1. 30 Oct, 2017 1 commit
  2. 26 Oct, 2017 2 commits
  3. 25 Oct, 2017 2 commits
    • Takashi Iwai's avatar
      ALSA: sb: Minor optimization / fix of timer usage in sb8_midi.c · 20e5f8bf
      Takashi Iwai authored
      Currently the SB8 MIDI code sets up the timer object at each time
      before scheduling it at trigger callback, but basically this is
      superfluous once after set up.  Also, the code misses the
      del_timer_sync() call that may leave a race condition for
      use-after-free.
      
      This patch addresses these issues, moving timer_setup() to
      snd_sb8dsp_midi(), and adding the del_timer_sync() call at
      snd_sb8dsp_midi_output_trigger() to make sure.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      20e5f8bf
    • Kees Cook's avatar
      ALSA: sb: Convert timers to use timer_setup() · 4f928246
      Kees Cook authored
      In preparation for unconditionally passing the struct timer_list pointer to
      all timer callbacks, switch to using the new timer_setup() and from_timer()
      to pass the timer pointer explicitly.
      
      [Re-use the existing chip->midi_substream_output instead of assigning
       a new field to struct snd_sb -- tiwai]
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      4f928246
  4. 24 Oct, 2017 5 commits
  5. 19 Oct, 2017 1 commit
    • Takashi Iwai's avatar
      ALSA: hda: Avoid racy recreation of widget kobjects · 9780ded3
      Takashi Iwai authored
      The refresh of HD-audio widget sysfs kobjects via
      snd_hdac_refresh_widget_sysfs() is slightly racy.
      The driver recreates the whole tree from scratch after deleting the
      whole.  When CONFIG_DEBUG_KOBJECT_RELEASE option is used, kobject
      release doesn't happen immediately but delayed, while the re-creation
      of the same named kobject happens soon after invoking kobject_put().
      This may end up with the conflicts of duplicated kobjects, as found in
      the bug report below.
      
      In this patch, we take another approach to refresh the tree: instead
      of recreating the whole tree, just add the new nodes and delete the
      non-existing nodes.  Since the refresh happens only once at
      initialization, no longer race would happen.
      
      Along with the code change, merge snd_hdac_refresh_widget_sysfs() with
      the existing snd_hdac_refresh_widgets() with an additional bool flag
      for simplifying the code.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=197307Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      9780ded3
  6. 18 Oct, 2017 3 commits
  7. 17 Oct, 2017 4 commits
  8. 16 Oct, 2017 5 commits
  9. 13 Oct, 2017 2 commits
  10. 11 Oct, 2017 13 commits
    • Takashi Iwai's avatar
      ALSA: caiaq: Fix stray URB at probe error path · 99fee508
      Takashi Iwai authored
      caiaq driver doesn't kill the URB properly at its error path during
      the probe, which may lead to a use-after-free error later.  This patch
      addresses it.
      Reported-by: default avatarJohan Hovold <johan@kernel.org>
      Reviewed-by: default avatarJohan Hovold <johan@kernel.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      99fee508
    • Takashi Iwai's avatar
      Merge branch 'topic/usb-ep-check-v2' into for-next · 8ed5d192
      Takashi Iwai authored
      Pulling the EP validity checks in USB audio drivers.
      It also adds a new helper in USB core, which was acked by Greg.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      8ed5d192
    • Takashi Iwai's avatar
      ALSA: line6: Add yet more sanity checks for invalid EPs · 4f95646c
      Takashi Iwai authored
      There are a few other places calling usb_submit_urb() with the URB
      composed from the fixed endpoint without validation.  For avoiding the
      spurious kernel warnings, add the sanity checks to appropriate
      places.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      4f95646c
    • Takashi Iwai's avatar
      ALSA: caiaq: Add yet more sanity checks for invalid EPs · 96cd7962
      Takashi Iwai authored
      A few other places in caiaq driver have the URB handling with the
      fixed endpoints without checking the validity, too.  Add the sanity
      check with the new helper function at each appropriate place for
      avoiding the spurious kernel warnings due to invalid EPs.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      96cd7962
    • Takashi Iwai's avatar
      ALSA: hiface: Add sanity checks for invalid EPs · 5935b952
      Takashi Iwai authored
      hiface usb-audio driver sets up URBs containing the fixed endpoints
      without validation.  This may end up with an oops-like kernel warning
      when submitted.
      
      For avoiding it, this patch adds the calls of the new sanity-check
      helper for URBs.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      5935b952
    • Takashi Iwai's avatar
      ALSA: usx2y: Add sanity checks for invalid EPs · 1f100349
      Takashi Iwai authored
      usx2y driver sets up URBs containing the fixed endpoints without
      validation.  This may end up with an oops-like kernel warning when
      submitted.
      
      For avoiding it, this patch adds the calls of the new sanity-check
      helper for URBs.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      1f100349
    • Takashi Iwai's avatar
      ALSA: usb-audio: Add sanity checks for invalid EPs · 738d9edc
      Takashi Iwai authored
      USB-audio driver may set up a URB containing the fixed EP without
      validating its presence for some non-class-compliant devices.  This
      may end up with an oops-like kernel warning when submitted.
      
      For avoiding it, this patch adds the call of the new sanity-check
      helper for URBs.  The checks are needed only for MIDI I/O as the other
      places have already some other checks.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      738d9edc
    • Takashi Iwai's avatar
      ALSA: line6: Add a sanity check for invalid EPs · 2a4340c5
      Takashi Iwai authored
      As syzkaller spotted, currently line6 drivers submit a URB with the
      fixed EP without checking whether it's actually available, which may
      result in a kernel warning like:
        usb 1-1: BOGUS urb xfer, pipe 3 != type 1
        ------------[ cut here ]------------
        WARNING: CPU: 0 PID: 24 at drivers/usb/core/urb.c:449
        usb_submit_urb+0xf8a/0x11d0
        Modules linked in:
        CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc2-42613-g1488251d1a98 #238
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
        Workqueue: usb_hub_wq hub_event
        Call Trace:
         line6_start_listen+0x55f/0x9e0 sound/usb/line6/driver.c:82
         line6_init_cap_control sound/usb/line6/driver.c:690
         line6_probe+0x7c9/0x1310 sound/usb/line6/driver.c:764
         podhd_probe+0x64/0x70 sound/usb/line6/podhd.c:474
         usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
         ....
      
      This patch adds a sanity check of validity of EPs at the device
      initialization phase for avoiding the call with an invalid EP.
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Tested-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      2a4340c5
    • Takashi Iwai's avatar
      ALSA: caiaq: Add a sanity check for invalid EPs · 58fc7f73
      Takashi Iwai authored
      As syzkaller spotted, currently caiaq driver submits a URB with the
      fixed EP without checking whether it's actually available, which may
      result in a kernel warning like:
        usb 1-1: BOGUS urb xfer, pipe 3 != type 1
        ------------[ cut here ]------------
        WARNING: CPU: 1 PID: 1150 at drivers/usb/core/urb.c:449
        usb_submit_urb+0xf8a/0x11d0
        Modules linked in:
        CPU: 1 PID: 1150 Comm: kworker/1:1 Not tainted
        4.14.0-rc2-42660-g24b7bd59eec0 #277
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
        Workqueue: usb_hub_wq hub_event
        Call Trace:
         init_card sound/usb/caiaq/device.c:467
         snd_probe+0x81c/0x1150 sound/usb/caiaq/device.c:525
         usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
         ....
      
      This patch adds a sanity check of validity of EPs at the device
      initialization phase for avoiding the call with an invalid EP.
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Tested-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      58fc7f73
    • Takashi Iwai's avatar
      ALSA: bcd2000: Add a sanity check for invalid EPs · 6815a0b4
      Takashi Iwai authored
      As syzkaller spotted, currently bcd2000 driver submits a URB with the
      fixed EP without checking whether it's actually available, which may
      result in a kernel warning like:
        usb 1-1: BOGUS urb xfer, pipe 1 != type 3
        ------------[ cut here ]------------
        WARNING: CPU: 0 PID: 1846 at drivers/usb/core/urb.c:449
        usb_submit_urb+0xf8a/0x11d0
        Modules linked in:
        CPU: 0 PID: 1846 Comm: kworker/0:2 Not tainted
        4.14.0-rc2-42613-g1488251d1a98 #238
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
        Workqueue: usb_hub_wq hub_event
        Call Trace:
         bcd2000_init_device sound/usb/bcd2000/bcd2000.c:289
         bcd2000_init_midi sound/usb/bcd2000/bcd2000.c:345
         bcd2000_probe+0xe64/0x19e0 sound/usb/bcd2000/bcd2000.c:406
         usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
         ....
      
      This patch adds a sanity check of validity of EPs at the device
      initialization phase for avoiding the call with an invalid EP.
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Tested-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      6815a0b4
    • Takashi Iwai's avatar
      usb: core: Add a helper function to check the validity of EP type in URB · e901b987
      Takashi Iwai authored
      This patch adds a new helper function to perform a sanity check of the
      given URB to see whether it contains a valid endpoint.  It's a light-
      weight version of what usb_submit_urb() does, but without the kernel
      warning followed by the stack trace, just returns an error code.
      
      Especially for a driver that doesn't parse the descriptor but fills
      the URB with the fixed endpoint (e.g. some quirks for non-compliant
      devices), this kind of check is preferable at the probe phase before
      actually submitting the urb.
      Tested-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Acked-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      e901b987
    • Takashi Iwai's avatar
      ALSA: add snd_card_disconnect_sync() · c44027c8
      Takashi Iwai authored
      In case of user unbind ALSA driver during playing back / capturing,
      each driver needs to stop and remove it correctly. One note here is
      that we can't cancel from remove function in such case, because
      unbind operation doesn't check return value from remove function.
      So, we *must* stop and remove in this case.
      
      For this purpose, we need to sync (= wait) until the all top-level
      operations are canceled at remove function.
      For example, snd_card_free() processes the disconnection procedure at
      first, then waits for the completion. That's how the hot-unplug works
      safely. It's implemented, at least, in the top-level driver removal.
      
      Now for the lower level driver, we need a similar strategy. Notify to
      the toplevel for hot-unplug (disconnect in ALSA), and sync with the
      stop operation, then continue the rest of its own remove procedure.
      
      This patch adds snd_card_disconnect_sync(), and driver can use it from
      remove function.
      
      Note: the "lower level" driver here refers to a middle layer driver
      (e.g. ASoC components) that can be unbound freely during operation.
      Most of legacy ALSA helper drivers don't have such a problem because
      they can't be unbound.
      
      Note#2: snd_card_disconnect_sync() merely calls snd_card_disconnect()
      and syncs with closing all pending files.  It takes only the files
      opened by user-space into account, and doesn't care about object
      refcounts.  (The latter is handled by snd_card_free() completion call,
      BTW.)  Also, the function doesn't free resources by itself.
      Tested-by: default avatarKuninori Morimoto <kuninori.morimoto.gx@renesas.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      c44027c8
    • Takashi Iwai's avatar
      ALSA: seq: Fix use-after-free at creating a port · 71105998
      Takashi Iwai authored
      There is a potential race window opened at creating and deleting a
      port via ioctl, as spotted by fuzzing.  snd_seq_create_port() creates
      a port object and returns its pointer, but it doesn't take the
      refcount, thus it can be deleted immediately by another thread.
      Meanwhile, snd_seq_ioctl_create_port() still calls the function
      snd_seq_system_client_ev_port_start() with the created port object
      that is being deleted, and this triggers use-after-free like:
      
       BUG: KASAN: use-after-free in snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] at addr ffff8801f2241cb1
       =============================================================================
       BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
       -----------------------------------------------------------------------------
       INFO: Allocated in snd_seq_create_port+0x94/0x9b0 [snd_seq] age=1 cpu=3 pid=4511
       	___slab_alloc+0x425/0x460
       	__slab_alloc+0x20/0x40
        	kmem_cache_alloc_trace+0x150/0x190
      	snd_seq_create_port+0x94/0x9b0 [snd_seq]
      	snd_seq_ioctl_create_port+0xd1/0x630 [snd_seq]
       	snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
       	snd_seq_ioctl+0x40/0x80 [snd_seq]
       	do_vfs_ioctl+0x54b/0xda0
       	SyS_ioctl+0x79/0x90
       	entry_SYSCALL_64_fastpath+0x16/0x75
       INFO: Freed in port_delete+0x136/0x1a0 [snd_seq] age=1 cpu=2 pid=4717
       	__slab_free+0x204/0x310
       	kfree+0x15f/0x180
       	port_delete+0x136/0x1a0 [snd_seq]
       	snd_seq_delete_port+0x235/0x350 [snd_seq]
       	snd_seq_ioctl_delete_port+0xc8/0x180 [snd_seq]
       	snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
       	snd_seq_ioctl+0x40/0x80 [snd_seq]
       	do_vfs_ioctl+0x54b/0xda0
       	SyS_ioctl+0x79/0x90
       	entry_SYSCALL_64_fastpath+0x16/0x75
       Call Trace:
        [<ffffffff81b03781>] dump_stack+0x63/0x82
        [<ffffffff81531b3b>] print_trailer+0xfb/0x160
        [<ffffffff81536db4>] object_err+0x34/0x40
        [<ffffffff815392d3>] kasan_report.part.2+0x223/0x520
        [<ffffffffa07aadf4>] ? snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
        [<ffffffff815395fe>] __asan_report_load1_noabort+0x2e/0x30
        [<ffffffffa07aadf4>] snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
        [<ffffffffa07aa8f0>] ? snd_seq_ioctl_delete_port+0x180/0x180 [snd_seq]
        [<ffffffff8136be50>] ? taskstats_exit+0xbc0/0xbc0
        [<ffffffffa07abc5c>] snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
        [<ffffffffa07abd10>] snd_seq_ioctl+0x40/0x80 [snd_seq]
        [<ffffffff8136d433>] ? acct_account_cputime+0x63/0x80
        [<ffffffff815b515b>] do_vfs_ioctl+0x54b/0xda0
        .....
      
      We may fix this in a few different ways, and in this patch, it's fixed
      simply by taking the refcount properly at snd_seq_create_port() and
      letting the caller unref the object after use.  Also, there is another
      potential use-after-free by sprintf() call in snd_seq_create_port(),
      and this is moved inside the lock.
      
      This fix covers CVE-2017-15265.
      Reported-and-tested-by: default avatarMichael23 Yu <ycqzsy@gmail.com>
      Suggested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      71105998
  11. 10 Oct, 2017 2 commits
    • Takashi Iwai's avatar
      ALSA: usb-audio: Kill stray URB at exiting · 124751d5
      Takashi Iwai authored
      USB-audio driver may leave a stray URB for the mixer interrupt when it
      exits by some error during probe.  This leads to a use-after-free
      error as spotted by syzkaller like:
        ==================================================================
        BUG: KASAN: use-after-free in snd_usb_mixer_interrupt+0x604/0x6f0
        Call Trace:
         <IRQ>
         __dump_stack lib/dump_stack.c:16
         dump_stack+0x292/0x395 lib/dump_stack.c:52
         print_address_description+0x78/0x280 mm/kasan/report.c:252
         kasan_report_error mm/kasan/report.c:351
         kasan_report+0x23d/0x350 mm/kasan/report.c:409
         __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
         snd_usb_mixer_interrupt+0x604/0x6f0 sound/usb/mixer.c:2490
         __usb_hcd_giveback_urb+0x2e0/0x650 drivers/usb/core/hcd.c:1779
         ....
      
        Allocated by task 1484:
         save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
         save_stack+0x43/0xd0 mm/kasan/kasan.c:447
         set_track mm/kasan/kasan.c:459
         kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
         kmem_cache_alloc_trace+0x11e/0x2d0 mm/slub.c:2772
         kmalloc ./include/linux/slab.h:493
         kzalloc ./include/linux/slab.h:666
         snd_usb_create_mixer+0x145/0x1010 sound/usb/mixer.c:2540
         create_standard_mixer_quirk+0x58/0x80 sound/usb/quirks.c:516
         snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560
         create_composite_quirk+0x1c4/0x3e0 sound/usb/quirks.c:59
         snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560
         usb_audio_probe+0x1040/0x2c10 sound/usb/card.c:618
         ....
      
        Freed by task 1484:
         save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
         save_stack+0x43/0xd0 mm/kasan/kasan.c:447
         set_track mm/kasan/kasan.c:459
         kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524
         slab_free_hook mm/slub.c:1390
         slab_free_freelist_hook mm/slub.c:1412
         slab_free mm/slub.c:2988
         kfree+0xf6/0x2f0 mm/slub.c:3919
         snd_usb_mixer_free+0x11a/0x160 sound/usb/mixer.c:2244
         snd_usb_mixer_dev_free+0x36/0x50 sound/usb/mixer.c:2250
         __snd_device_free+0x1ff/0x380 sound/core/device.c:91
         snd_device_free_all+0x8f/0xe0 sound/core/device.c:244
         snd_card_do_free sound/core/init.c:461
         release_card_device+0x47/0x170 sound/core/init.c:181
         device_release+0x13f/0x210 drivers/base/core.c:814
         ....
      
      Actually such a URB is killed properly at disconnection when the
      device gets probed successfully, and what we need is to apply it for
      the error-path, too.
      
      In this patch, we apply snd_usb_mixer_disconnect() at releasing.
      Also introduce a new flag, disconnected, to struct usb_mixer_interface
      for not performing the disconnection procedure twice.
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Tested-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      124751d5
    • Takashi Iwai's avatar
      ALSA: seq: Add sanity check for user-space pointer delivery · 19b592da
      Takashi Iwai authored
      The sequencer event may contain a user-space pointer with its
      SNDRV_SEQ_EXT_USRPTR bit, and we assure that its delivery is limited
      with non-atomic mode.  Otherwise the copy_from_user() may hit the
      fault and cause a problem.  Although the core code doesn't set such a
      flag (only set at snd_seq_write()), any wild driver may set it
      mistakenly and lead to an unexpected crash.
      
      This patch adds a sanity check of such events at the delivery core
      code to filter out the invalid invocation in the atomic mode.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      19b592da