1. 11 Mar, 2018 1 commit
    • Takashi Iwai's avatar
      ALSA: pcm: Fix UAF in snd_pcm_oss_get_formats() · 01c0b426
      Takashi Iwai authored
      snd_pcm_oss_get_formats() has an obvious use-after-free around
      snd_mask_test() calls, as spotted by syzbot.  The passed format_mask
      argument is a pointer to the hw_params object that is freed before the
      loop.  What a surprise that it has been present since the original
      code of decades ago...
      
      Reported-by: syzbot+4090700a4f13fccaf648@syzkaller.appspotmail.com
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      01c0b426
  2. 10 Mar, 2018 2 commits
    • Takashi Iwai's avatar
      ALSA: seq: Clear client entry before deleting else at closing · a2ff19f7
      Takashi Iwai authored
      When releasing a client, we need to clear the clienttab[] entry at
      first, then call snd_seq_queue_client_leave().  Otherwise, the
      in-flight cell in the queue might be picked up by the timer interrupt
      via snd_seq_check_queue() before calling snd_seq_queue_client_leave(),
      and it's delivered to another queue while the client is clearing
      queues.  This may eventually result in an uncleared cell remaining in
      a queue, and the later snd_seq_pool_delete() may need to wait for a
      long time until the event gets really processed.
      
      By moving the clienttab[] clearance at the beginning of release, any
      event delivery of a cell belonging to this client will fail at a later
      point, since snd_seq_client_ptr() returns NULL.  Thus the cell that
      was picked up by the timer interrupt will be returned immediately
      without further delivery, and the long stall of snd_seq_delete_pool()
      can be avoided, too.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      a2ff19f7
    • Takashi Iwai's avatar
      ALSA: seq: Fix possible UAF in snd_seq_check_queue() · d0f83306
      Takashi Iwai authored
      Although we've covered the races between concurrent write() and
      ioctl() in the previous patch series, there is still a possible UAF in
      the following scenario:
      
      A: user client closed		B: timer irq
        -> snd_seq_release()		  -> snd_seq_timer_interrupt()
          -> snd_seq_free_client()	    -> snd_seq_check_queue()
      				      -> cell = snd_seq_prioq_cell_peek()
            -> snd_seq_prioq_leave()
               .... removing all cells
            -> snd_seq_pool_done()
               .... vfree()
      				      -> snd_seq_compare_tick_time(cell)
      				         ... Oops
      
      So the problem is that a cell is peeked and accessed without any
      protection until it's retrieved from the queue again via
      snd_seq_prioq_cell_out().
      
      This patch tries to address it, also cleans up the code by a slight
      refactoring.  snd_seq_prioq_cell_out() now receives an extra pointer
      argument.  When it's non-NULL, the function checks the event timestamp
      with the given pointer.  The caller needs to pass the right reference
      either to snd_seq_tick or snd_seq_realtime depending on the event
      timestamp type.
      
      A good news is that the above change allows us to remove the
      snd_seq_prioq_cell_peek(), too, thus the patch actually reduces the
      code size.
      Reviewed-by: default avatarNicolai Stange <nstange@suse.de>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      d0f83306
  3. 08 Mar, 2018 6 commits
  4. 06 Mar, 2018 4 commits
  5. 02 Mar, 2018 1 commit
  6. 28 Feb, 2018 3 commits
    • Takashi Iwai's avatar
      ALSA: x86: Fix potential crash at error path · c77a6edb
      Takashi Iwai authored
      When LPE audio driver gets some error at probing, it may lead to a
      crash because of canceling the pending work in hdmi_lpe_audio_free(),
      since some of ports might be still not initialized.
      
      For assuring the proper free of each port, initialize all ports at the
      beginning of the probe.
      
      Fixes: b4eb0d52 ("ALSA: x86: Split snd_intelhad into card and PCM specific structures")
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      c77a6edb
    • Takashi Iwai's avatar
      ALSA: x86: Fix missing spinlock and mutex initializations · 35014406
      Takashi Iwai authored
      The commit change for supporting the multiple ports moved involved
      some code shuffling, and there the initializations of spinlock and
      mutex in snd_intelhad object were dropped mistakenly.
      
      This patch adds the missing initializations again for each port.
      
      Fixes: b4eb0d52 ("ALSA: x86: Split snd_intelhad into card and PCM specific structures")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      35014406
    • Richard Fitzgerald's avatar
      ALSA: control: Fix memory corruption risk in snd_ctl_elem_read · 5a23699a
      Richard Fitzgerald authored
      The patch "ALSA: control: code refactoring for ELEM_READ/ELEM_WRITE
      operations" introduced a potential for kernel memory corruption due
      to an incorrect if statement allowing non-readable controls to fall
      through and call the get function. For TLV controls a driver can omit
      SNDRV_CTL_ELEM_ACCESS_READ to ensure that only the TLV get function
      can be called. Instead the normal get() can be invoked unexpectedly
      and as the driver expects that this will only be called for controls
      <= 512 bytes, potentially try to copy >512 bytes into the 512 byte
      return array, so corrupting kernel memory.
      
      The problem is an attempt to refactor the snd_ctl_elem_read function
      to invert the logic so that it conditionally aborted if the control
      is unreadable instead of conditionally executing. But the if statement
      wasn't inverted correctly.
      
      The correct inversion of
      
          if (a && !b)
      
      is
          if (!a || b)
      
      Fixes: becf9e5d ("ALSA: control: code refactoring for ELEM_READ/ELEM_WRITE operations")
      Signed-off-by: default avatarRichard Fitzgerald <rf@opensource.cirrus.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      5a23699a
  7. 26 Feb, 2018 1 commit
    • Takashi Iwai's avatar
      ALSA: hda - Fix pincfg at resume on Lenovo T470 dock · 71db96dd
      Takashi Iwai authored
      We've added a quirk to enable the recent Lenovo dock support, where it
      overwrites the pin configs of NID 0x17 and 19, not only updating the
      pin config cache.  It works right after the boot, but the problem is
      that the pin configs are occasionally cleared when the machine goes to
      PM.  Meanwhile the quirk writes the pin configs only at the pre-probe,
      so this won't be applied any longer.
      
      For addressing that issue, this patch moves the code to overwrite the
      pin configs into HDA_FIXUP_ACT_INIT section so that it's always
      applied at both probe and resume time.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195161
      Fixes: 61fcf8ec ("ALSA: hda/realtek - Enable Thinkpad Dock device for ALC298 platform")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      71db96dd
  8. 24 Feb, 2018 2 commits
  9. 22 Feb, 2018 1 commit
    • Takashi Iwai's avatar
      ALSA: x86: hdmi: Add single_port option for compatible behavior · 7229b12f
      Takashi Iwai authored
      The recent support for the multiple PCM devices allowed user to use
      multiple HDMI/DP outputs, but at the same time, the PCM stream
      assignment has been changed, too.  Due to that, the former PCM#0
      (there was only one stream in the past) is likely assigned to a
      different one (e.g. PCM#2), and it ends up with the regression when
      user sticks with the fixed configuration using the device#0.
      
      Although the multiple monitor support shouldn't matter when user
      deploys the backend like PulseAudio that checks the jack detection
      state, the behavior change isn't always acceptable for some users.
      
      As a mitigation, this patch introduces an option to switch the
      behavior back to the old-good-days: when the new option,
      single_port=1, is passed, the driver creates only a single PCM device,
      and it's assigned to the first connected one, like the earlier
      versions did.  The option is turned off as default still to support
      the multiple monitors.
      
      Fixes: 8a2d6ae1 ("ALSA: x86: Register multiple PCM devices for the LPE audio card")
      Reported-and-tested-by: default avatarHubert Mantel <mantel@metadox.de>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      7229b12f
  10. 14 Feb, 2018 2 commits
    • Jan-Marek Glogowski's avatar
      ALSA: hda/realtek: PCI quirk for Fujitsu U7x7 · fdcc968a
      Jan-Marek Glogowski authored
      These laptops have a combined jack to attach headsets, the U727 on
      the left, the U757 on the right, but a headsets microphone doesn't
      work. Using hdajacksensetest I found that pin 0x19 changed the
      present state when plugging the headset, in addition to 0x21, but
      didn't have the correct configuration (shown as "Not connected").
      
      So this sets the configuration to the same values as the headphone
      pin 0x21 except for the device type microphone, which makes it
      work correctly. With the patch the configured pins for U727 are
      
      Pin 0x12 (Internal Mic, Mobile-In): present = No
      Pin 0x14 (Internal Speaker): present = No
      Pin 0x19 (Black Mic, Left side): present = No
      Pin 0x1d (Internal Aux): present = No
      Pin 0x21 (Black Headphone, Left side): present = No
      Signed-off-by: default avatarJan-Marek Glogowski <glogow@fbihome.de>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      fdcc968a
    • Takashi Iwai's avatar
      ALSA: seq: Fix racy pool initializations · d15d662e
      Takashi Iwai authored
      ALSA sequencer core initializes the event pool on demand by invoking
      snd_seq_pool_init() when the first write happens and the pool is
      empty.  Meanwhile user can reset the pool size manually via ioctl
      concurrently, and this may lead to UAF or out-of-bound accesses since
      the function tries to vmalloc / vfree the buffer.
      
      A simple fix is to just wrap the snd_seq_pool_init() call with the
      recently introduced client->ioctl_mutex; as the calls for
      snd_seq_pool_init() from other side are always protected with this
      mutex, we can avoid the race.
      Reported-by: default avatar范龙飞 <long7573@126.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      d15d662e
  11. 12 Feb, 2018 6 commits
  12. 11 Feb, 2018 9 commits
    • Linus Torvalds's avatar
      Linux 4.16-rc1 · 7928b2cb
      Linus Torvalds authored
      7928b2cb
    • Al Viro's avatar
      unify {de,}mangle_poll(), get rid of kernel-side POLL... · 7a163b21
      Al Viro authored
      except, again, POLLFREE and POLL_BUSY_LOOP.
      
      With this, we finally get to the promised end result:
      
       - POLL{IN,OUT,...} are plain integers and *not* in __poll_t, so any
         stray instances of ->poll() still using those will be caught by
         sparse.
      
       - eventpoll.c and select.c warning-free wrt __poll_t
      
       - no more kernel-side definitions of POLL... - userland ones are
         visible through the entire kernel (and used pretty much only for
         mangle/demangle)
      
       - same behavior as after the first series (i.e. sparc et.al. epoll(2)
         working correctly).
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      7a163b21
    • Linus Torvalds's avatar
      vfs: do bulk POLL* -> EPOLL* replacement · a9a08845
      Linus Torvalds authored
      This is the mindless scripted replacement of kernel use of POLL*
      variables as described by Al, done by this script:
      
          for V in IN OUT PRI ERR RDNORM RDBAND WRNORM WRBAND HUP RDHUP NVAL MSG; do
              L=`git grep -l -w POLL$V | grep -v '^t' | grep -v /um/ | grep -v '^sa' | grep -v '/poll.h$'|grep -v '^D'`
              for f in $L; do sed -i "-es/^\([^\"]*\)\(\<POLL$V\>\)/\\1E\\2/" $f; done
          done
      
      with de-mangling cleanups yet to come.
      
      NOTE! On almost all architectures, the EPOLL* constants have the same
      values as the POLL* constants do.  But they keyword here is "almost".
      For various bad reasons they aren't the same, and epoll() doesn't
      actually work quite correctly in some cases due to this on Sparc et al.
      
      The next patch from Al will sort out the final differences, and we
      should be all done.
      Scripted-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      a9a08845
    • Linus Torvalds's avatar
      Merge branch 'work.poll2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · ee5daa13
      Linus Torvalds authored
      Pull more poll annotation updates from Al Viro:
       "This is preparation to solving the problems you've mentioned in the
        original poll series.
      
        After this series, the kernel is ready for running
      
            for V in IN OUT PRI ERR RDNORM RDBAND WRNORM WRBAND HUP RDHUP NVAL MSG; do
                  L=`git grep -l -w POLL$V | grep -v '^t' | grep -v /um/ | grep -v '^sa' | grep -v '/poll.h$'|grep -v '^D'`
                  for f in $L; do sed -i "-es/^\([^\"]*\)\(\<POLL$V\>\)/\\1E\\2/" $f; done
            done
      
        as a for bulk search-and-replace.
      
        After that, the kernel is ready to apply the patch to unify
        {de,}mangle_poll(), and then get rid of kernel-side POLL... uses
        entirely, and we should be all done with that stuff.
      
        Basically, that's what you suggested wrt KPOLL..., except that we can
        use EPOLL... instead - they already are arch-independent (and equal to
        what is currently kernel-side POLL...).
      
        After the preparations (in this series) switch to returning EPOLL...
        from ->poll() instances is completely mechanical and kernel-side
        POLL... can go away. The last step (killing kernel-side POLL... and
        unifying {de,}mangle_poll() has to be done after the
        search-and-replace job, since we need userland-side POLL... for
        unified {de,}mangle_poll(), thus the cherry-pick at the last step.
      
        After that we will have:
      
         - POLL{IN,OUT,...} *not* in __poll_t, so any stray instances of
           ->poll() still using those will be caught by sparse.
      
         - eventpoll.c and select.c warning-free wrt __poll_t
      
         - no more kernel-side definitions of POLL... - userland ones are
           visible through the entire kernel (and used pretty much only for
           mangle/demangle)
      
         - same behavior as after the first series (i.e. sparc et.al. epoll(2)
           working correctly)"
      
      * 'work.poll2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        annotate ep_scan_ready_list()
        ep_send_events_proc(): return result via esed->res
        preparation to switching ->poll() to returning EPOLL...
        add EPOLLNVAL, annotate EPOLL... and event_poll->event
        use linux/poll.h instead of asm/poll.h
        xen: fix poll misannotation
        smc: missing poll annotations
      ee5daa13
    • Linus Torvalds's avatar
      Merge tag 'xtensa-20180211' of git://github.com/jcmvbkbc/linux-xtensa · 3fc928dc
      Linus Torvalds authored
      Pull xtense fix from Max Filippov:
       "Build fix for xtensa architecture with KASAN enabled"
      
      * tag 'xtensa-20180211' of git://github.com/jcmvbkbc/linux-xtensa:
        xtensa: fix build with KASAN
      3fc928dc
    • Linus Torvalds's avatar
      Merge tag 'nios2-v4.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/lftan/nios2 · 60d7a21a
      Linus Torvalds authored
      Pull nios2 update from Ley Foon Tan:
      
       - clean up old Kconfig options from defconfig
      
       - remove leading 0x and 0s from bindings notation in dts files
      
      * tag 'nios2-v4.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/lftan/nios2:
        nios2: defconfig: Cleanup from old Kconfig options
        nios2: dts: Remove leading 0x and 0s from bindings notation
      60d7a21a
    • Max Filippov's avatar
      xtensa: fix build with KASAN · f8d0cbf2
      Max Filippov authored
      The commit 917538e2 ("kasan: clean up KASAN_SHADOW_SCALE_SHIFT
      usage") removed KASAN_SHADOW_SCALE_SHIFT definition from
      include/linux/kasan.h and added it to architecture-specific headers,
      except for xtensa. This broke the xtensa build with KASAN enabled.
      Define KASAN_SHADOW_SCALE_SHIFT in arch/xtensa/include/asm/kasan.h
      
      Reported by: kbuild test robot <fengguang.wu@intel.com>
      Fixes: 917538e2 ("kasan: clean up KASAN_SHADOW_SCALE_SHIFT usage")
      Acked-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarMax Filippov <jcmvbkbc@gmail.com>
      f8d0cbf2
    • Krzysztof Kozlowski's avatar
      nios2: defconfig: Cleanup from old Kconfig options · e0691ebb
      Krzysztof Kozlowski authored
      Remove old, dead Kconfig option INET_LRO. It is gone since
      commit 7bbf3cae ("ipv4: Remove inet_lro library").
      Signed-off-by: default avatarKrzysztof Kozlowski <krzk@kernel.org>
      Acked-by: default avatarLey Foon Tan <ley.foon.tan@intel.com>
      e0691ebb
    • Mathieu Malaterre's avatar
      nios2: dts: Remove leading 0x and 0s from bindings notation · 5d13c731
      Mathieu Malaterre authored
      Improve the DTS files by removing all the leading "0x" and zeros to fix the
      following dtc warnings:
      
      Warning (unit_address_format): Node /XXX unit name should not have leading "0x"
      
      and
      
      Warning (unit_address_format): Node /XXX unit name should not have leading 0s
      
      Converted using the following command:
      
      find . -type f \( -iname *.dts -o -iname *.dtsi \) -exec sed -E -i -e "s/@0x([0-9a-fA-F\.]+)\s?\{/@\L\1 \{/g" -e "s/@0+([0-9a-fA-F\.]+)\s?\{/@\L\1 \{/g" {} +
      
      For simplicity, two sed expressions were used to solve each warnings separately.
      
      To make the regex expression more robust a few other issues were resolved,
      namely setting unit-address to lower case, and adding a whitespace before the
      the opening curly brace:
      
      https://elinux.org/Device_Tree_Linux#Linux_conventions
      
      This is a follow up to commit 4c9847b7 ("dt-bindings: Remove leading 0x from bindings notation")
      Reported-by: default avatarDavid Daney <ddaney@caviumnetworks.com>
      Suggested-by: default avatarRob Herring <robh@kernel.org>
      Signed-off-by: default avatarMathieu Malaterre <malat@debian.org>
      Acked-by: default avatarLey Foon Tan <ley.foon.tan@intel.com>
      5d13c731
  13. 10 Feb, 2018 2 commits
    • Linus Torvalds's avatar
      Merge tag 'pci-v4.16-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci · d48fcbd8
      Linus Torvalds authored
      Pull PCI fix from Bjorn Helgaas:
       "Fix a POWER9/powernv INTx regression from the merge window (Alexey
        Kardashevskiy)"
      
      * tag 'pci-v4.16-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
        powerpc/pci: Fix broken INTx configuration via OF
      d48fcbd8
    • Linus Torvalds's avatar
      Merge tag 'for-linus-20180210' of git://git.kernel.dk/linux-block · 9454473c
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "A few fixes to round off the merge window on the block side:
      
         - a set of bcache fixes by way of Michael Lyle, from the usual bcache
           suspects.
      
         - add a simple-to-hook-into function for bpf EIO error injection.
      
         - fix blk-wbt that mischarectized flushes as reads. Improve the logic
           so that flushes and writes are accounted as writes, and only reads
           as reads. From me.
      
         - fix requeue crash in BFQ, from Paolo"
      
      * tag 'for-linus-20180210' of git://git.kernel.dk/linux-block:
        block, bfq: add requeue-request hook
        bcache: fix for data collapse after re-attaching an attached device
        bcache: return attach error when no cache set exist
        bcache: set writeback_rate_update_seconds in range [1, 60] seconds
        bcache: fix for allocator and register thread race
        bcache: set error_limit correctly
        bcache: properly set task state in bch_writeback_thread()
        bcache: fix high CPU occupancy during journal
        bcache: add journal statistic
        block: Add should_fail_bio() for bpf error injection
        blk-wbt: account flush requests correctly
      9454473c