1. 13 May, 2018 3 commits
  2. 02 May, 2018 1 commit
    • ALSA: pcm: Check PCM state at xfern compat ioctl · f13876e2
      Takashi Iwai authored
      Since snd_pcm_ioctl_xfern_compat() has no PCM state check, it may go
      further and hit the sanity check pcm_sanity_check() when the ioctl is
      called right after open.  It may eventually spew a kernel warning, as
      triggered by syzbot, depending on kconfig.
      
      The lack of PCM state check there was just an oversight.  Although
      it's no real crash, the spurious kernel warning is annoying, so let's
      add the proper check.
      
      Reported-by: syzbot+1dac3a4f6bc9c1c675d4@syzkaller.appspotmail.com
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
  3. 30 Apr, 2018 1 commit
  4. 29 Apr, 2018 1 commit
    • ALSA: dice: fix kernel NULL pointer dereference due to invalid calculation for array index · 52759c09
      Takashi Sakamoto authored
      In commit f91c9d76 ('ALSA: firewire-lib: cache maximum length of
      payload to reduce function calls'), the maximum size of payload for a tx
      isochronous packet is cached to reduce the number of function calls.
      
      This cache was programmed to be updated at the first callback of the ohci1394 IR
      context. However, the maximum size is required for queueing packets before
      starting the isochronous context.
      
      As a result, the cached value is reused to queue packets the next time the
      isochronous context is started. Then the cache is updated in the first
      callback of the isochronous context. This can cause a kernel NULL pointer
      dereference in the call graph below:
      
      (sound/firewire/amdtp-stream.c)
      amdtp_stream_start()
      ->queue_in_packet()
        ->queue_packet()
          (drivers/firewire/core-iso.c)
          ->fw_iso_context_queue()
            ->struct fw_card_driver.queue_iso()
            (drivers/firewire/ohci.c)
            = ohci_queue_iso()
              ->queue_iso_packet_per_buffer()
                buffer->pages[page]
      
      The dereference in question occurs in the case that:
       - the target unit supports different stream formats for sampling transmission
         frequency.
       - the maximum length of payload for the tx stream in a first trial is bigger
         than the length in a second trial.
      
      In this case, the correct number of pages is allocated for DMA and the 'pages'
      array has enough elements, while the index of the element is wrongly calculated
      according to the old value of the length of payload in a call of
      'queue_in_packet()'. Then it causes the issue.
      
      This commit fixes the critical bug. This affects all drivers in the ALSA
      firewire stack in Linux kernel v4.12 or later.
      
      [12665.302360] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
      [12665.302415] IP: ohci_queue_iso+0x47c/0x800 [firewire_ohci]
      [12665.302439] PGD 0
      [12665.302440] P4D 0
      [12665.302450]
      [12665.302470] Oops: 0000 [#1] SMP PTI
      [12665.302487] Modules linked in: ...
      [12665.303096] CPU: 1 PID: 12760 Comm: jackd Tainted: P           OE   4.13.0-38-generic #43-Ubuntu
      [12665.303154] Hardware name:                  /DH77DF, BIOS KCH7710H.86A.0069.2012.0224.1825 02/24/2012
      [12665.303215] task: ffff9ce87da2ae80 task.stack: ffffb5b8823d0000
      [12665.303258] RIP: 0010:ohci_queue_iso+0x47c/0x800 [firewire_ohci]
      [12665.303301] RSP: 0018:ffffb5b8823d3ab8 EFLAGS: 00010086
      [12665.303337] RAX: ffff9ce4f4876930 RBX: 0000000000000008 RCX: ffff9ce88a3955e0
      [12665.303384] RDX: 0000000000000000 RSI: 0000000034877f00 RDI: 0000000000000000
      [12665.303427] RBP: ffffb5b8823d3b68 R08: ffff9ce8ccb390a0 R09: ffff9ce877639ab0
      [12665.303475] R10: 0000000000000108 R11: 0000000000000000 R12: 0000000000000003
      [12665.303513] R13: 0000000000000000 R14: ffff9ce4f4876950 R15: 0000000000000000
      [12665.303554] FS:  00007f2ec467f8c0(0000) GS:ffff9ce8df280000(0000) knlGS:0000000000000000
      [12665.303600] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [12665.303633] CR2: 0000000000000030 CR3: 00000002dcf90004 CR4: 00000000000606e0
      [12665.303674] Call Trace:
      [12665.303698]  fw_iso_context_queue+0x18/0x20 [firewire_core]
      [12665.303735]  queue_packet+0x88/0xe0 [snd_firewire_lib]
      [12665.303770]  amdtp_stream_start+0x19b/0x270 [snd_firewire_lib]
      [12665.303811]  start_streams+0x276/0x3c0 [snd_dice]
      [12665.303840]  snd_dice_stream_start_duplex+0x1bf/0x480 [snd_dice]
      [12665.303882]  ? vma_gap_callbacks_rotate+0x1e/0x30
      [12665.303914]  ? __rb_insert_augmented+0xab/0x240
      [12665.303936]  capture_prepare+0x3c/0x70 [snd_dice]
      [12665.303961]  snd_pcm_do_prepare+0x1d/0x30 [snd_pcm]
      [12665.303985]  snd_pcm_action_single+0x3b/0x90 [snd_pcm]
      [12665.304009]  snd_pcm_action_nonatomic+0x68/0x70 [snd_pcm]
      [12665.304035]  snd_pcm_prepare+0x68/0x90 [snd_pcm]
      [12665.304058]  snd_pcm_common_ioctl1+0x4c0/0x940 [snd_pcm]
      [12665.304083]  snd_pcm_capture_ioctl1+0x19b/0x250 [snd_pcm]
      [12665.304108]  snd_pcm_capture_ioctl+0x27/0x40 [snd_pcm]
      [12665.304131]  do_vfs_ioctl+0xa8/0x630
      [12665.304148]  ? entry_SYSCALL_64_after_hwframe+0xe9/0x139
      [12665.304172]  ? entry_SYSCALL_64_after_hwframe+0xe2/0x139
      [12665.304195]  ? entry_SYSCALL_64_after_hwframe+0xdb/0x139
      [12665.304218]  ? entry_SYSCALL_64_after_hwframe+0xd4/0x139
      [12665.304242]  ? entry_SYSCALL_64_after_hwframe+0xcd/0x139
      [12665.304265]  ? entry_SYSCALL_64_after_hwframe+0xc6/0x139
      [12665.304288]  ? entry_SYSCALL_64_after_hwframe+0xbf/0x139
      [12665.304312]  ? entry_SYSCALL_64_after_hwframe+0xb8/0x139
      [12665.304335]  ? entry_SYSCALL_64_after_hwframe+0xb1/0x139
      [12665.304358]  SyS_ioctl+0x79/0x90
      [12665.304374]  ? entry_SYSCALL_64_after_hwframe+0x72/0x139
      [12665.304397]  entry_SYSCALL_64_fastpath+0x24/0xab
      [12665.304417] RIP: 0033:0x7f2ec3750ef7
      [12665.304433] RSP: 002b:00007fff99e31388 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
      [12665.304465] RAX: ffffffffffffffda RBX: 00007fff99e312f0 RCX: 00007f2ec3750ef7
      [12665.304494] RDX: 0000000000000000 RSI: 0000000000004140 RDI: 0000000000000007
      [12665.304522] RBP: 0000556ebc63fd60 R08: 0000556ebc640560 R09: 0000000000000000
      [12665.304553] R10: 0000000000000001 R11: 0000000000000246 R12: 0000556ebc63fcf0
      [12665.304584] R13: 0000000000000000 R14: 0000000000000007 R15: 0000000000000000
      [12665.304612] Code: 01 00 00 44 89 eb 45 31 ed 45 31 db 66 41 89 1e 66 41 89 5e 0c 66 45 89 5e 0e 49 8b 49 08 49 63 d4 4d 85 c0 49 63 ff 48 8b 14 d1 <48> 8b 72 30 41 8d 14 37 41 89 56 04 48 63 d3 0f 84 ce 00 00 00
      [12665.304713] RIP: ohci_queue_iso+0x47c/0x800 [firewire_ohci] RSP: ffffb5b8823d3ab8
      [12665.304743] CR2: 0000000000000030
      [12665.317701] ---[ end trace 9d55b056dd52a19f ]---
      
      Fixes: f91c9d76 ('ALSA: firewire-lib: cache maximum length of payload to reduce function calls')
      Cc: <stable@vger.kernel.org> # v4.12+
      Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
  5. 27 Apr, 2018 2 commits
    • ALSA: seq: Fix races at MIDI encoding in snd_virmidi_output_trigger() · 8f22e525
      Takashi Iwai authored
      The sequencer virmidi code has an open race at its output trigger
      callback: namely, virmidi keeps only one event packet for processing
      while it doesn't protect for concurrent output trigger calls.
      
      snd_virmidi_output_trigger() tries to process the previously
      unfinished event before starting encoding the given MIDI stream, but
      this is done without any lock.  Meanwhile, if another rawmidi stream
      starts the output trigger, this proceeds further, and overwrites the
      event package that is being processed in another thread.  This
      eventually corrupts and may lead to the invalid memory access if the
      event type is like SYSEX.
      
      The fix is just to move the spinlock to cover both the pending event
      and the new stream.
      
      The bug was spotted by a new fuzzer, RaceFuzzer.
      
      BugLink: http://lkml.kernel.org/r/20180426045223.GA15307@dragonet.kaist.ac.kr
      Reported-by: DaeRyong Jeong <threeearcat@gmail.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
    • ALSA: hda - Fix incorrect usage of IS_REACHABLE() · 6a30abaa
      Takashi Iwai authored
      The commit c469652b ("ALSA: hda - Use IS_REACHABLE() for
      dependency on input") simplified the dependencies with IS_REACHABLE()
      macro, but it broke due to its incorrect usage: it should have been
      IS_REACHABLE(CONFIG_INPUT) instead of IS_REACHABLE(INPUT).
      
      Fixes: c469652b ("ALSA: hda - Use IS_REACHABLE() for dependency on input")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
  6. 26 Apr, 2018 1 commit
  7. 25 Apr, 2018 15 commits
  8. 24 Apr, 2018 4 commits
  9. 23 Apr, 2018 6 commits
    • ALSA: usb-audio: Fix forgotten conversion of control query functions · 2de841ef
      Takashi Iwai authored
      The recent code refactoring made the argument for some helper
      functions to be the explicit UAC_CS_* and UAC2_CS_* value instead of
      0-based offset.  However, there was one place left forgotten, and it
      caused a regression on some devices appearing as the inconsistent
      mixer setup.
      
      This patch corrects the forgotten conversion.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199449
      Fixes: 21e9b3e9 ("ALSA: usb-audio: fix uac control query argument")
      Tested-by: Nazar Mokrynskyi <nazar@mokrynskyi.com>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
    • ALSA: control: Fix missing __user annotation · 1ba7862f
      Takashi Iwai authored
      There is one place missing __user annotation to the pointer used by
      the recent code refactoring.  Reported by sparse.
      
      Fixes: 450296f3 ("ALSA: control: code refactoring TLV ioctl handler")
      Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
    • ALSA: core: Report audio_tstamp in snd_pcm_sync_ptr · f853dcaa
      David Henningsson authored
      It looks like a simple mistake that this struct member
      was forgotten.
      
      Audio_tstamp isn't used much, and on some archs (such as x86) this
      ioctl is not used by default, so that might be the reason why this
      has slipped for so long.
      
      Fixes: 4eeaaeae ("ALSA: core: add hooks for audio timestamps")
      Signed-off-by: David Henningsson <diwic@ubuntu.com>
      Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
      Cc: <stable@vger.kernel.org> # v3.8+
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
    • ALSA: pcm: Return negative delays from SNDRV_PCM_IOCTL_DELAY. · 912e4c33
      Jeffery Miller authored
      The commit c2c86a97 ("ALSA: pcm: Remove set_fs() in PCM core code")
      changed SNDRV_PCM_IOCTL_DELAY to return an inconsistent error instead of a
      negative delay.  Originally the call would succeed and return the negative
      delay.  The Chromium OS Audio Server (CRAS) gets confused and hangs when
      the error is returned instead of the negative delay.
      
      Help CRAS avoid the issue by rolling back the behavior to return a
      negative delay instead of an error.
      
      Fixes: c2c86a97 ("ALSA: pcm: Remove set_fs() in PCM core code")
      Signed-off-by: Jeffery Miller <jmiller@neverware.com>
      Cc: <stable@vger.kernel.org> # v4.13+
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
    • Linux 4.17-rc2 · 6d08b06e
      Linus Torvalds authored
    • Merge tag 'drm-fixes-for-v4.17-rc2' of git://people.freedesktop.org/~airlied/linux · 867ab4b2
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Exynos, i915, vc4, amdgpu fixes.
      
        i915:
         - an oops fix
         - two race fixes
         - some gvt fixes
      
        amdgpu:
         - dark screen fix
         - clk/voltage fix
         - vega12 smu fix
      
        vc4:
         - memory leak fix
      
        exynos just drops some code"
      
      * tag 'drm-fixes-for-v4.17-rc2' of git://people.freedesktop.org/~airlied/linux: (23 commits)
        drm/amd/powerplay: header file interface to SMU update
        drm/amd/pp: Fix bug voltage can't be OD separately on VI
        drm/amd/display: Don't program bypass on linear regamma LUT
        drm/i915: Fix LSPCON TMDS output buffer enabling from low-power state
        drm/i915/audio: Fix audio detection issue on GLK
        drm/i915: Call i915_perf_fini() on init_hw error unwind
        drm/i915/bios: filter out invalid DDC pins from VBT child devices
        drm/i915/pmu: Inspect runtime PM state more carefully while estimating RC6
        drm/i915: Do no use kfree() to free a kmem_cache_alloc() return value
        drm/exynos: exynos_drm_fb -> drm_framebuffer
        drm/exynos: Move dma_addr out of exynos_drm_fb
        drm/exynos: Move GEM BOs to drm_framebuffer
        drm: Fix HDCP downstream dev count read
        drm/vc4: Fix memory leak during BO teardown
        drm/i915/execlists: Clear user-active flag on preemption completion
        drm/i915/gvt: Add drm_format_mod update
        drm/i915/gvt: Disable primary/sprite/cursor plane at virtual display initialization
        drm/i915/gvt: Delete redundant error message in fb_decode.c
        drm/i915/gvt: Cancel dma map when resetting ggtt entries
        drm/i915/gvt: Missed to cancel dma map for ggtt entries
        ...
  10. 22 Apr, 2018 6 commits
    • Merge branch 'drm-next-4.17' of git://people.freedesktop.org/~agd5f/linux into drm-next · 221bda4b
      Dave Airlie authored
      - Fix a dark screen issue in DC
      - Fix clk/voltage dependency tracking for wattman
      - Update SMU interface for vega12
      
      * 'drm-next-4.17' of git://people.freedesktop.org/~agd5f/linux:
        drm/amd/powerplay: header file interface to SMU update
        drm/amd/pp: Fix bug voltage can't be OD separately on VI
        drm/amd/display: Don't program bypass on linear regamma LUT
    • Merge tag 'exynos-drm-fixes-for-v4.17-rc2' of... · 2e1d6eab
      Dave Airlie authored
      Merge tag 'exynos-drm-fixes-for-v4.17-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/daeinki/drm-exynos into drm-next
      
      Remove Exynos specific framebuffer structure and
      relevant functions.
      - it removes exynos_drm_fb structure which is a wrapper of
        drm_framebuffer and unnecessary two exynos specific callback
        functions, exynos_drm_destory() and exynos_drm_fb_create_handle()
        because we can reuse existing drm common callback ones instead.
      
      * tag 'exynos-drm-fixes-for-v4.17-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/daeinki/drm-exynos:
        drm/exynos: exynos_drm_fb -> drm_framebuffer
        drm/exynos: Move dma_addr out of exynos_drm_fb
        drm/exynos: Move GEM BOs to drm_framebuffer
        drm/amdkfd: Deallocate SDMA queues correctly
        drm/amdkfd: Fix scratch memory with HWS enabled
    • Merge tag 'drm-intel-next-fixes-2018-04-19' of... · bc9ebca2
      Dave Airlie authored
      Merge tag 'drm-intel-next-fixes-2018-04-19' of git://anongit.freedesktop.org/drm/drm-intel into drm-next
      
      - Fix for FDO #105549: Avoid OOPS on bad VBT (Jani)
      - Fix rare pre-emption race (Chris)
      - Fix RC6 race against PM transitions (Tvrtko)
      
      * tag 'drm-intel-next-fixes-2018-04-19' of git://anongit.freedesktop.org/drm/drm-intel:
        drm/i915/audio: Fix audio detection issue on GLK
        drm/i915: Call i915_perf_fini() on init_hw error unwind
        drm/i915/bios: filter out invalid DDC pins from VBT child devices
        drm/i915/pmu: Inspect runtime PM state more carefully while estimating RC6
        drm/i915: Do no use kfree() to free a kmem_cache_alloc() return value
        drm/i915/execlists: Clear user-active flag on preemption completion
        drm/i915/gvt: Add drm_format_mod update
        drm/i915/gvt: Disable primary/sprite/cursor plane at virtual display initialization
        drm/i915/gvt: Delete redundant error message in fb_decode.c
        drm/i915/gvt: Cancel dma map when resetting ggtt entries
        drm/i915/gvt: Missed to cancel dma map for ggtt entries
        drm/i915/gvt: Make MI_USER_INTERRUPT nop in cmd parser
        drm/i915/gvt: Mark expected switch fall-through in handle_g2v_notification
        drm/i915/gvt: throw error on unhandled vfio ioctls
    • Merge tag 'drm-misc-fixes-2018-04-18-1' of git://anongit.freedesktop.org/drm/drm-misc into drm-next · e1898f99
      Dave Airlie authored
      drm-misc-fixes:
      
      stable: vc4: Fix memory leak during BO teardown (Daniel)
      dp: Add i2c retry for LSPCON adapters (Imre)
      hdcp: Fix device count mask (Ramalingam)
      
      Cc: Daniel J Blueman <daniel@quora.org>
      Cc: Imre Deak <imre.deak@intel.com>
      Cc: Ramalingam C <ramalingam.c@intel.com>
      
      * tag 'drm-misc-fixes-2018-04-18-1' of git://anongit.freedesktop.org/drm/drm-misc:
        drm/i915: Fix LSPCON TMDS output buffer enabling from low-power state
        drm: Fix HDCP downstream dev count read
        drm/vc4: Fix memory leak during BO teardown
    • Merge tag '4.17-rc1-SMB3-CIFS' of git://git.samba.org/sfrench/cifs-2.6 · 5ec83b22
      Linus Torvalds authored
      Pull cifs fixes from Steve French:
       "Various SMB3/CIFS fixes.
      
        There are three more security related fixes in progress that are not
        included in this set but they are still being tested and reviewed, so
        sending this unrelated set of smaller fixes now"
      
      * tag '4.17-rc1-SMB3-CIFS' of git://git.samba.org/sfrench/cifs-2.6:
        CIFS: fix typo in cifs_dbg
        cifs: do not allow creating sockets except with SMB1 posix exensions
        cifs: smbd: Dump SMB packet when configured
        cifs: smbd: Check for iov length on sending the last iov
        fs: cifs: Adding new return type vm_fault_t
        cifs: smb2ops: Fix NULL check in smb2_query_symlink
    • Merge tag 'for-4.17-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · d54b5c13
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
       "This contains a few fixups to the qgroup patches that were merged this
        dev cycle, unaligned access fix, blockgroup removal corner case fix
        and a small debugging output tweak"
      
      * tag 'for-4.17-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: print-tree: debugging output enhancement
        btrfs: Fix race condition between delayed refs and blockgroup removal
        btrfs: fix unaligned access in readdir
        btrfs: Fix wrong btrfs_delalloc_release_extents parameter
        btrfs: delayed-inode: Remove wrong qgroup meta reservation calls
        btrfs: qgroup: Use independent and accurate per inode qgroup rsv
        btrfs: qgroup: Commit transaction in advance to reduce early EDQUOT