1. 18 Mar, 2022 1 commit
    • ALSA: oss: Fix PCM OSS buffer allocation overflow · efb6402c
      Takashi Iwai authored
      We've got syzbot reports hitting INT_MAX overflow at vmalloc()
      allocation that is called from snd_pcm_plug_alloc().  Although we
      apply the restrictions to input parameters, it's based only on the
      hw_params of the underlying PCM device.  Since the PCM OSS layer
      allocates a temporary buffer for the data conversion, the size may
      become unexpectedly large when more channels or higher rates are given;
      in the reported case, it went over INT_MAX, hence it hits WARN_ON().
      
      This patch is an attempt to avoid such an overflow and an allocation
      for too large buffers.  First off, it adds the limit of 1MB as the
      upper bound for period bytes.  This must be large enough for all use
      cases, and we really don't want to handle a larger temporary buffer
      than this size.  The size check is performed at two places, where the
      original period bytes is calculated and where the plugin buffer size
      is calculated.
      
      In addition, the driver uses array_size() and array3_size() for
      multiplications to catch overflows for the converted period size and
      buffer bytes.
      
      Reported-by: syzbot+72732c532ac1454eeee9@syzkaller.appspotmail.com
      Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/00000000000085b1b305da5a66f3@google.com
      Link: https://lore.kernel.org/r/20220318082036.29699-1-tiwai@suse.de
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
  2. 14 Mar, 2022 2 commits
  3. 12 Mar, 2022 1 commit
  4. 11 Mar, 2022 1 commit
  5. 10 Mar, 2022 1 commit
    • Merge tag 'asoc-fix-v5.17-rc7' of... · 09354ebe
      Takashi Iwai authored
      Merge tag 'asoc-fix-v5.17-rc7' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
      
      ASoC: Potential fixes for v5.17
      
      Rather more fixes here than I'm comfortable with, we've had several
      vendors noticing issues late in the release cycle all of which are valid
      and reasonable fixes but it adds up to a much larger change set than I'd
      like.  Several of the AMD fixes look like cleanups from the subject
      lines but are actually fixing user visible problems as well.
      
      If you were to merge this for 5.18 rather than 5.17 it wouldn't be the
      end of the world, stable will probably backport everything anyway.
  6. 08 Mar, 2022 1 commit
  7. 07 Mar, 2022 3 commits
  8. 05 Mar, 2022 2 commits
  9. 04 Mar, 2022 1 commit
    • ALSA: firewire-lib: fix uninitialized flag for AV/C deferred transaction · bf0cd60b
      Takashi Sakamoto authored
      AV/C deferred transaction was supported at a commit 00a7bb81 ("ALSA:
      firewire-lib: Add support for deferred transaction") while 'deferrable'
      flag can be uninitialized for non-control/notify AV/C transactions.
      UBSAN reports it:
      
      kernel: ================================================================================
      kernel: UBSAN: invalid-load in /build/linux-aa0B4d/linux-5.15.0/sound/firewire/fcp.c:363:9
      kernel: load of value 158 is not a valid value for type '_Bool'
      kernel: CPU: 3 PID: 182227 Comm: irq/35-firewire Tainted: P           OE     5.15.0-18-generic #18-Ubuntu
      kernel: Hardware name: Gigabyte Technology Co., Ltd. AX370-Gaming 5/AX370-Gaming 5, BIOS F42b 08/01/2019
      kernel: Call Trace:
      kernel:  <IRQ>
      kernel:  show_stack+0x52/0x58
      kernel:  dump_stack_lvl+0x4a/0x5f
      kernel:  dump_stack+0x10/0x12
      kernel:  ubsan_epilogue+0x9/0x45
      kernel:  __ubsan_handle_load_invalid_value.cold+0x44/0x49
      kernel:  fcp_response.part.0.cold+0x1a/0x2b [snd_firewire_lib]
      kernel:  fcp_response+0x28/0x30 [snd_firewire_lib]
      kernel:  fw_core_handle_request+0x230/0x3d0 [firewire_core]
      kernel:  handle_ar_packet+0x1d9/0x200 [firewire_ohci]
      kernel:  ? handle_ar_packet+0x1d9/0x200 [firewire_ohci]
      kernel:  ? transmit_complete_callback+0x9f/0x120 [firewire_core]
      kernel:  ar_context_tasklet+0xa8/0x2e0 [firewire_ohci]
      kernel:  tasklet_action_common.constprop.0+0xea/0xf0
      kernel:  tasklet_action+0x22/0x30
      kernel:  __do_softirq+0xd9/0x2e3
      kernel:  ? irq_finalize_oneshot.part.0+0xf0/0xf0
      kernel:  do_softirq+0x75/0xa0
      kernel:  </IRQ>
      kernel:  <TASK>
      kernel:  __local_bh_enable_ip+0x50/0x60
      kernel:  irq_forced_thread_fn+0x7e/0x90
      kernel:  irq_thread+0xba/0x190
      kernel:  ? irq_thread_fn+0x60/0x60
      kernel:  kthread+0x11e/0x140
      kernel:  ? irq_thread_check_affinity+0xf0/0xf0
      kernel:  ? set_kthread_struct+0x50/0x50
      kernel:  ret_from_fork+0x22/0x30
      kernel:  </TASK>
      kernel: ================================================================================
      
      This commit fixes the bug. The bug has no disadvantage for the non-
      control/notify AV/C transactions since the flag has an effect for AV/C
      response with INTERIM (0x0f) status which is not used for the transactions
      in AV/C general specification.
      
      Fixes: 00a7bb81 ("ALSA: firewire-lib: Add support for deferred transaction")
      Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
      Link: https://lore.kernel.org/r/20220304125647.78430-1-o-takashi@sakamocchi.jp
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
  10. 02 Mar, 2022 1 commit
  11. 24 Feb, 2022 9 commits
  12. 23 Feb, 2022 8 commits
  13. 17 Feb, 2022 3 commits
  14. 16 Feb, 2022 2 commits
  15. 14 Feb, 2022 4 commits