- 30 Oct, 2017 1 commit
-
-
Randy Dunlap authored
Fix kernel-doc build error. A symbol that ends with an underscore character ('_') has special meaning in reST (reStructuredText), so add a '*' to prevent this error and to indicate that there are several of these values to choose from. ../sound/core/jack.c:312: ERROR: Unknown target name: "snd_jack_btn". Signed-off-by: Randy Dunlap <rdunlap@infradead.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
- 26 Oct, 2017 2 commits
-
-
Peisen authored
Add Clevo-P51 mode support for ALC1220. ALC1220 Clevo-p51 Speaker uses I2S output. We therefore want to make sure 0x14 (Headphones) and 0x1b (Speakers) use to stereo DAC 0x02. Signed-off-by: Peisen Hou <pshou@realtek.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Kees Cook authored
In preparation for unconditionally passing the struct timer_list pointer to all timer callbacks, switch to using the new timer_setup() and from_timer() to pass the timer pointer explicitly. These are all the "mechanical" changes remaining in the sound subsystem. Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Mark Brown <broonie@kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
- 25 Oct, 2017 2 commits
-
-
Takashi Iwai authored
Currently the SB8 MIDI code sets up the timer object at each time before scheduling it at trigger callback, but basically this is superfluous once after set up. Also, the code misses the del_timer_sync() call that may leave a race condition for use-after-free. This patch addresses these issues, moving timer_setup() to snd_sb8dsp_midi(), and adding the del_timer_sync() call at snd_sb8dsp_midi_output_trigger() to make sure. Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Kees Cook authored
In preparation for unconditionally passing the struct timer_list pointer to all timer callbacks, switch to using the new timer_setup() and from_timer() to pass the timer pointer explicitly. [Re-use the existing chip->midi_substream_output instead of assigning a new field to struct snd_sb -- tiwai] Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
- 24 Oct, 2017 5 commits
-
-
Kees Cook authored
In preparation for unconditionally passing the struct timer_list pointer to all timer callbacks, switch to using the new timer_setup() and from_timer() to pass the timer pointer explicitly. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Kees Cook authored
In preparation for unconditionally passing the struct timer_list pointer to all timer callbacks, switch to using the new timer_setup() and from_timer() to pass the timer pointer explicitly. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Kees Cook authored
In preparation for unconditionally passing the struct timer_list pointer to all timer callbacks, switch to using the new timer_setup() and from_timer() to pass the timer pointer explicitly. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Takashi Iwai authored
Pull snd_card_disconnect_sync() extension for ASoC hot-unplug support. Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Rakesh Ughreja authored
On reading wrong capability pointer values driver may crash, so whenever driver discovers unknown HDA capability, log it as error and stop traversing the link list further. Signed-off-by: Rakesh Ughreja <rakesh.a.ughreja@intel.com> Acked-by: Vinod Koul <vinod.koul@intel.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
- 19 Oct, 2017 1 commit
-
-
Takashi Iwai authored
The refresh of HD-audio widget sysfs kobjects via snd_hdac_refresh_widget_sysfs() is slightly racy. The driver recreates the whole tree from scratch after deleting the whole. When CONFIG_DEBUG_KOBJECT_RELEASE option is used, kobject release doesn't happen immediately but delayed, while the re-creation of the same named kobject happens soon after invoking kobject_put(). This may end up with the conflicts of duplicated kobjects, as found in the bug report below. In this patch, we take another approach to refresh the tree: instead of recreating the whole tree, just add the new nodes and delete the non-existing nodes. Since the refresh happens only once at initialization, no longer race would happen. Along with the code change, merge snd_hdac_refresh_widget_sysfs() with the existing snd_hdac_refresh_widgets() with an additional bool flag for simplifying the code. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=197307Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
- 18 Oct, 2017 3 commits
-
-
Takashi Iwai authored
For allowing user to apply the existing quirk on a machine with a different SSID, add a new model string entry, alc700-ref. The quirk itself was introduced in the commit b84e8436: "ALSA: hda/realtek - Enable jack detection function for Intel ALC700") Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Takashi Iwai authored
So far we assumed that each driver implements the hotplug PCM handling properly, e.g. dealing with the pending PCM stream at disconnect callback. But most codes don't care, and it eventually leaves the PCM stream inconsistent state when an abrupt disconnection like sysfs unbind happens. This patch is simple but a big-hammer solution: invoke snd_pcm_stop() at the common PCM disconnect callback always when the stream is running. Tested-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Takashi Iwai authored
The internal PCM (aka DPCM backend PCM) doesn't need any registration procedure, thus currently we bail out immediately at dev_register callback. Similarly, its counterpart, dev_disconnect callback, is superfluous for the internal PCM. For simplifying and avoiding the conflicting disconnect call for internal PCM objects, this patch drops dev_register and dev_disconnect callbacks for the internal ops. The only uncertain thing by this action is whether skipping the PCM state change to SNDRV_PCM_STATE_DISCONNECT for the internal PCM is mandatory. Looking through the current implementations, this doesn't look so, hence dropping the whole dev_disconnect would make more sense. Tested-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
- 17 Oct, 2017 4 commits
-
-
Colin Ian King authored
The assignment to variable tmp is redundant as the value is never read and a new value is assigned to tmp in the following for-loop, so remove the assignment. Cleans up clang warning: Value stored to 'tmp' is never read Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Colin Ian King authored
The assignment to variable i is redundant as it is never read because it is updated a little later on. Remove this assignment. Cleans up clang warning: Value stored to 'i' is never read Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Kees Cook authored
In preparation for unconditionally passing the struct timer_list pointer to all timer callbacks, switch to using the new timer_setup() and from_timer() to pass the timer pointer explicitly. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Takashi Iwai authored
Back-merge for applying the timer API conversion patch for line6 driver that conflicts with the recent fix in upstream. Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
- 16 Oct, 2017 5 commits
-
-
Colin Ian King authored
The pointer card is being assigned a value but it is never used. Remove this redundant variable. Cleans up clang warning: Value stored to 'card' is never read Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Colin Ian King authored
Variable dpcm is never used and hence can be removed. Variable runtime is being assigned but is never read, so the assignment is redundant and can be removed. Cleans up two clang warnings: Value stored to 'dpcm' is never read Value stored to 'runtime' is never read Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Colin Ian King authored
The variable p2 is being assigned but never used, it is redundant and can be safely removed. Cleans up clang warning: Value stored to 'p2' is never read. Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Colin Ian King authored
Variable result is being assigned a value from a calculation however the variable is never read, so this redundant variable can be removed. Cleans up clang warning: Value stored to 'result' is never read Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Colin Ian King authored
An earlier commit removed the access to variable runtime and we are now left with unused variable that is redundant, so remove it. Cleans up the clang warning: Value stored to 'runtime' is never read Fixes: e11f0f90 ("ALSA: pcm: remove SNDRV_PCM_IOCTL1_INFO internal command") Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
- 13 Oct, 2017 2 commits
-
-
Dan Carpenter authored
If snd_hda_get_conn_list() fails then "conn" isn't initialized. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Jérémy Lefaure authored
Using the ARRAY_SIZE macro improves the readability of the code. Found with Coccinelle with the following semantic patch: @r depends on (org || report)@ type T; T[] E; position p; @@ ( (sizeof(E)@p /sizeof(*E)) | (sizeof(E)@p /sizeof(E[...])) | (sizeof(E)@p /sizeof(T)) ) Signed-off-by: Jérémy Lefaure <jeremy.lefaure@lse.epita.fr> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
- 11 Oct, 2017 13 commits
-
-
Takashi Iwai authored
caiaq driver doesn't kill the URB properly at its error path during the probe, which may lead to a use-after-free error later. This patch addresses it. Reported-by: Johan Hovold <johan@kernel.org> Reviewed-by: Johan Hovold <johan@kernel.org> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Takashi Iwai authored
Pulling the EP validity checks in USB audio drivers. It also adds a new helper in USB core, which was acked by Greg. Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Takashi Iwai authored
There are a few other places calling usb_submit_urb() with the URB composed from the fixed endpoint without validation. For avoiding the spurious kernel warnings, add the sanity checks to appropriate places. Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Takashi Iwai authored
A few other places in caiaq driver have the URB handling with the fixed endpoints without checking the validity, too. Add the sanity check with the new helper function at each appropriate place for avoiding the spurious kernel warnings due to invalid EPs. Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Takashi Iwai authored
hiface usb-audio driver sets up URBs containing the fixed endpoints without validation. This may end up with an oops-like kernel warning when submitted. For avoiding it, this patch adds the calls of the new sanity-check helper for URBs. Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Takashi Iwai authored
usx2y driver sets up URBs containing the fixed endpoints without validation. This may end up with an oops-like kernel warning when submitted. For avoiding it, this patch adds the calls of the new sanity-check helper for URBs. Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Takashi Iwai authored
USB-audio driver may set up a URB containing the fixed EP without validating its presence for some non-class-compliant devices. This may end up with an oops-like kernel warning when submitted. For avoiding it, this patch adds the call of the new sanity-check helper for URBs. The checks are needed only for MIDI I/O as the other places have already some other checks. Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Takashi Iwai authored
As syzkaller spotted, currently line6 drivers submit a URB with the fixed EP without checking whether it's actually available, which may result in a kernel warning like: usb 1-1: BOGUS urb xfer, pipe 3 != type 1 ------------[ cut here ]------------ WARNING: CPU: 0 PID: 24 at drivers/usb/core/urb.c:449 usb_submit_urb+0xf8a/0x11d0 Modules linked in: CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc2-42613-g1488251d1a98 #238 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Workqueue: usb_hub_wq hub_event Call Trace: line6_start_listen+0x55f/0x9e0 sound/usb/line6/driver.c:82 line6_init_cap_control sound/usb/line6/driver.c:690 line6_probe+0x7c9/0x1310 sound/usb/line6/driver.c:764 podhd_probe+0x64/0x70 sound/usb/line6/podhd.c:474 usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361 .... This patch adds a sanity check of validity of EPs at the device initialization phase for avoiding the call with an invalid EP. Reported-by: Andrey Konovalov <andreyknvl@google.com> Tested-by: Andrey Konovalov <andreyknvl@google.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Takashi Iwai authored
As syzkaller spotted, currently caiaq driver submits a URB with the fixed EP without checking whether it's actually available, which may result in a kernel warning like: usb 1-1: BOGUS urb xfer, pipe 3 != type 1 ------------[ cut here ]------------ WARNING: CPU: 1 PID: 1150 at drivers/usb/core/urb.c:449 usb_submit_urb+0xf8a/0x11d0 Modules linked in: CPU: 1 PID: 1150 Comm: kworker/1:1 Not tainted 4.14.0-rc2-42660-g24b7bd59eec0 #277 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Workqueue: usb_hub_wq hub_event Call Trace: init_card sound/usb/caiaq/device.c:467 snd_probe+0x81c/0x1150 sound/usb/caiaq/device.c:525 usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361 .... This patch adds a sanity check of validity of EPs at the device initialization phase for avoiding the call with an invalid EP. Reported-by: Andrey Konovalov <andreyknvl@google.com> Tested-by: Andrey Konovalov <andreyknvl@google.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Takashi Iwai authored
As syzkaller spotted, currently bcd2000 driver submits a URB with the fixed EP without checking whether it's actually available, which may result in a kernel warning like: usb 1-1: BOGUS urb xfer, pipe 1 != type 3 ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1846 at drivers/usb/core/urb.c:449 usb_submit_urb+0xf8a/0x11d0 Modules linked in: CPU: 0 PID: 1846 Comm: kworker/0:2 Not tainted 4.14.0-rc2-42613-g1488251d1a98 #238 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Workqueue: usb_hub_wq hub_event Call Trace: bcd2000_init_device sound/usb/bcd2000/bcd2000.c:289 bcd2000_init_midi sound/usb/bcd2000/bcd2000.c:345 bcd2000_probe+0xe64/0x19e0 sound/usb/bcd2000/bcd2000.c:406 usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361 .... This patch adds a sanity check of validity of EPs at the device initialization phase for avoiding the call with an invalid EP. Reported-by: Andrey Konovalov <andreyknvl@google.com> Tested-by: Andrey Konovalov <andreyknvl@google.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Takashi Iwai authored
This patch adds a new helper function to perform a sanity check of the given URB to see whether it contains a valid endpoint. It's a light- weight version of what usb_submit_urb() does, but without the kernel warning followed by the stack trace, just returns an error code. Especially for a driver that doesn't parse the descriptor but fills the URB with the fixed endpoint (e.g. some quirks for non-compliant devices), this kind of check is preferable at the probe phase before actually submitting the urb. Tested-by: Andrey Konovalov <andreyknvl@google.com> Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Takashi Iwai authored
In case of user unbind ALSA driver during playing back / capturing, each driver needs to stop and remove it correctly. One note here is that we can't cancel from remove function in such case, because unbind operation doesn't check return value from remove function. So, we *must* stop and remove in this case. For this purpose, we need to sync (= wait) until the all top-level operations are canceled at remove function. For example, snd_card_free() processes the disconnection procedure at first, then waits for the completion. That's how the hot-unplug works safely. It's implemented, at least, in the top-level driver removal. Now for the lower level driver, we need a similar strategy. Notify to the toplevel for hot-unplug (disconnect in ALSA), and sync with the stop operation, then continue the rest of its own remove procedure. This patch adds snd_card_disconnect_sync(), and driver can use it from remove function. Note: the "lower level" driver here refers to a middle layer driver (e.g. ASoC components) that can be unbound freely during operation. Most of legacy ALSA helper drivers don't have such a problem because they can't be unbound. Note#2: snd_card_disconnect_sync() merely calls snd_card_disconnect() and syncs with closing all pending files. It takes only the files opened by user-space into account, and doesn't care about object refcounts. (The latter is handled by snd_card_free() completion call, BTW.) Also, the function doesn't free resources by itself. Tested-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Takashi Iwai authored
There is a potential race window opened at creating and deleting a port via ioctl, as spotted by fuzzing. snd_seq_create_port() creates a port object and returns its pointer, but it doesn't take the refcount, thus it can be deleted immediately by another thread. Meanwhile, snd_seq_ioctl_create_port() still calls the function snd_seq_system_client_ev_port_start() with the created port object that is being deleted, and this triggers use-after-free like: BUG: KASAN: use-after-free in snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] at addr ffff8801f2241cb1 ============================================================================= BUG kmalloc-512 (Tainted: G B ): kasan: bad access detected ----------------------------------------------------------------------------- INFO: Allocated in snd_seq_create_port+0x94/0x9b0 [snd_seq] age=1 cpu=3 pid=4511 ___slab_alloc+0x425/0x460 __slab_alloc+0x20/0x40 kmem_cache_alloc_trace+0x150/0x190 snd_seq_create_port+0x94/0x9b0 [snd_seq] snd_seq_ioctl_create_port+0xd1/0x630 [snd_seq] snd_seq_do_ioctl+0x11c/0x190 [snd_seq] snd_seq_ioctl+0x40/0x80 [snd_seq] do_vfs_ioctl+0x54b/0xda0 SyS_ioctl+0x79/0x90 entry_SYSCALL_64_fastpath+0x16/0x75 INFO: Freed in port_delete+0x136/0x1a0 [snd_seq] age=1 cpu=2 pid=4717 __slab_free+0x204/0x310 kfree+0x15f/0x180 port_delete+0x136/0x1a0 [snd_seq] snd_seq_delete_port+0x235/0x350 [snd_seq] snd_seq_ioctl_delete_port+0xc8/0x180 [snd_seq] snd_seq_do_ioctl+0x11c/0x190 [snd_seq] snd_seq_ioctl+0x40/0x80 [snd_seq] do_vfs_ioctl+0x54b/0xda0 SyS_ioctl+0x79/0x90 entry_SYSCALL_64_fastpath+0x16/0x75 Call Trace: [<ffffffff81b03781>] dump_stack+0x63/0x82 [<ffffffff81531b3b>] print_trailer+0xfb/0x160 [<ffffffff81536db4>] object_err+0x34/0x40 [<ffffffff815392d3>] kasan_report.part.2+0x223/0x520 [<ffffffffa07aadf4>] ? snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] [<ffffffff815395fe>] __asan_report_load1_noabort+0x2e/0x30 [<ffffffffa07aadf4>] snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] [<ffffffffa07aa8f0>] ? snd_seq_ioctl_delete_port+0x180/0x180 [snd_seq] [<ffffffff8136be50>] ? taskstats_exit+0xbc0/0xbc0 [<ffffffffa07abc5c>] snd_seq_do_ioctl+0x11c/0x190 [snd_seq] [<ffffffffa07abd10>] snd_seq_ioctl+0x40/0x80 [snd_seq] [<ffffffff8136d433>] ? acct_account_cputime+0x63/0x80 [<ffffffff815b515b>] do_vfs_ioctl+0x54b/0xda0 ..... We may fix this in a few different ways, and in this patch, it's fixed simply by taking the refcount properly at snd_seq_create_port() and letting the caller unref the object after use. Also, there is another potential use-after-free by sprintf() call in snd_seq_create_port(), and this is moved inside the lock. This fix covers CVE-2017-15265. Reported-and-tested-by: Michael23 Yu <ycqzsy@gmail.com> Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
- 10 Oct, 2017 2 commits
-
-
Takashi Iwai authored
USB-audio driver may leave a stray URB for the mixer interrupt when it exits by some error during probe. This leads to a use-after-free error as spotted by syzkaller like: ================================================================== BUG: KASAN: use-after-free in snd_usb_mixer_interrupt+0x604/0x6f0 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:16 dump_stack+0x292/0x395 lib/dump_stack.c:52 print_address_description+0x78/0x280 mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 kasan_report+0x23d/0x350 mm/kasan/report.c:409 __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430 snd_usb_mixer_interrupt+0x604/0x6f0 sound/usb/mixer.c:2490 __usb_hcd_giveback_urb+0x2e0/0x650 drivers/usb/core/hcd.c:1779 .... Allocated by task 1484: save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x43/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551 kmem_cache_alloc_trace+0x11e/0x2d0 mm/slub.c:2772 kmalloc ./include/linux/slab.h:493 kzalloc ./include/linux/slab.h:666 snd_usb_create_mixer+0x145/0x1010 sound/usb/mixer.c:2540 create_standard_mixer_quirk+0x58/0x80 sound/usb/quirks.c:516 snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560 create_composite_quirk+0x1c4/0x3e0 sound/usb/quirks.c:59 snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560 usb_audio_probe+0x1040/0x2c10 sound/usb/card.c:618 .... Freed by task 1484: save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x43/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524 slab_free_hook mm/slub.c:1390 slab_free_freelist_hook mm/slub.c:1412 slab_free mm/slub.c:2988 kfree+0xf6/0x2f0 mm/slub.c:3919 snd_usb_mixer_free+0x11a/0x160 sound/usb/mixer.c:2244 snd_usb_mixer_dev_free+0x36/0x50 sound/usb/mixer.c:2250 __snd_device_free+0x1ff/0x380 sound/core/device.c:91 snd_device_free_all+0x8f/0xe0 sound/core/device.c:244 snd_card_do_free sound/core/init.c:461 release_card_device+0x47/0x170 sound/core/init.c:181 device_release+0x13f/0x210 drivers/base/core.c:814 .... Actually such a URB is killed properly at disconnection when the device gets probed successfully, and what we need is to apply it for the error-path, too. In this patch, we apply snd_usb_mixer_disconnect() at releasing. Also introduce a new flag, disconnected, to struct usb_mixer_interface for not performing the disconnection procedure twice. Reported-by: Andrey Konovalov <andreyknvl@google.com> Tested-by: Andrey Konovalov <andreyknvl@google.com> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Takashi Iwai authored
The sequencer event may contain a user-space pointer with its SNDRV_SEQ_EXT_USRPTR bit, and we assure that its delivery is limited with non-atomic mode. Otherwise the copy_from_user() may hit the fault and cause a problem. Although the core code doesn't set such a flag (only set at snd_seq_write()), any wild driver may set it mistakenly and lead to an unexpected crash. This patch adds a sanity check of such events at the delivery core code to filter out the invalid invocation in the atomic mode. Signed-off-by: Takashi Iwai <tiwai@suse.de>
-