1. 09 Sep, 2024 1 commit
  2. 06 Sep, 2024 2 commits
  3. 30 Aug, 2024 1 commit
  4. 29 Aug, 2024 2 commits
  5. 28 Aug, 2024 2 commits
  6. 26 Aug, 2024 6 commits
  7. 23 Aug, 2024 4 commits
    • Mohan Kumar's avatar
      ASoC: tegra: Fix CBB error during probe() · 6781b962
      Mohan Kumar authored
      When Tegra audio drivers are built as part of the kernel image,
      TIMEOUT_ERR is observed from cbb-fabric. Following is seen on
      Jetson AGX Orin during boot:
      
      [    8.012482] **************************************
      [    8.017423] CPU:0, Error:cbb-fabric, Errmon:2
      [    8.021922]    Error Code            : TIMEOUT_ERR
      [    8.025966]    Overflow              : Multiple TIMEOUT_ERR
      [    8.030644]
      [    8.032175]    Error Code            : TIMEOUT_ERR
      [    8.036217]    MASTER_ID             : CCPLEX
      [    8.039722]    Address               : 0x290a0a8
      [    8.043318]    Cache                 : 0x1 -- Bufferable
      [    8.047630]    Protection            : 0x2 -- Unprivileged, Non-Secure, Data Access
      [    8.054628]    Access_Type           : Write
      
      [    8.106130] WARNING: CPU: 0 PID: 124 at drivers/soc/tegra/cbb/tegra234-cbb.c:604 tegra234_cbb_isr+0x134/0x178
      
      [    8.240602] Call trace:
      [    8.243126]  tegra234_cbb_isr+0x134/0x178
      [    8.247261]  __handle_irq_event_percpu+0x60/0x238
      [    8.252132]  handle_irq_event+0x54/0xb8
      
      These errors happen when MVC device, which is a child of AHUB
      device, tries to access its device registers. This happens as
      part of call tegra210_mvc_reset_vol_settings() in MVC device
      probe().
      
      The root cause of this problem is, the child MVC device gets
      probed before the AHUB clock gets enabled. The AHUB clock is
      enabled in runtime PM resume of parent AHUB device and due to
      the wrong sequence of pm_runtime_enable() in AHUB driver,
      runtime PM resume doesn't happen for AHUB device when MVC makes
      register access.
      
      Fix this by calling pm_runtime_enable() for parent AHUB device
      before of_platform_populate() in AHUB driver. This ensures that
      clock becomes available when MVC makes register access.
      
      Fixes: 16e1bcc2 ("ASoC: tegra: Add Tegra210 based AHUB driver")
      Signed-off-by: default avatarMohan Kumar <mkumard@nvidia.com>
      Signed-off-by: default avatarRitu Chaudhary <rituc@nvidia.com>
      Signed-off-by: default avatarSameer Pujar <spujar@nvidia.com>
      Link: https://patch.msgid.link/20240823144342.4123814-3-spujar@nvidia.comSigned-off-by: default avatarMark Brown <broonie@kernel.org>
      6781b962
    • robelin's avatar
      ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object · b4a90b54
      robelin authored
      When using kernel with the following extra config,
      
        - CONFIG_KASAN=y
        - CONFIG_KASAN_GENERIC=y
        - CONFIG_KASAN_INLINE=y
        - CONFIG_KASAN_VMALLOC=y
        - CONFIG_FRAME_WARN=4096
      
      kernel detects that snd_pcm_suspend_all() access a freed
      'snd_soc_pcm_runtime' object when the system is suspended, which
      leads to a use-after-free bug:
      
      [   52.047746] BUG: KASAN: use-after-free in snd_pcm_suspend_all+0x1a8/0x270
      [   52.047765] Read of size 1 at addr ffff0000b9434d50 by task systemd-sleep/2330
      
      [   52.047785] Call trace:
      [   52.047787]  dump_backtrace+0x0/0x3c0
      [   52.047794]  show_stack+0x34/0x50
      [   52.047797]  dump_stack_lvl+0x68/0x8c
      [   52.047802]  print_address_description.constprop.0+0x74/0x2c0
      [   52.047809]  kasan_report+0x210/0x230
      [   52.047815]  __asan_report_load1_noabort+0x3c/0x50
      [   52.047820]  snd_pcm_suspend_all+0x1a8/0x270
      [   52.047824]  snd_soc_suspend+0x19c/0x4e0
      
      The snd_pcm_sync_stop() has a NULL check on 'substream->runtime' before
      making any access. So we need to always set 'substream->runtime' to NULL
      everytime we kfree() it.
      
      Fixes: a72706ed ("ASoC: codec2codec: remove ephemeral variables")
      Signed-off-by: default avatarrobelin <robelin@nvidia.com>
      Signed-off-by: default avatarSameer Pujar <spujar@nvidia.com>
      Link: https://patch.msgid.link/20240823144342.4123814-2-spujar@nvidia.comSigned-off-by: default avatarMark Brown <broonie@kernel.org>
      b4a90b54
    • Hans de Goede's avatar
      ASoC: Intel: soc-acpi-cht: Make Lenovo Yoga Tab 3 X90F DMI match less strict · 839a4ec0
      Hans de Goede authored
      There are 2G and 4G RAM versions of the Lenovo Yoga Tab 3 X90F and it
      turns out that the 2G version has a DMI product name of
      "CHERRYVIEW D1 PLATFORM" where as the 4G version has
      "CHERRYVIEW C0 PLATFORM". The sys-vendor + product-version check are
      unique enough that the product-name check is not necessary.
      
      Drop the product-name check so that the existing DMI match for the 4G
      RAM version also matches the 2G RAM version.
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Reviewed-by: default avatarPierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
      Link: https://patch.msgid.link/20240823074305.16873-1-hdegoede@redhat.comSigned-off-by: default avatarMark Brown <broonie@kernel.org>
      839a4ec0
    • Hans de Goede's avatar
      ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards harder · 0cc65482
      Hans de Goede authored
      Since commit 13f58267 ("ASoC: soc.h: don't create dummy Component
      via COMP_DUMMY()") dummy codecs declared like this:
      
      SND_SOC_DAILINK_DEF(dummy,
              DAILINK_COMP_ARRAY(COMP_DUMMY()));
      
      expand to:
      
      static struct snd_soc_dai_link_component dummy[] = {
      };
      
      Which means that dummy is a zero sized array and thus dais[i].codecs should
      not be dereferenced *at all* since it points to the address of the next
      variable stored in the data section as the "dummy" variable has an address
      but no size, so even dereferencing dais[0] is already an out of bounds
      array reference.
      
      Which means that the if (dais[i].codecs->name) check added in
      commit 7d99a70b ("ASoC: Intel: Boards: Fix NULL pointer deref
      in BYT/CHT boards") relies on that the part of the next variable which
      the name member maps to just happens to be NULL.
      
      Which apparently so far it usually is, except when it isn't
      and then it results in crashes like this one:
      
      [   28.795659] BUG: unable to handle page fault for address: 0000000000030011
      ...
      [   28.795780] Call Trace:
      [   28.795787]  <TASK>
      ...
      [   28.795862]  ? strcmp+0x18/0x40
      [   28.795872]  0xffffffffc150c605
      [   28.795887]  platform_probe+0x40/0xa0
      ...
      [   28.795979]  ? __pfx_init_module+0x10/0x10 [snd_soc_sst_bytcr_wm5102]
      
      Really fix things this time around by checking dais.num_codecs != 0.
      
      Fixes: 7d99a70b ("ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Reviewed-by: default avatarPierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
      Link: https://patch.msgid.link/20240823074217.14653-1-hdegoede@redhat.comSigned-off-by: default avatarMark Brown <broonie@kernel.org>
      0cc65482
  8. 22 Aug, 2024 2 commits
  9. 21 Aug, 2024 2 commits
  10. 16 Aug, 2024 1 commit
  11. 15 Aug, 2024 1 commit
  12. 14 Aug, 2024 2 commits
  13. 13 Aug, 2024 4 commits
  14. 08 Aug, 2024 10 commits