1. 22 Aug, 2019 2 commits
    • Takashi Iwai's avatar
      ALSA: usb-audio: More validations of descriptor units · 57f87706
      Takashi Iwai authored
      Introduce a new helper to validate each audio descriptor unit before
      and check the unit before actually accessing it.  This should harden
      against the OOB access cases with malformed descriptors that have been
      recently frequently reported by fuzzers.
      
      The existing descriptor checks are still kept although they become
      superfluous after this patch.  They'll be cleaned up eventually
      later.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      57f87706
    • Takashi Iwai's avatar
      ALSA: usb-audio: Check mixer unit bitmap yet more strictly · f9f0e9ed
      Takashi Iwai authored
      The bmControls (for UAC1) or bmMixerControls (for UAC2/3) bitmap has a
      variable size depending on both input and output pins.  Its size is to
      fit with input * output bits.  The problem is that the input size
      can't be determined simply from the unit descriptor itself but it
      needs to parse the whole connected sources.  Although the
      uac_mixer_unit_get_channels() tries to check some possible overflow of
      this bitmap, it's incomplete due to the lack of the  evaluation of
      input pins.
      
      For covering possible overflows, this patch adds the bitmap overflow
      check in the loop of input pins in parse_audio_mixer_unit().
      
      Fixes: 0bfe5e43 ("ALSA: usb-audio: Check mixer unit descriptors more strictly")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      f9f0e9ed
  2. 21 Aug, 2019 2 commits
    • Takashi Iwai's avatar
      ALSA: line6: Fix memory leak at line6_init_pcm() error path · 1bc8d18c
      Takashi Iwai authored
      I forgot to release the allocated object at the early error path in
      line6_init_pcm().  For addressing it, slightly shuffle the code so
      that the PCM destructor (pcm->private_free) is assigned properly
      before all error paths.
      
      Fixes: 34501219 ("ALSA: line6: Fix write on zero-sized buffer")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      1bc8d18c
    • Takashi Iwai's avatar
      ALSA: usb-audio: Fix invalid NULL check in snd_emuusb_set_samplerate() · 6de3c9e3
      Takashi Iwai authored
      The quirk function snd_emuusb_set_samplerate() has a NULL check for
      the mixer element, but this is useless in the current code.  It used
      to be a check against mixer->id_elems[unitid] but it was changed later
      to the value after mixer_eleme_list_to_info() which is always non-NULL
      due to the container_of() usage.
      
      This patch fixes the check before the conversion.
      
      While we're at it, correct a typo in the comment in the function,
      too.
      
      Fixes: 8c558076 ("ALSA: usb-audio: Clean up mixer element list traverse")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      6de3c9e3
  3. 20 Aug, 2019 2 commits
  4. 19 Aug, 2019 1 commit
  5. 15 Aug, 2019 1 commit
  6. 14 Aug, 2019 3 commits
    • Hui Peng's avatar
      ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit · daac0715
      Hui Peng authored
      The `uac_mixer_unit_descriptor` shown as below is read from the
      device side. In `parse_audio_mixer_unit`, `baSourceID` field is
      accessed from index 0 to `bNrInPins` - 1, the current implementation
      assumes that descriptor is always valid (the length  of descriptor
      is no shorter than 5 + `bNrInPins`). If a descriptor read from
      the device side is invalid, it may trigger out-of-bound memory
      access.
      
      ```
      struct uac_mixer_unit_descriptor {
      	__u8 bLength;
      	__u8 bDescriptorType;
      	__u8 bDescriptorSubtype;
      	__u8 bUnitID;
      	__u8 bNrInPins;
      	__u8 baSourceID[];
      }
      ```
      
      This patch fixes the bug by add a sanity check on the length of
      the descriptor.
      Reported-by: default avatarHui Peng <benquike@gmail.com>
      Reported-by: default avatarMathias Payer <mathias.payer@nebelwelt.net>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarHui Peng <benquike@gmail.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      daac0715
    • Hui Wang's avatar
      ALSA: hda - Add a generic reboot_notify · 871b9066
      Hui Wang authored
      Make codec enter D3 before rebooting or poweroff can fix the noise
      issue on some laptops. And in theory it is harmless for all codecs
      to enter D3 before rebooting or poweroff, let us add a generic
      reboot_notify, then realtek and conexant drivers can call this
      function.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarHui Wang <hui.wang@canonical.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      871b9066
    • Hui Wang's avatar
      ALSA: hda - Let all conexant codec enter D3 when rebooting · 401714d9
      Hui Wang authored
      We have 3 new lenovo laptops which have conexant codec 0x14f11f86,
      these 3 laptops also have the noise issue when rebooting, after
      letting the codec enter D3 before rebooting or poweroff, the noise
      disappers.
      
      Instead of adding a new ID again in the reboot_notify(), let us make
      this function apply to all conexant codec. In theory make codec enter
      D3 before rebooting or poweroff is harmless, and I tested this change
      on a couple of other Lenovo laptops which have different conexant
      codecs, there is no side effect so far.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarHui Wang <hui.wang@canonical.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      401714d9
  7. 13 Aug, 2019 1 commit
  8. 10 Aug, 2019 1 commit
    • Wenwen Wang's avatar
      ALSA: hda - Fix a memory leak bug · cfef67f0
      Wenwen Wang authored
      In snd_hda_parse_generic_codec(), 'spec' is allocated through kzalloc().
      Then, the pin widgets in 'codec' are parsed. However, if the parsing
      process fails, 'spec' is not deallocated, leading to a memory leak.
      
      To fix the above issue, free 'spec' before returning the error.
      
      Fixes: 352f7f91 ("ALSA: hda - Merge Realtek parser code to generic parser")
      Signed-off-by: default avatarWenwen Wang <wenwen@cs.uga.edu>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      cfef67f0
  9. 09 Aug, 2019 1 commit
  10. 08 Aug, 2019 2 commits
    • Wenwen Wang's avatar
      ALSA: firewire: fix a memory leak bug · 1be3c1fa
      Wenwen Wang authored
      In iso_packets_buffer_init(), 'b->packets' is allocated through
      kmalloc_array(). Then, the aligned packet size is checked. If it is
      larger than PAGE_SIZE, -EINVAL will be returned to indicate the error.
      However, the allocated 'b->packets' is not deallocated on this path,
      leading to a memory leak.
      
      To fix the above issue, free 'b->packets' before returning the error code.
      
      Fixes: 31ef9134 ("ALSA: add LaCie FireWire Speakers/Griffin FireWave Surround driver")
      Signed-off-by: default avatarWenwen Wang <wenwen@cs.uga.edu>
      Reviewed-by: default avatarTakashi Sakamoto <o-takashi@sakamocchi.jp>
      Cc: <stable@vger.kernel.org> # v2.6.39+
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      1be3c1fa
    • Wenwen Wang's avatar
      sound: fix a memory leak bug · c7cd7c74
      Wenwen Wang authored
      In sound_insert_unit(), the controlling structure 's' is allocated through
      kmalloc(). Then it is added to the sound driver list by invoking
      __sound_insert_unit(). Later on, if __register_chrdev() fails, 's' is
      removed from the list through __sound_remove_unit(). If 'index' is not less
      than 0, -EBUSY is returned to indicate the error. However, 's' is not
      deallocated on this execution path, leading to a memory leak bug.
      
      To fix the above issue, free 's' before -EBUSY is returned.
      Signed-off-by: default avatarWenwen Wang <wenwen@cs.uga.edu>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      c7cd7c74
  11. 07 Aug, 2019 2 commits
    • Takashi Iwai's avatar
      ALSA: hda - Workaround for crackled sound on AMD controller (1022:1457) · c02f77d3
      Takashi Iwai authored
      A long-time problem on the recent AMD chip (X370, X470, B450, etc with
      PCI ID 1022:1457) with Realtek codecs is the crackled or distorted
      sound for capture streams, as well as occasional playback hiccups.
      After lengthy debugging sessions, the workarounds we've found are like
      the following:
      
      - Set up the proper driver caps for this controller, similar as the
        other AMD controller.
      
      - Correct the DMA position reporting with the fixed FIFO size, which
        is similar like as workaround used for VIA chip set.
      
      - Even after the position correction, PulseAudio still shows
        mysterious stalls of playback streams when a capture is triggered in
        timer-scheduled mode.  Since we have no clear way to eliminate the
        stall, pass the BATCH PCM flag for PA to suppress the tsched mode as
        a temporary workaround.
      
      This patch implements the workarounds.  For the driver caps, it
      defines a new preset, AXZ_DCAPS_PRESET_AMD_SB.  It enables the FIFO-
      corrected position reporting (corresponding to the new position_fix=6)
      and enforces the SNDRV_PCM_INFO_BATCH flag.
      
      Note that the current implementation is merely a workaround.
      Hopefully we'll find a better alternative in future, especially about
      removing the BATCH flag hack again.
      
      BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=195303
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      c02f77d3
    • Wenwen Wang's avatar
      ALSA: hiface: fix multiple memory leak bugs · 3d92aa45
      Wenwen Wang authored
      In hiface_pcm_init(), 'rt' is firstly allocated through kzalloc(). Later
      on, hiface_pcm_init_urb() is invoked to initialize 'rt->out_urbs[i]'. In
      hiface_pcm_init_urb(), 'rt->out_urbs[i].buffer' is allocated through
      kzalloc().  However, if hiface_pcm_init_urb() fails, both 'rt' and
      'rt->out_urbs[i].buffer' are not deallocated, leading to memory leak bugs.
      Also, 'rt->out_urbs[i].buffer' is not deallocated if snd_pcm_new() fails.
      
      To fix the above issues, free 'rt' and 'rt->out_urbs[i].buffer'.
      
      Fixes: a91c3fb2 ("Add M2Tech hiFace USB-SPDIF driver")
      Signed-off-by: default avatarWenwen Wang <wenwen@cs.uga.edu>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      3d92aa45
  12. 06 Aug, 2019 5 commits
  13. 02 Aug, 2019 2 commits
  14. 31 Jul, 2019 3 commits
  15. 30 Jul, 2019 1 commit
  16. 29 Jul, 2019 1 commit
  17. 27 Jul, 2019 1 commit
    • Samuel Thibault's avatar
      ALSA: hda: Fix 1-minute detection delay when i915 module is not available · 74bf71ed
      Samuel Thibault authored
      Distribution installation images such as Debian include different sets
      of modules which can be downloaded dynamically.  Such images may notably
      include the hda sound modules but not the i915 DRM module, even if the
      latter was enabled at build time, as reported on
      https://bugs.debian.org/931507
      
      In such a case hdac_i915 would be linked in and try to load the i915
      module, fail since it is not there, but still wait for a whole minute
      before giving up binding with it.
      
      This fixes such as case by only waiting for the binding if the module
      was properly loaded (or module support is disabled, in which case i915
      is already compiled-in anyway).
      
      Fixes: f9b54e19 ("ALSA: hda/i915: Allow delayed i915 audio component binding")
      Signed-off-by: default avatarSamuel Thibault <samuel.thibault@ens-lyon.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      74bf71ed
  18. 26 Jul, 2019 4 commits
  19. 25 Jul, 2019 1 commit
  20. 24 Jul, 2019 2 commits
  21. 23 Jul, 2019 2 commits