1. 23 Mar, 2018 5 commits
  2. 22 Mar, 2018 4 commits
    • ALSA: aloop: Fix access to not-yet-ready substream via cable · 8e6b1a72
      Takashi Iwai authored
      In loopback_open() and loopback_close(), we assign and release the
      substream object to the corresponding cable in a racy way.  It's
      neither locked nor done in the right position.  The open callback
      assigns the substream before its preparation finishes, hence the other
      side of the cable may pick it up, which may lead to the invalid memory
      access.
      
      This patch addresses these: move the assignment to the end of the open
      callback, and wrap with cable->lock for avoiding concurrent accesses.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
    • ALSA: aloop: Sync stale timer before release · 67a01afa
      Takashi Iwai authored
      The aloop driver tries to stop the pending timer via timer_del() in
      the trigger callback and in the close callback.  The former is
      correct, as it's an atomic operation, while the latter expects that
      the timer gets really removed and proceeds with the resource releases
      after that.  But timer_del() doesn't synchronize, hence the running
      timer may still access the released resources.
      
      A similar situation can also be seen in the prepare callback after
      trigger(STOP), where the prepare tries to re-initialize things
      while a timer is still running.
      
      The problems like the above are seen indirectly in some syzkaller
      reports (although it's not 100% clear whether this is the only cause,
      as the race condition is quite narrow and not always easy to
      trigger).
      
      For addressing these issues, this patch adds explicit calls of
      timer_del_sync() in some places, so that the pending timer is properly
      killed / synced.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
    • ALSA: hda/realtek - Fix speaker no sound after system resume · 88d42b2b
      Kailang Yang authored
      There is a chance that the speaker has no sound after system resume.
      Toggling NID 0x53 index 0x2 bit 15 will solve this issue.
      This usage is also suitable for ALC256.
      
      Fixes: 4a219ef8 ("ALSA: hda/realtek - Add ALC256 HP depop function")
      Signed-off-by: Kailang Yang <kailang@realtek.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
    • ALSA: hda/realtek - Fix Dell headset Mic can't record · f0ba9d69
      Kailang Yang authored
      This platform has a hardware-fixed CTIA type headset port.
      Assigning the 0x19 verb will fix the can't-record issue.
      Signed-off-by: Kailang Yang <kailang@realtek.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
  3. 21 Mar, 2018 2 commits
    • ALSA: usb: initial USB Audio Device Class 3.0 support · 9a2fe9b8
      Ruslan Bilovol authored
      Recently released USB Audio Class 3.0 specification
      introduces many significant changes comparing to
      previous versions, like
       - new Power Domains, support for LPM/L1
       - new Cluster descriptor
       - changed layout of all class-specific descriptors
       - new High Capability descriptors
       - New class-specific String descriptors
       - new and removed units
       - additional sources for interrupts
       - removed Type II Audio Data Formats
       - ... and many other things (check spec)
      
      It also provides backward compatibility through
      multiple configurations, as well as requires
      mandatory support for BADD (Basic Audio Device
      Definition) on each ADC3.0 compliant device
      
      This patch adds initial support of UAC3 specification
      that is enough for Generic I/O Profile (BAOF, BAIF)
      device support from BADD document.
      Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
      Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
    • ALSA: hda - Force polling mode on CFL for fixing codec communication · a8d7bde2
      Takashi Iwai authored
      We've observed too long probe time with Coffee Lake (CFL) machines,
      and the likely cause is some communication problem between the
      HD-audio controller and the codec chips.  While the controller expects
      an IRQ wakeup for each codec response, it seems sometimes missing, and
      it takes one second for the controller driver to time out and read the
      response in the polling mode.
      
      Although we aren't sure about the real culprit yet, in this patch, we
      put a workaround by forcing the polling mode as default for CFL
      machines; the polling mode itself isn't too heavy, and much better
      than other workarounds initially suggested (e.g. disabling
      power-save), at least.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199007
      Fixes: e79b0006 ("ALSA: hda - Add Coffelake PCI ID")
      Reported-and-tested-by: default avatarHui Wang <hui.wang@canonical.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
  4. 19 Mar, 2018 3 commits
  5. 17 Mar, 2018 1 commit
    • ALSA: hda/realtek - Always immediately update mute LED with pin VREF · e40bdb03
      Takashi Iwai authored
      Some HP laptops have a mute LED controlled by a pin VREF.  The
      Realtek codec driver updates the VREF via vmaster hook by calling
      snd_hda_set_pin_ctl_cache().
      
      This works fine as long as the driver is running in a normal mode.
      However, when the VREF change happens during the codec being in
      runtime PM suspend, the regmap access will skip and postpone the
      actual register change.  This ends up with the unchanged LED status
      until the next runtime PM resume even if you change the Master mute
      switch.  (Interestingly, the machine keeps the LED status even after
      the codec goes into D3 -- but it's another story.)
      
      For improving this usability, let the driver temporarily power up /
      down only during the pin VREF change.  This can be achieved easily by
      wrapping the call with snd_hda_power_up_pm() / *_down_pm().
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199073
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
  6. 13 Mar, 2018 3 commits
  7. 12 Mar, 2018 5 commits
  8. 11 Mar, 2018 9 commits
    • Merge branch 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · ed58d66f
      Linus Torvalds authored
      Pull x86/pti updates from Thomas Gleixner:
       "Yet another pile of melted spectrum related updates:
      
         - Drop native vsyscall support finally as it causes more trouble than
           benefit.
      
         - Make microcode loading more robust. There were a few issues
           especially related to late loading which are now surfacing because
           late loading of the IB* microcodes addressing spectre issues has
           become more widely used.
      
         - Simplify and robustify the syscall handling in the entry code
      
         - Prevent kprobes on the entry trampoline code which lead to kernel
           crashes when the probe hits before CR3 is updated
      
         - Don't check microcode versions when running on hypervisors as they
           are considered as lying anyway.
      
         - Fix the 32bit objtool build and a comment typo"
      
      * 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/kprobes: Fix kernel crash when probing .entry_trampoline code
        x86/pti: Fix a comment typo
        x86/microcode: Synchronize late microcode loading
        x86/microcode: Request microcode on the BSP
        x86/microcode/intel: Look into the patch cache first
        x86/microcode: Do not upload microcode if CPUs are offline
        x86/microcode/intel: Writeback and invalidate caches before updating microcode
        x86/microcode/intel: Check microcode revision before updating sibling threads
        x86/microcode: Get rid of struct apply_microcode_ctx
        x86/spectre_v2: Don't check microcode versions when running under hypervisors
        x86/vsyscall/64: Drop "native" vsyscalls
        x86/entry/64/compat: Save one instruction in entry_INT80_compat()
        x86/entry: Do not special-case clone(2) in compat entry
        x86/syscalls: Use COMPAT_SYSCALL_DEFINEx() macros for x86-only compat syscalls
        x86/syscalls: Use proper syscall definition for sys_ioperm()
        x86/entry: Remove stale syscall prototype
        x86/syscalls/32: Simplify $entry == $compat entries
        objtool: Fix 32-bit build
    • Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 1ad5daa6
      Linus Torvalds authored
      Pull timer fix from Thomas Gleixner:
       "Just a single fix which adds a missing Kconfig dependency to avoid
        unmet dependency warnings"
      
      * 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        clocksource/atmel-st: Add 'depends on HAS_IOMEM' to fix unmet dependency
    • Merge branch 'ras-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · ebb3762e
      Linus Torvalds authored
      Pull RAS fixes from Thomas Gleixner:
       "Two small fixes for RAS/MCE:
      
         - Serialize sysfs changes to avoid concurrent modification of
           underlying data
      
         - Add microcode revision to Machine Check records. This should have
           been there forever, but now with the broken microcode versions in
           the wild it has become important"
      
      * 'ras-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/MCE: Serialize sysfs changes
        x86/MCE: Save microcode revision in machine check records
    • Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 8ad44243
      Linus Torvalds authored
      Pull perf updates from Thomas Gleixner:
       "Another set of perf updates:
      
         - Fix a Skylake Uncore event format declaration
      
         - Prevent perf pipe mode from crashing which was caused by a missing
           buffer allocation
      
         - Make the perf top popup message which tells the user that it uses
           fallback mode on older kernels a debug message.
      
         - Make perf context rescheduling work correctly
      
         - Robustify the jump error drawing in perf browser mode so it does
           not try to create references to NULL initialized offset entries
      
         - Make trigger_on() robust so it does not enable the trigger before
           everything is set up correctly to handle it
      
         - Make perf auxtrace respect the --no-itrace option so it does not
           try to queue AUX data for decoding.
      
         - Prevent having different number of field separators in CVS output
           lines when a counter is not supported.
      
         - Make the perf kallsyms man page usage behave like it does for all
           other perf commands.
      
         - Synchronize the kernel headers"
      
      * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        perf/core: Fix ctx_event_type in ctx_resched()
        perf tools: Fix trigger class trigger_on()
        perf auxtrace: Prevent decoding when --no-itrace
        perf stat: Fix CVS output format for non-supported counters
        tools headers: Sync x86's cpufeatures.h
        tools headers: Sync copy of kvm UAPI headers
        perf record: Fix crash in pipe mode
        perf annotate browser: Be more robust when drawing jump arrows
        perf top: Fix annoying fallback message on older kernels
        perf kallsyms: Fix the usage on the man page
        perf/x86/intel/uncore: Fix Skylake UPI event format
    • Merge branch 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 02bf0ef0
      Linus Torvalds authored
      Pull locking fix from Thomas Gleixner:
       "rt_mutex_futex_unlock() grew a new irq-off call site, but the function
        assumes that it's always called from irq enabled context.
      
        Use (un)lock_irqsafe() to handle the new call site correctly"
      
      * 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        rtmutex: Make rt_mutex_futex_unlock() safe for irq-off callsites
    • Merge tag 'dmaengine-fix-4.16-rc5' of git://git.infradead.org/users/vkoul/slave-dma · abeb7521
      Linus Torvalds authored
      Pull dmaengine fixes from Vinod Koul:
       "Two small fixes are for this cycle:
      
         - fix max_chunk_size for rcar-dmac for R-Car Gen3
      
         - fix clock resource of mv_xor_v2"
      
      * tag 'dmaengine-fix-4.16-rc5' of git://git.infradead.org/users/vkoul/slave-dma:
        dmaengine: mv_xor_v2: Fix clock resource by adding a register clock
        dmaengine: rcar-dmac: fix max_chunk_size for R-Car Gen3
    • Merge tag 'gpio-v4.16-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio · d43be80a
      Linus Torvalds authored
      Pull GPIO fix from Linus Walleij:
       "This is a single GPIO fix for the v4.16 series affecting the Renesas
        driver, and fixes wakeup from external stuff"
      
      * tag 'gpio-v4.16-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
        gpio: rcar: Use wakeup_path i.s.o. explicit clock handling
    • dmaengine: mv_xor_v2: Fix clock resource by adding a register clock · 3cd2c313
      Gregory CLEMENT authored
      On the CP110 components which are present on the Armada 7K/8K SoC we need
      to explicitly enable the clock for the registers. However it is not
      needed for the AP8xx component, that's why this clock is optional.
      
      With this patch both clocks now have a name, but in order to be backward
      compatible, the name of the first clock is not used. This allows to still
      use this clock with a device tree using the old binding.
      Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
      Reviewed-by: Rob Herring <robh@kernel.org>
      Signed-off-by: Vinod Koul <vinod.koul@intel.com>
    • ALSA: pcm: Fix UAF in snd_pcm_oss_get_formats() · 01c0b426
      Takashi Iwai authored
      snd_pcm_oss_get_formats() has an obvious use-after-free around
      snd_mask_test() calls, as spotted by syzbot.  The passed format_mask
      argument is a pointer to the hw_params object that is freed before the
      loop.  What a surprise that it has been present since the original
      code of decades ago...
      
      Reported-by: syzbot+4090700a4f13fccaf648@syzkaller.appspotmail.com
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
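      The bug class above, as an added example that is not the kernel's code: a
      pointer into a heap object is taken, the object is freed, and the pointer is
      then dereferenced in a loop. The struct, the format indices, the
      user-visible bit values and the query_hw_params() stand-in are all
      assumptions for illustration; the fix is to copy the mask out by value
      while the object is still alive and free it afterwards.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Added example, not kernel code: names and values are illustrative. */

/* Driver-side format indices (assumed stand-ins for the ALSA format enum). */
enum { FMT_S8 = 0, FMT_U8 = 1, FMT_S16_LE = 2, FMT_S24_LE = 6, FMT_S32_LE = 10 };

/* A hardware-parameter object of the kind that is allocated, refined against
 * the device and then freed inside the function under discussion. */
struct hw_params {
    uint32_t format_mask;   /* bit n set: driver format n is supported */
    uint32_t other[8];      /* padding standing in for the rest of the object */
};

/* Assumed mapping from driver format index to a user-visible OSS-style bit. */
static const struct { int fmt; uint32_t user_bit; } fmt_table[] = {
    { FMT_S8,     0x40   },
    { FMT_U8,     0x08   },
    { FMT_S16_LE, 0x10   },
    { FMT_S24_LE, 0x800  },
    { FMT_S32_LE, 0x1000 },
};

static int mask_test(const uint32_t *mask, int bit)
{
    return (*mask >> bit) & 1u;
}

/* Constructed stand-in for refining hw_params against the device:
 * reports three supported formats. */
static struct hw_params *query_hw_params(void)
{
    struct hw_params *p = calloc(1, sizeof(*p));
    if (p)
        p->format_mask = (1u << FMT_S16_LE) | (1u << FMT_S24_LE) | (1u << FMT_S32_LE);
    return p;
}

/* Shape of the bug: format_mask points into *params, which is freed before
 * the loop that dereferences it. Kept only to show the pattern; never call it. */
uint32_t get_formats_buggy(void)
{
    struct hw_params *params = query_hw_params();
    if (!params)
        return 0;
    const uint32_t *format_mask = &params->format_mask; /* pointer into params */
    free(params);                                       /* ...then params is gone */
    uint32_t formats = 0;
    for (size_t i = 0; i < sizeof fmt_table / sizeof fmt_table[0]; i++)
        if (mask_test(format_mask, fmt_table[i].fmt))    /* use after free */
            formats |= fmt_table[i].user_bit;
    return formats;
}

/* Fixed shape: copy the value out of the object while it is still alive,
 * release the object, then work only on the copy. */
uint32_t get_formats_fixed(void)
{
    struct hw_params *params = query_hw_params();
    if (!params)
        return 0;
    uint32_t format_mask = params->format_mask;   /* a copy, not a pointer */
    free(params);
    uint32_t formats = 0;
    for (size_t i = 0; i < sizeof fmt_table / sizeof fmt_table[0]; i++)
        if (mask_test(&format_mask, fmt_table[i].fmt))
            formats |= fmt_table[i].user_bit;
    return formats;
}

int main(void)
{
    printf("supported formats: 0x%x\n", get_formats_fixed());  /* 0x1810 */
    return 0;
}
```

      Building the buggy variant with -fsanitize=address and calling it once is
      the quickest way to confirm the heap-use-after-free report; the fixed
      variant only ever reads its own stack copy.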
  9. 10 Mar, 2018 8 commits
    • Merge tag 'kbuild-fixes-v4.16-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild · 3266b5bd
      Linus Torvalds authored
      
      Pull Kbuild fixes from Masahiro Yamada:
      
       - make fixdep parse kconfig.h to fix missing rebuild
      
       - replace hyphens with underscores in builtin DTB label names
      
       - fix typos
      
      * tag 'kbuild-fixes-v4.16-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
        kbuild: Handle builtin dtb file names containing hyphens
        scripts/bloat-o-meter: fix typos in help
        fixdep: do not ignore kconfig.h
        fixdep: remove some false CONFIG_ matches
        fixdep: remove stale references to uml-config.h
    • Merge tag 'linux-watchdog-4.16-fixes-2' of git://www.linux-watchdog.org/linux-watchdog · 23b33acc
      Linus Torvalds authored
      Pull watchdog fixes from Wim Van Sebroeck:
      
       - f71808e_wdt: Fix magic close handling
      
       - sbsa: 32-bit read fix for WCV
      
       - hpwdt: Remove legacy NMI sourcing
      
      * tag 'linux-watchdog-4.16-fixes-2' of git://www.linux-watchdog.org/linux-watchdog:
        watchdog: hpwdt: Remove legacy NMI sourcing.
        watchdog: sbsa: use 32-bit read for WCV
        watchdog: f71808e_wdt: Fix magic close handling
    • Merge tag 'for-linus-20180309' of git://git.kernel.dk/linux-block · 91a26209
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
      
       - a xen-blkfront fix from Bhavesh with a multiqueue fix when
         detaching/re-attaching
      
       - a few important NVMe fixes, including a revert for a sysfs fix that
         caused some user space confusion
      
       - two bcache fixes by way of Michael Lyle
      
       - a loop regression fix, fixing an issue with lost writes on DAX.
      
      * tag 'for-linus-20180309' of git://git.kernel.dk/linux-block:
        loop: Fix lost writes caused by missing flag
        nvme_fc: rework sqsize handling
        nvme-fabrics: Ignore nr_io_queues option for discovery controllers
        xen-blkfront: move negotiate_mq to cover all cases of new VBDs
        Revert "nvme: create 'slaves' and 'holders' entries for hidden controllers"
        bcache: don't attach backing with duplicate UUID
        bcache: fix crashes in duplicate cache device register
        nvme: pci: pass max vectors as num_possible_cpus() to pci_alloc_irq_vectors
        nvme-pci: Fix EEH failure on ppc
    • Merge tag 'for-4.16/dm-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm · b3b25b1d
      Linus Torvalds authored
      
      Pull device mapper fixes from Mike Snitzer:
      
       - Fix an uninitialized variable false warning in dm bufio
      
       - Fix DM's passthrough ioctl support to be race free against an
         underlying device being removed.
      
       - Fix corner-case of DM raid resync reporting if/when the raid becomes
         degraded during resync; otherwise automated raid repair will fail.
      
       - A few DM multipath fixes to make non-SCSI optimizations, that were
         introduced during the 4.16 merge, useful for all non-SCSI devices,
         rather than narrowly define this non-SCSI mode in terms of "nvme".
      
         This allows the removal of "queue_mode nvme" that really didn't need
         to be introduced. Instead DM core will internalize whether
         nvme-specific IO submission optimizations are doable and DM multipath
         will only do SCSI-specific device handler operations if SCSI is in
         use.
      
      * tag 'for-4.16/dm-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
        dm table: allow upgrade from bio-based to specialized bio-based variant
        dm mpath: remove unnecessary NVMe branching in favor of scsi_dh checks
        dm table: fix "nvme" test
        dm raid: fix incorrect sync_ratio when degraded
        dm: use blkdev_get rather than bdgrab when issuing pass-through ioctl
        dm bufio: avoid false-positive Wmaybe-uninitialized warning
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · 2f64e70c
      Linus Torvalds authored
      Pull rdma fixes from Doug Ledford:
      
       - Various driver bug fixes in mlx5, mlx4, bnxt_re and qedr, ranging
         from bugs under load to bad error case handling
      
       - There is one largish patch fixing the locking in bnxt_re to avoid a
         machine hard lock situation
      
       - A few core bugs on error paths
      
       - A patch to reduce stack usage in the new CQ API
      
       - One mlx5 regression introduced in this merge window
      
       - There were new syzkaller scripts written for the RDMA subsystem and
         we are fixing issues found by the bot
      
       - One of the commits (aa0de36a “RDMA/mlx5: Fix integer overflow
         while resizing CQ”) is missing part of the commit log message and one
         of the SOB lines. The original patch was from Leon Romanovsky, and a
         cut-n-paste separator in the commit message confused patchworks which
         then put the end of message separator in the wrong place in the
         downloaded patch, and I didn’t notice in time. The patch made it into
         the official branch, and the only way to fix it in-place was to
         rebase. Given the pain that a rebase causes, and the fact that the
         patch has relevant tags for stable and syzkaller, a revert of the
         munged patch and a reapplication of the original patch with the log
         message intact was done.
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma: (25 commits)
        RDMA/mlx5: Fix integer overflow while resizing CQ
        Revert "RDMA/mlx5: Fix integer overflow while resizing CQ"
        RDMA/ucma: Check that user doesn't overflow QP state
        RDMA/mlx5: Fix integer overflow while resizing CQ
        RDMA/ucma: Limit possible option size
        IB/core: Fix possible crash to access NULL netdev
        RDMA/bnxt_re: Avoid Hard lockup during error CQE processing
        RDMA/core: Reduce poll batch for direct cq polling
        IB/mlx5: Fix an error code in __mlx5_ib_modify_qp()
        IB/mlx5: When not in dual port RoCE mode, use provided port as native
        IB/mlx4: Include GID type when deleting GIDs from HW table under RoCE
        IB/mlx4: Fix corruption of RoCEv2 IPv4 GIDs
        RDMA/qedr: Fix iWARP write and send with immediate
        RDMA/qedr: Fix kernel panic when running fio over NFSoRDMA
        RDMA/qedr: Fix iWARP connect with port mapper
        RDMA/qedr: Fix ipv6 destination address resolution
        IB/core : Add null pointer check in addr_resolve
        RDMA/bnxt_re: Fix the ib_reg failure cleanup
        RDMA/bnxt_re: Fix incorrect DB offset calculation
        RDMA/bnxt_re: Unconditionly fence non wire memory operations
        ...
    • Merge tag 'platform-drivers-x86-v4.16-6' of git://git.infradead.org/linux-platform-drivers-x86 · b3337a6c
      Linus Torvalds authored
      Pull x86 platform driver fixes from Darren Hart:
       "Correct a module loading race condition between the DELL_SMBIOS
        backend modules and the first user by converting them to bool features
        of the DELL_SMBIOS driver. Fixup the resulting Kconfig dependency
        issue with DCDBAS"
      
      * tag 'platform-drivers-x86-v4.16-6' of git://git.infradead.org/linux-platform-drivers-x86:
        platform/x86: dell-smbios: Resolve dependency error on DCDBAS
        platform/x86: Allow for SMBIOS backend defaults
        platform/x86: dell-smbios: Link all dell-smbios-* modules together
        platform/x86: dell-smbios: Rename dell-smbios source to dell-smbios-base
        platform/x86: dell-smbios: Correct some style warnings
    • ALSA: seq: Clear client entry before deleting else at closing · a2ff19f7
      Takashi Iwai authored
      When releasing a client, we need to clear the clienttab[] entry at
      first, then call snd_seq_queue_client_leave().  Otherwise, the
      in-flight cell in the queue might be picked up by the timer interrupt
      via snd_seq_check_queue() before calling snd_seq_queue_client_leave(),
      and it's delivered to another queue while the client is clearing
      queues.  This may eventually result in an uncleared cell remaining in
      a queue, and the later snd_seq_pool_delete() may need to wait for a
      long time until the event gets really processed.
      
      By moving the clienttab[] clearance at the beginning of release, any
      event delivery of a cell belonging to this client will fail at a later
      point, since snd_seq_client_ptr() returns NULL.  Thus the cell that
      was picked up by the timer interrupt will be returned immediately
      without further delivery, and the long stall of snd_seq_delete_pool()
      can be avoided, too.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
    • ALSA: seq: Fix possible UAF in snd_seq_check_queue() · d0f83306
      Takashi Iwai authored
      Although we've covered the races between concurrent write() and
      ioctl() in the previous patch series, there is still a possible UAF in
      the following scenario:
      
      A: user client closed		B: timer irq
        -> snd_seq_release()		  -> snd_seq_timer_interrupt()
          -> snd_seq_free_client()	    -> snd_seq_check_queue()
      				      -> cell = snd_seq_prioq_cell_peek()
            -> snd_seq_prioq_leave()
               .... removing all cells
            -> snd_seq_pool_done()
               .... vfree()
      				      -> snd_seq_compare_tick_time(cell)
      				         ... Oops
      
      So the problem is that a cell is peeked and accessed without any
      protection until it's retrieved from the queue again via
      snd_seq_prioq_cell_out().
      
      This patch tries to address it, also cleans up the code by a slight
      refactoring.  snd_seq_prioq_cell_out() now receives an extra pointer
      argument.  When it's non-NULL, the function checks the event timestamp
      with the given pointer.  The caller needs to pass the right reference
      either to snd_seq_tick or snd_seq_realtime depending on the event
      timestamp type.
      
      A good news is that the above change allows us to remove the
      snd_seq_prioq_cell_peek(), too, thus the patch actually reduces the
      code size.
      Reviewed-by: Nicolai Stange <nstange@suse.de>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
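      The peek-then-use race and the refactoring described above, as an added
      example that is not the kernel's or the sequencer's code: a small
      user-space queue ordered by timestamp, where cell_out() takes the current
      time by pointer and does the "is it due yet" comparison under the same
      lock that protects the list, so no caller ever holds a cell pointer that
      the queue could still free. The struct names, the prioq_* functions and
      the C11 atomic spinlock standing in for the kernel spinlock are all
      assumptions for illustration.

```c
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not kernel code. Names are illustrative stand-ins for the
 * sequencer's priority queue; the lock is a C11 atomic spinlock. */

struct cell {
    unsigned long time;     /* event timestamp (tick or realtime, caller's choice) */
    struct cell *next;
};

struct prioq {
    struct cell *head;      /* singly linked, ascending by time */
    atomic_flag lock;
};

static void prioq_lock(struct prioq *q)
{
    while (atomic_flag_test_and_set_explicit(&q->lock, memory_order_acquire))
        ;
}

static void prioq_unlock(struct prioq *q)
{
    atomic_flag_clear_explicit(&q->lock, memory_order_release);
}

void prioq_init(struct prioq *q)
{
    q->head = NULL;
    atomic_flag_clear(&q->lock);
}

/* Insert keeping ascending order; equal timestamps keep FIFO order. */
int prioq_cell_in(struct prioq *q, unsigned long time)
{
    struct cell *c = malloc(sizeof(*c));
    if (!c)
        return -1;
    c->time = time;
    prioq_lock(q);
    struct cell **pp = &q->head;
    while (*pp && (*pp)->time <= time)
        pp = &(*pp)->next;
    c->next = *pp;
    *pp = c;
    prioq_unlock(q);
    return 0;
}

/*
 * Racy pattern (the bug): peek the head under the lock, return the raw
 * pointer, compare its timestamp outside the lock, then dequeue. Between the
 * peek and the compare a concurrent client release can free every cell, so
 * the compare reads freed memory. That peek is deliberately not provided here.
 *
 * Fixed pattern: when 'now' is non-NULL the timestamp check happens under the
 * list lock and only a cell that is due is detached and returned; when 'now'
 * is NULL the head is dequeued unconditionally. A returned cell belongs to the
 * caller and can no longer be freed by the queue.
 */
struct cell *prioq_cell_out(struct prioq *q, const unsigned long *now)
{
    prioq_lock(q);
    struct cell *c = q->head;
    if (c && now && c->time > *now)
        c = NULL;               /* head exists but is not due yet */
    if (c)
        q->head = c->next;
    prioq_unlock(q);
    return c;
}

/* Deliver every cell due at *now (everything when now is NULL); returns the
 * number delivered. Freeing the cell stands in for delivering the event. */
int prioq_drain_due(struct prioq *q, const unsigned long *now)
{
    int delivered = 0;
    struct cell *c;
    while ((c = prioq_cell_out(q, now)) != NULL) {
        free(c);
        delivered++;
    }
    return delivered;
}

int main(void)
{
    struct prioq q;
    prioq_init(&q);
    prioq_cell_in(&q, 30);
    prioq_cell_in(&q, 10);
    prioq_cell_in(&q, 20);
    unsigned long now = 20;
    printf("due at 20: %d\n", prioq_drain_due(&q, &now));   /* 2 */
    printf("remaining: %d\n", prioq_drain_due(&q, NULL));   /* 1 */
    return 0;
}
```

      The caller still has to pass the right clock for the event's timestamp
      type, as the message says; what the refactoring buys is that the queue
      never hands out a pointer to a cell it may still free.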