- 22 Sep, 2017 2 commits
-
-
Takashi Iwai authored
When a USB-audio device receives a maliciously adjusted or corrupted buffer descriptor, the USB-audio driver may access an out-of-bounce value at its parser. This was detected by syzkaller, something like: BUG: KASAN: slab-out-of-bounds in usb_audio_probe+0x27b2/0x2ab0 Read of size 1 at addr ffff88006b83a9e8 by task kworker/0:1/24 CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc1-42251-gebb2c243 #224 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Workqueue: usb_hub_wq hub_event Call Trace: __dump_stack lib/dump_stack.c:16 dump_stack+0x292/0x395 lib/dump_stack.c:52 print_address_description+0x78/0x280 mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 kasan_report+0x22f/0x340 mm/kasan/report.c:409 __asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427 snd_usb_create_streams sound/usb/card.c:248 usb_audio_probe+0x27b2/0x2ab0 sound/usb/card.c:605 usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361 really_probe drivers/base/dd.c:413 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523 device_add+0xd0b/0x1660 drivers/base/core.c:1835 usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932 generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174 usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266 really_probe drivers/base/dd.c:413 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523 device_add+0xd0b/0x1660 drivers/base/core.c:1835 usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457 hub_port_connect drivers/usb/core/hub.c:4903 hub_port_connect_change drivers/usb/core/hub.c:5009 port_event drivers/usb/core/hub.c:5115 hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195 process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119 worker_thread+0x221/0x1850 kernel/workqueue.c:2253 kthread+0x3a1/0x470 kernel/kthread.c:231 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431 This patch adds the checks of out-of-bounce accesses at appropriate places and bails out when it goes out of the given buffer. Reported-by: Andrey Konovalov <andreyknvl@google.com> Tested-by: Andrey Konovalov <andreyknvl@google.com> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Baolin Wang authored
X32 ABI uses the 64bit timespec in addition to 64bit alignment of 64bit values. We have added compat ABI for these ioctls, but this patch adds one missing padding into 'struct snd_pcm_mmap_status_x32' to fix incompatibilities. Signed-off-by: Baolin Wang <baolin.wang@linaro.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
- 20 Sep, 2017 2 commits
-
-
Kai-Heng Feng authored
Like other Plantronics devices, C310 and C520-M do not support sample rate reading. Add them to the sample rate quirk accordingly. BugLink: https://bugs.launchpad.net/bugs/1708499 BugLink: https://bugs.launchpad.net/bugs/1709282Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Sriram Periyasamy authored
On recent Intel platforms (Haswell, Broadwell, Skylake, ApolloLake, KabyLake, ...), the IEC Coding Type (ICT) bitfield in the Digital Converter Control #3 needs to be set explicitly for HDMI/DisplayPort High Bit Rate (HBR) audio playback to work. This was not required in earlier platforms when HBR was first introduced. The ICT bits are defined in Section 7.3.3.9 of the HDaudio 1.0a specification. Since the ICT bitfield was not specified for HDAudio 1.0 devices (before 2009), we only program it on machines more recent than Haswell. We tested that this fix is not needed on Baytrail-I (MinnowBoard Turbot) and believe by extension it also does not apply to Braswell. [ Moved AC_VERB_SET_DIGI_CONVERT_3 definition to the right place by tiwai ] Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=98797Signed-off-by: Sriram Periyasamy <sriramx.periyasamy@intel.com> Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com> Signed-off-by: Subhransu S. Prusty <subhransu.s.prusty@intel.com> Acked-by: Vinod Koul <vinod.koul@intel.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
- 19 Sep, 2017 1 commit
-
-
Meng Xu authored
The hm->h.size is intended to hold the actual size of the hm struct that is copied from userspace and should always be <= sizeof(*hm). However, after copy_from_user(hm, puhm, hm->h.size), since userspace process has full control over the memory region pointed by puhm, it is possible that the value of hm->h.size is different from what is fetched-in previously (get_user(hm->h.size, (u16 __user *)puhm)). In other words, hm->h.size is overriden and the relation between hm->h.size and the hm struct is broken. This patch proposes to use a seperate variable, msg_size, to hold the value of the first fetch and override hm->h.size to msg_size after the second fetch to maintain the relation. Signed-off-by: Meng Xu <mengxu.gatech@gmail.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
- 18 Sep, 2017 1 commit
-
-
Guneshwor Singh authored
Commit 04c5d5a4 ("ALSA: compress: Embed struct device") removed the statement that used 'str' but didn't remove the variable itself. So remove it. [Adding stable to Cc since pr_debug() may refer to the uninitialized buffer -- tiwai] Fixes: 04c5d5a4 ("ALSA: compress: Embed struct device") Signed-off-by: Guneshwor Singh <guneshwor.o.singh@intel.com> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
- 12 Sep, 2017 2 commits
-
-
Takashi Iwai authored
ALSA sequencer core has a mechanism to load the enumerated devices automatically, and it's performed in an off-load work. This seems causing some race when a sequencer is removed while the pending autoload work is running. As syzkaller spotted, it may lead to some use-after-free: BUG: KASAN: use-after-free in snd_rawmidi_dev_seq_free+0x69/0x70 sound/core/rawmidi.c:1617 Write of size 8 at addr ffff88006c611d90 by task kworker/2:1/567 CPU: 2 PID: 567 Comm: kworker/2:1 Not tainted 4.13.0+ #29 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Workqueue: events autoload_drivers Call Trace: __dump_stack lib/dump_stack.c:16 [inline] dump_stack+0x192/0x22c lib/dump_stack.c:52 print_address_description+0x78/0x280 mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report+0x230/0x340 mm/kasan/report.c:409 __asan_report_store8_noabort+0x1c/0x20 mm/kasan/report.c:435 snd_rawmidi_dev_seq_free+0x69/0x70 sound/core/rawmidi.c:1617 snd_seq_dev_release+0x4f/0x70 sound/core/seq_device.c:192 device_release+0x13f/0x210 drivers/base/core.c:814 kobject_cleanup lib/kobject.c:648 [inline] kobject_release lib/kobject.c:677 [inline] kref_put include/linux/kref.h:70 [inline] kobject_put+0x145/0x240 lib/kobject.c:694 put_device+0x25/0x30 drivers/base/core.c:1799 klist_devices_put+0x36/0x40 drivers/base/bus.c:827 klist_next+0x264/0x4a0 lib/klist.c:403 next_device drivers/base/bus.c:270 [inline] bus_for_each_dev+0x17e/0x210 drivers/base/bus.c:312 autoload_drivers+0x3b/0x50 sound/core/seq_device.c:117 process_one_work+0x9fb/0x1570 kernel/workqueue.c:2097 worker_thread+0x1e4/0x1350 kernel/workqueue.c:2231 kthread+0x324/0x3f0 kernel/kthread.c:231 ret_from_fork+0x25/0x30 arch/x86/entry/entry_64.S:425 The fix is simply to assure canceling the autoload work at removing the device. Reported-by: Andrey Konovalov <andreyknvl@google.com> Tested-by: Andrey Konovalov <andreyknvl@google.com> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Markus Elfring authored
Add a jump target so that a bit of exception handling can be better reused at the end of this function. This issue was detected by using the Coccinelle software. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
- 07 Sep, 2017 10 commits
-
-
Takashi Iwai authored
BUG_ON() is the worst choice for a trivial sanity check. Either it should be removed or replaced with a softer one like WARN_ON() if still really needed. Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Helge Deller authored
The debug functions uses wrongly the %pF instead of the %pS printk format specifier for printing symbols for the address returned by _builtin_return_address(0). Fix it for the ia64, ppc64 and parisc64 architectures. Signed-off-by: Helge Deller <deller@gmx.de> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Markus Elfring authored
* Add a jump target so that a bit of exception handling can be better reused at the end of this function. This issue was detected by using the Coccinelle software. * The script "checkpatch.pl" pointed information out like the following. ERROR: do not use assignment in if condition Thus fix a few source code places. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Markus Elfring authored
* Add a jump target so that a bit of exception handling can be better reused at the end of this function. This issue was detected by using the Coccinelle software. * The script "checkpatch.pl" pointed information out like the following. ERROR: do not use assignment in if condition Thus fix a few source code places. [ This also fixed a potential use-after-free at error path of snd_opl3_hwdep_new(), too -- tiwai ] Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Markus Elfring authored
Add a jump target so that a bit of exception handling can be better reused at the end of this function. This issue was detected by using the Coccinelle software. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Markus Elfring authored
Add a jump target so that a bit of exception handling can be better reused at the end of this function. This issue was detected by using the Coccinelle software. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Markus Elfring authored
Add a jump target so that a bit of exception handling can be better reused at the end of this function. This issue was detected by using the Coccinelle software. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Markus Elfring authored
Add a jump target so that a bit of exception handling can be better reused at the end of this function. This issue was detected by using the Coccinelle software. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Markus Elfring authored
Add a jump target so that a bit of common code can be better reused at the end of this function. This issue was detected by using the Coccinelle software. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Markus Elfring authored
Add jump targets so that a bit of exception handling can be better reused at the end of these functions. This issue was detected by using the Coccinelle software. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
- 04 Sep, 2017 11 commits
-
-
Takashi Iwai authored
Merge tag 'asoc-v4.14-cs43130' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus ASoC: Fixes for the CS43130 driver A couple of warning fixes for the newly added CS43130 driver.
-
Takashi Iwai authored
The CA0132 codec driver doesn't call the free function at its error path of the probe, which leaves the allocated memory. Call ca0132_free() properly at the error handling. Fixes: a73d511c ("ALSA: hda/ca0132: Add unsol handler for DSP and jack detection") Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Wang YanQing authored
When hda_codec_driver_probe meet error and return failure, we need to free resource with patch_ops.free, or we will get resource leak. Signed-off-by: Wang YanQing <udknight@gmail.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Takashi Iwai authored
Add __maybe_unused prefix for addressing the following warnings: sound/soc/codecs/cs43130.c:2615:12: warning: ‘cs43130_runtime_resume’ defined but not used [-Wunused-function] sound/soc/codecs/cs43130.c:2596:12: warning: ‘cs43130_runtime_suspend’ defined but not used [-Wunused-function] Fixes: 8f1e5bf9 ("ASoC: cs43130: Add support for CS43130 codec") Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Mark Brown <broonie@kernel.org>
-
Takashi Iwai authored
As compiler spotted out, there is the potential NULL-dereference in the code when dc-measure OF is given for other than 43130/43131: sound/soc/codecs/cs43130.c:2089:18: warning: ‘hpload_seq’ may be used uninitialized in this function [-Wmaybe-uninitialized] Warn it and return before triggering Oops. Fixes: 8f1e5bf9 ("ASoC: cs43130: Add support for CS43130 codec") Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Mark Brown <broonie@kernel.org>
-
Takashi Iwai authored
Merge tag 'asoc-v4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus ASoC: Updates for v4.14 This is quite a large release by volume of patches and diff, a lot of that is mechanical cleanup patches but it's great to also see a range of vendors actively working on adding new features and fixing issues in their drivers. Intel and Realtek have been especially active here. - Continued work towards moving everything to the component model from Morimoto-san. - Use of devres for jack detection GPIOs, eliminating some potential resource leaks. - Jack detection support for Qualcomm MSM8916. - Support for Allwinner H3, Cirrus Logic CS43130, Intel Kabylake systems with RT5663, Realtek RT274, TI TLV320AIC32x6 and Wolfson WM8523.
-
Colin Ian King authored
Trivial fix to spelling mistake in variable name Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Mark Brown <broonie@kernel.org>
-
Andy Shevchenko authored
The ALSA related include header files are left overs after the commit 020c5260 ("ALSA: atmel: Remove AVR32 bits from the driver") Fixes: 020c5260 ("ALSA: atmel: Remove AVR32 bits from the driver") Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Andy Shevchenko authored
Convert the driver to use GPIO descriptor API. Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
PeiSen Hou authored
Intel ALC 700 needs this patch for jack detection function. Because ALC700's jack detect function defaults is disable. So alc700 needs pathc to enable jack detection function. Signed-off-by: PeiSen Hou <pshou@realtek.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Takashi Iwai authored
-
- 03 Sep, 2017 1 commit
-
-
Wang YanQing authored
Commit fb087eaa ("ALSA: hda - hdmi eld control created based on pcm") forget to filter out invalid pcm numbers, if there is only one invalid pcm number, then this issue causes we create eld control for invalid pcm silently, but when there are more than one invalid pcm numbers, then this issue bring probe error looks like below dmesg: " kernel: [ 1.647283] snd_hda_intel 0000:00:03.0: bound 0000:00:02.0 (ops 0xc2967540) kernel: [ 1.651192] snd_hda_intel 0000:00:03.0: Too many HDMI devices kernel: [ 1.651195] snd_hda_intel 0000:00:03.0: Consider building the kernel with CONFIG_SND_DYNAMIC_MINORS=y kernel: [ 1.651197] snd_hda_intel 0000:00:03.0: Too many HDMI devices kernel: [ 1.651199] snd_hda_intel 0000:00:03.0: Consider building the kernel with CONFIG_SND_DYNAMIC_MINORS=y kernel: [ 1.651201] snd_hda_intel 0000:00:03.0: Too many HDMI devices kernel: [ 1.651203] snd_hda_intel 0000:00:03.0: Consider building the kernel with CONFIG_SND_DYNAMIC_MINORS=y kernel: [ 1.651676] snd_hda_intel 0000:00:03.0: control 3:0:0:ELD:0 is already present kernel: [ 1.651787] snd_hda_codec_hdmi: probe of hdaudioC0D0 failed with error -16 " This patch add invalid pcm number filter before calling hdmi_create_eld_ctl. Fixes: fb087eaa ("ALSA: hda - hdmi eld control created based on pcm") Signed-off-by: Wang YanQing <udknight@gmail.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
- 01 Sep, 2017 10 commits
-
-
Mark Brown authored
Merge remote-tracking branches 'asoc/topic/wm8524', 'asoc/topic/wm8804' and 'asoc/topic/zte' into asoc-next
-
Mark Brown authored
Merge remote-tracking branches 'asoc/topic/twl6040', 'asoc/topic/txx9', 'asoc/topic/utils', 'asoc/topic/ux500' and 'asoc/topic/wm8523' into asoc-next
-
Mark Brown authored
Merge remote-tracking branches 'asoc/topic/tas2552', 'asoc/topic/tas5720', 'asoc/topic/tegra', 'asoc/topic/tlv320aic32x4' and 'asoc/topic/tlv320aic3x' into asoc-next
-
Mark Brown authored
Merge remote-tracking branches 'asoc/topic/simple', 'asoc/topic/spear', 'asoc/topic/sta32x', 'asoc/topic/stm32' and 'asoc/topic/sunxi' into asoc-next
-
Mark Brown authored
Merge remote-tracking branches 'asoc/topic/rt5665', 'asoc/topic/rt5670', 'asoc/topic/rt5677' and 'asoc/topic/samsung' into asoc-next
-
Mark Brown authored
Merge remote-tracking branches 'asoc/topic/rt5563', 'asoc/topic/rt5616', 'asoc/topic/rt5645', 'asoc/topic/rt5659' and 'asoc/topic/rt5663' into asoc-next
-
Mark Brown authored
Merge remote-tracking branches 'asoc/topic/rk3036', 'asoc/topic/rockchip', 'asoc/topic/rt274' and 'asoc/topic/rt5514' into asoc-next
-
Mark Brown authored
Merge remote-tracking branches 'asoc/topic/omap', 'asoc/topic/psc-ac97' and 'asoc/topic/pxa' into asoc-next
-
Mark Brown authored
Merge remote-tracking branches 'asoc/topic/mtk', 'asoc/topic/mxs', 'asoc/topic/nau8825', 'asoc/topic/nuc900' and 'asoc/topic/of-graph' into asoc-next
-
Mark Brown authored
Merge remote-tracking branches 'asoc/topic/kirkwood', 'asoc/topic/max9867', 'asoc/topic/max98926' and 'asoc/topic/max98927' into asoc-next
-