1. 18 Jan, 2016 5 commits
    • Takashi Iwai's avatar
      ALSA: control: Avoid kernel warnings from tlv ioctl with numid 0 · c0bcdbdf
      Takashi Iwai authored
      When a TLV ioctl with numid zero is handled, the driver may spew a
      kernel warning with a stack trace at each call.  The check was
      intended obviously only for a kernel driver, but not for a user
      interaction.  Let's fix it.
      
      This was spotted by syzkaller fuzzer.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      c0bcdbdf
    • Nicolas Boichat's avatar
      ALSA: seq: Fix snd_seq_call_port_info_ioctl in compat mode · 9586495d
      Nicolas Boichat authored
      This reverts one hunk of
      commit ef44a1ec ("ALSA: sound/core: use memdup_user()"), which
      replaced a number of kmalloc followed by memcpy with memdup calls.
      
      In this case, we are copying from a struct snd_seq_port_info32 to a
      struct snd_seq_port_info, but the latter is 4 bytes longer than the
      32-bit version, so we need to separate kmalloc and copy calls.
      
      Fixes: ef44a1ec ('ALSA: sound/core: use memdup_user()')
      Signed-off-by: default avatarNicolas Boichat <drinkcat@chromium.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      9586495d
    • Nicolas Boichat's avatar
      ALSA: pcm: Fix snd_pcm_hw_params struct copy in compat mode · 43c54b8c
      Nicolas Boichat authored
      This reverts one hunk of
      commit ef44a1ec ("ALSA: sound/core: use memdup_user()"), which
      replaced a number of kmalloc followed by memcpy with memdup calls.
      
      In this case, we are copying from a struct snd_pcm_hw_params32 to
      a struct snd_pcm_hw_params, but the latter is 4 bytes longer than
      the 32-bit version, so we need to separate kmalloc and copy calls.
      
      This actually leads to an out-of-bounds memory access later on
      in sound/soc/soc-pcm.c:soc_pcm_hw_params() (detected using KASan).
      
      Fixes: ef44a1ec ('ALSA: sound/core: use memdup_user()')
      Signed-off-by: default avatarNicolas Boichat <drinkcat@chromium.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      43c54b8c
    • Takashi Iwai's avatar
      ALSA: hrtimer: Fix stall by hrtimer_cancel() · 2ba1fe7a
      Takashi Iwai authored
      hrtimer_cancel() waits for the completion from the callback, thus it
      must not be called inside the callback itself.  This was already a
      problem in the past with ALSA hrtimer driver, and the early commit
      [fcfdebe7: ALSA: hrtimer - Fix lock-up] tried to address it.
      
      However, the previous fix is still insufficient: it may still cause a
      lockup when the ALSA timer instance reprograms itself in its callback.
      Then it invokes the start function even in snd_timer_interrupt() that
      is called in hrtimer callback itself, results in a CPU stall.  This is
      no hypothetical problem but actually triggered by syzkaller fuzzer.
      
      This patch tries to fix the issue again.  Now we call
      hrtimer_try_to_cancel() at both start and stop functions so that it
      won't fall into a deadlock, yet giving some chance to cancel the queue
      if the functions have been called outside the callback.  The proper
      hrtimer_cancel() is called in anyway at closing, so this should be
      enough.
      Reported-and-tested-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      2ba1fe7a
    • Takashi Iwai's avatar
      ALSA: hda - Fix bass pin fixup for ASUS N550JX · db8948e6
      Takashi Iwai authored
      ASUS N550JX (PCI SSID 1043:13df) requires the same fixup for a bass
      speaker output pin as other N550 models.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=110001
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      db8948e6
  2. 15 Jan, 2016 3 commits
    • Takashi Iwai's avatar
      ALSA: timer: Code cleanup · c3b16813
      Takashi Iwai authored
      This is a minor code cleanup without any functional changes:
      - Kill keep_flag argument from _snd_timer_stop(), as all callers pass
        only it false.
      - Remove redundant NULL check in _snd_timer_stop().
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      c3b16813
    • Takashi Iwai's avatar
      ALSA: timer: Harden slave timer list handling · b5a663aa
      Takashi Iwai authored
      A slave timer instance might be still accessible in a racy way while
      operating the master instance as it lacks of locking.  Since the
      master operation is mostly protected with timer->lock, we should cope
      with it while changing the slave instance, too.  Also, some linked
      lists (active_list and ack_list) of slave instances aren't unlinked
      immediately at stopping or closing, and this may lead to unexpected
      accesses.
      
      This patch tries to address these issues.  It adds spin lock of
      timer->lock (either from master or slave, which is equivalent) in a
      few places.  For avoiding a deadlock, we ensure that the global
      slave_active_lock is always locked at first before each timer lock.
      
      Also, ack and active_list of slave instances are properly unlinked at
      snd_timer_stop() and snd_timer_close().
      
      Last but not least, remove the superfluous call of _snd_timer_stop()
      at removing slave links.  This is a noop, and calling it may confuse
      readers wrt locking.  Further cleanup will follow in a later patch.
      
      Actually we've got reports of use-after-free by syzkaller fuzzer, and
      this hopefully fixes these issues.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      b5a663aa
    • Takashi Iwai's avatar
      ALSA: hda - Add fixup for Dell Latitidue E6540 · cf52103a
      Takashi Iwai authored
      Another Dell model, another fixup entry: Latitude E6540 needs the same
      fixup as other Latitude E series as workaround for noise problems.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=104341
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      cf52103a
  3. 14 Jan, 2016 2 commits
  4. 13 Jan, 2016 3 commits
  5. 12 Jan, 2016 5 commits
    • Takashi Iwai's avatar
      ALSA: hda - Fix white noise on Dell Latitude E5550 · 98070576
      Takashi Iwai authored
      Dell Latitude E5550 (1028:062c) has a white noise problem like other
      Latitude E models, and it gets fixed by the very same quirk as well.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=110591
      Cc: <stable@vger.kernel.org> # v4.1+
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      98070576
    • Heiner Kallweit's avatar
      ALSA: hda_intel: add card number to irq description · de65360b
      Heiner Kallweit authored
      Currently the info in /proc/interrupts doesn't allow to figure out which
      interrupt belongs to which card (HDMI, PCH, ..).
      Therefore add card details to the interrupt description.
      With the patch the info in /proc/interrupts looks like this:
      
      PCI-MSI 442368-edge      snd_hda_intel:card1
      PCI-MSI 49152-edge      snd_hda_intel:card0
      
      NOTE: this patch adds the new irq_descr field snd_card struct that is
      filled automatically at a card object creation.  This can be used
      generically for other drivers as well.  The changes for others will
      follow later -- tiwai
      Signed-off-by: default avatarHeiner Kallweit <hkallweit1@gmail.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      de65360b
    • Takashi Iwai's avatar
      ALSA: seq: Fix race at timer setup and close · 3567eb6a
      Takashi Iwai authored
      ALSA sequencer code has an open race between the timer setup ioctl and
      the close of the client.  This was triggered by syzkaller fuzzer, and
      a use-after-free was caught there as a result.
      
      This patch papers over it by adding a proper queue->timer_mutex lock
      around the timer-related calls in the relevant code path.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Tested-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      3567eb6a
    • Takashi Iwai's avatar
      ALSA: seq: Fix missing NULL check at remove_events ioctl · 030e2c78
      Takashi Iwai authored
      snd_seq_ioctl_remove_events() calls snd_seq_fifo_clear()
      unconditionally even if there is no FIFO assigned, and this leads to
      an Oops due to NULL dereference.  The fix is just to add a proper NULL
      check.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Tested-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      030e2c78
    • Takashi Iwai's avatar
      ALSA: usb-audio: Avoid calling usb_autopm_put_interface() at disconnect · 5c06d68b
      Takashi Iwai authored
      ALSA PCM may still have a leftover instance after disconnection and
      it delays its release.  The problem is that the PCM close code path of
      USB-audio driver has a call of snd_usb_autosuspend().  This involves
      with the call of usb_autopm_put_interface() and it may lead to a
      kernel Oops due to the NULL object like:
      
       BUG: unable to handle kernel NULL pointer dereference at 0000000000000190
       IP: [<ffffffff815ae7ef>] usb_autopm_put_interface+0xf/0x30 PGD 0
       Call Trace:
        [<ffffffff8173bd94>] snd_usb_autosuspend+0x14/0x20
        [<ffffffff817461bc>] snd_usb_pcm_close.isra.14+0x5c/0x90
        [<ffffffff8174621f>] snd_usb_playback_close+0xf/0x20
        [<ffffffff816ef58a>] snd_pcm_release_substream.part.36+0x3a/0x90
        [<ffffffff816ef6b3>] snd_pcm_release+0xa3/0xb0
        [<ffffffff816debb0>] snd_disconnect_release+0xd0/0xe0
        [<ffffffff8114d417>] __fput+0x97/0x1d0
        [<ffffffff8114d589>] ____fput+0x9/0x10
        [<ffffffff8109e452>] task_work_run+0x72/0x90
        [<ffffffff81088510>] do_exit+0x280/0xa80
        [<ffffffff8108996a>] do_group_exit+0x3a/0xa0
        [<ffffffff8109261f>] get_signal+0x1df/0x540
        [<ffffffff81040903>] do_signal+0x23/0x620
        [<ffffffff8114c128>] ? do_readv_writev+0x128/0x200
        [<ffffffff810012e1>] prepare_exit_to_usermode+0x91/0xd0
        [<ffffffff810013ba>] syscall_return_slowpath+0x9a/0x120
        [<ffffffff817587cd>] ? __sys_recvmsg+0x5d/0x70
        [<ffffffff810d2765>] ? ktime_get_ts64+0x45/0xe0
        [<ffffffff8115dea0>] ? SyS_poll+0x60/0xf0
        [<ffffffff818d2327>] int_ret_from_sys_call+0x25/0x8f
      
      We have already a check of disconnection in snd_usb_autoresume(), but
      the check is missing its counterpart.  The fix is just to put the same
      check in snd_usb_autosuspend(), too.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=109431
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      5c06d68b
  6. 11 Jan, 2016 22 commits