failed.
      
      alsactl: control.c:2976: snd_ctl_elem_value_get_integer: Assertion `idx < ARRAY_SIZE(obj->value.integer.value)' failed.
      
      This commit is a band-aid. In a point of usage of ALSA control interface,
      the drivers still bring an issue that they prevent userspace applications
      to have a consistent way to parse each levels of the dimension information
      via ALSA control interface.
      
      Let me investigate this issue. Current implementation of the drivers
      have three control element sets with dimension information:
       * 'Monitor Mixer Volume' (type: integer)
       * 'VMixer Volume' (type: integer)
       * 'VU-meters' (type: boolean)
      
      Although the number of elements named as 'Monitor Mixer Volume' differs
      depending on drivers in this group, it can be calculated by macros
      defined by each driver (= (BX_NUM - BX_ANALOG_IN) * BX_ANALOG_IN). Each
      of the elements has one member for value and has dimension information
      with 2 levels (= BX_ANALOG_IN * (BX_NUM - BX_ANALOG_IN)). For these
      elements, userspace applications are expected to handle the dimension
      information so that all of the elements construct a matrix where the
      number of rows and columns are represented by the dimension information.
      
      The same way is applied to elements named as 'VMixer Volume'. The number
      of these elements can also be calculated by macros defined by each
      drivers (= PX_ANALOG_IN * BX_ANALOG_IN). Each of the element has one
      member for value and has dimension information with 2 levels
      (= BX_ANALOG_IN * PX_ANALOG_IN). All of the elements construct a matrix
      with the dimension information.
      
      An element named as 'VU-meters' gets a different way in a point of
      dimension information. The element includes 96 members for value. The
      element has dimension information with 3 levels (= 3 or 2 * 16 * 2). For
      this element, userspace applications are expected to handle the dimension
      information so that all of the members for value construct a matrix
      where the number of rows and columns are represented by the dimension
      information. This is different from the way for the former.
      
      As a summary, the drivers were not designed to produce a consistent way to
      parse the dimension information. This makes it hard for general userspace
      applications such as amixer to parse the information by a consistent way,
      and actually no userspace applications except for 'echomixer' utilize the
      dimension information. Additionally, no drivers excluding this group use
      the information.
      
      The reverted commit was written based on the latter way. A commit
      860c1994 ('ALSA: control: add dimension validator for userspace
      elements') is written based on the latter way, too. The patch should be
      reconsider too in the same time to re-define a consistent way to parse the
      dimension information.
      Reported-by: default avatarMark Hills <mark@xwax.org>
      Reported-by: default avatarS. Christian Collins <s.chriscollins@gmail.com>
      Fixes: 275353bb ('ALSA: echoaudio: purge contradictions between dimension matrix members and total number of members')
      Cc: <stable@vger.kernel.org> # v4.8+
      Signed-off-by: default avatarTakashi Sakamoto <o-takashi@sakamocchi.jp>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      51db452d
  2. 22 Sep, 2017 2 commits
    • Takashi Iwai's avatar
      ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor · bfc81a8b
      Takashi Iwai authored
      When a USB-audio device receives a maliciously adjusted or corrupted
      buffer descriptor, the USB-audio driver may access an out-of-bounce
      value at its parser.  This was detected by syzkaller, something like:
      
        BUG: KASAN: slab-out-of-bounds in usb_audio_probe+0x27b2/0x2ab0
        Read of size 1 at addr ffff88006b83a9e8 by task kworker/0:1/24
        CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc1-42251-gebb2c243 #224
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
        Workqueue: usb_hub_wq hub_event
        Call Trace:
         __dump_stack lib/dump_stack.c:16
         dump_stack+0x292/0x395 lib/dump_stack.c:52
         print_address_description+0x78/0x280 mm/kasan/report.c:252
         kasan_report_error mm/kasan/report.c:351
         kasan_report+0x22f/0x340 mm/kasan/report.c:409
         __asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
         snd_usb_create_streams sound/usb/card.c:248
         usb_audio_probe+0x27b2/0x2ab0 sound/usb/card.c:605
         usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
         really_probe drivers/base/dd.c:413
         driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
         __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
         bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
         __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
         device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
         bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
         device_add+0xd0b/0x1660 drivers/base/core.c:1835
         usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
         generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
         usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
         really_probe drivers/base/dd.c:413
         driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
         __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
         bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
         __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
         device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
         bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
         device_add+0xd0b/0x1660 drivers/base/core.c:1835
         usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
         hub_port_connect drivers/usb/core/hub.c:4903
         hub_port_connect_change drivers/usb/core/hub.c:5009
         port_event drivers/usb/core/hub.c:5115
         hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
         process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
         worker_thread+0x221/0x1850 kernel/workqueue.c:2253
         kthread+0x3a1/0x470 kernel/kthread.c:231
         ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
      
      This patch adds the checks of out-of-bounce accesses at appropriate
      places and bails out when it goes out of the given buffer.
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Tested-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      bfc81a8b
    • Baolin Wang's avatar
      ALSA: pcm: Fix structure definition for X32 ABI · c9adcdbc
      Baolin Wang authored
      X32 ABI uses the 64bit timespec in addition to 64bit alignment of 64bit
      values. We have added compat ABI for these ioctls, but this patch adds
      one missing padding into 'struct snd_pcm_mmap_status_x32' to fix
      incompatibilities.
      Signed-off-by: default avatarBaolin Wang <baolin.wang@linaro.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      c9adcdbc
  3. 20 Sep, 2017 2 commits
  4. 19 Sep, 2017 1 commit
    • Meng Xu's avatar
      ALSA: asihpi: fix a potential double-fetch bug when copying puhm · e1af344d
      Meng Xu authored
      The hm->h.size is intended to hold the actual size of the hm struct
      that is copied from userspace and should always be <= sizeof(*hm).
      
      However, after copy_from_user(hm, puhm, hm->h.size), since userspace
      process has full control over the memory region pointed by puhm, it is
      possible that the value of hm->h.size is different from what is fetched-in
      previously (get_user(hm->h.size, (u16 __user *)puhm)). In other words,
      hm->h.size is overriden and the relation between hm->h.size and the hm
      struct is broken.
      
      This patch proposes to use a seperate variable, msg_size, to hold
      the value of the first fetch and override hm->h.size to msg_size
      after the second fetch to maintain the relation.
      Signed-off-by: default avatarMeng Xu <mengxu.gatech@gmail.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      e1af344d
  5. 18 Sep, 2017 1 commit
  6. 12 Sep, 2017 2 commits
    • Takashi Iwai's avatar
      ALSA: seq: Cancel pending autoload work at unbinding device · fc27fe7e
      Takashi Iwai authored
      ALSA sequencer core has a mechanism to load the enumerated devices
      automatically, and it's performed in an off-load work.  This seems
      causing some race when a sequencer is removed while the pending
      autoload work is running.  As syzkaller spotted, it may lead to some
      use-after-free:
        BUG: KASAN: use-after-free in snd_rawmidi_dev_seq_free+0x69/0x70
        sound/core/rawmidi.c:1617
        Write of size 8 at addr ffff88006c611d90 by task kworker/2:1/567
      
        CPU: 2 PID: 567 Comm: kworker/2:1 Not tainted 4.13.0+ #29
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
        Workqueue: events autoload_drivers
        Call Trace:
         __dump_stack lib/dump_stack.c:16 [inline]
         dump_stack+0x192/0x22c lib/dump_stack.c:52
         print_address_description+0x78/0x280 mm/kasan/report.c:252
         kasan_report_error mm/kasan/report.c:351 [inline]
         kasan_report+0x230/0x340 mm/kasan/report.c:409
         __asan_report_store8_noabort+0x1c/0x20 mm/kasan/report.c:435
         snd_rawmidi_dev_seq_free+0x69/0x70 sound/core/rawmidi.c:1617
         snd_seq_dev_release+0x4f/0x70 sound/core/seq_device.c:192
         device_release+0x13f/0x210 drivers/base/core.c:814
         kobject_cleanup lib/kobject.c:648 [inline]
         kobject_release lib/kobject.c:677 [inline]
         kref_put include/linux/kref.h:70 [inline]
         kobject_put+0x145/0x240 lib/kobject.c:694
         put_device+0x25/0x30 drivers/base/core.c:1799
         klist_devices_put+0x36/0x40 drivers/base/bus.c:827
         klist_next+0x264/0x4a0 lib/klist.c:403
         next_device drivers/base/bus.c:270 [inline]
         bus_for_each_dev+0x17e/0x210 drivers/base/bus.c:312
         autoload_drivers+0x3b/0x50 sound/core/seq_device.c:117
         process_one_work+0x9fb/0x1570 kernel/workqueue.c:2097
         worker_thread+0x1e4/0x1350 kernel/workqueue.c:2231
         kthread+0x324/0x3f0 kernel/kthread.c:231
         ret_from_fork+0x25/0x30 arch/x86/entry/entry_64.S:425
      
      The fix is simply to assure canceling the autoload work at removing
      the device.
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Tested-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      fc27fe7e
    • Markus Elfring's avatar
      ALSA: firewire: Use common error handling code in snd_motu_stream_start_duplex() · f16e666b
      Markus Elfring authored
      Add a jump target so that a bit of exception handling can be better reused
      at the end of this function.
      
      This issue was detected by using the Coccinelle software.
      Signed-off-by: default avatarMarkus Elfring <elfring@users.sourceforge.net>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      f16e666b
  7. 07 Sep, 2017 10 commits
  8. 04 Sep, 2017 11 commits
  9. 03 Sep, 2017 1 commit
    • Wang YanQing's avatar
      ALSA: hda: Fix regression of hdmi eld control created based on invalid pcm · 1f7f51a6
      Wang YanQing authored
      Commit fb087eaa ("ALSA: hda - hdmi eld control created based on pcm")
      forget to filter out invalid pcm numbers, if there is only one invalid pcm
      number, then this issue causes we create eld control for invalid pcm silently,
      but when there are more than one invalid pcm numbers, then this issue bring
      probe error looks like below dmesg:
      "
      kernel: [    1.647283] snd_hda_intel 0000:00:03.0: bound 0000:00:02.0 (ops 0xc2967540)
      kernel: [    1.651192] snd_hda_intel 0000:00:03.0: Too many HDMI devices
      kernel: [    1.651195] snd_hda_intel 0000:00:03.0: Consider building the kernel with CONFIG_SND_DYNAMIC_MINORS=y
      kernel: [    1.651197] snd_hda_intel 0000:00:03.0: Too many HDMI devices
      kernel: [    1.651199] snd_hda_intel 0000:00:03.0: Consider building the kernel with CONFIG_SND_DYNAMIC_MINORS=y
      kernel: [    1.651201] snd_hda_intel 0000:00:03.0: Too many HDMI devices
      kernel: [    1.651203] snd_hda_intel 0000:00:03.0: Consider building the kernel with CONFIG_SND_DYNAMIC_MINORS=y
      kernel: [    1.651676] snd_hda_intel 0000:00:03.0: control 3:0:0:ELD:0 is already present
      kernel: [    1.651787] snd_hda_codec_hdmi: probe of hdaudioC0D0 failed with error -16
      "
      
      This patch add invalid pcm number filter before calling hdmi_create_eld_ctl.
      
      Fixes: fb087eaa ("ALSA: hda - hdmi eld control created based on pcm")
      Signed-off-by: default avatarWang YanQing <udknight@gmail.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      1f7f51a6
  10. 01 Sep, 2017 8 commits