1
0
Fork 0
mirror of https://github.com/followmsi/android_kernel_google_msm.git synced 2024-11-06 23:17:41 +00:00
Commit graph

13128 commits

Author SHA1 Message Date
Paul Reioux
8dcf6aa290 Sound Control: MSM8960DT/APQ8064 ONLY: Fix logic derp
mixed up rec lock and power amp lock :'(

Signed-off-by: Paul Reioux <reioux@gmail.com>
Signed-off-by: flar2 <asegaert@gmail.com>
2019-03-16 12:49:12 +01:00
Paul Reioux
528e70238d Sound Control: separate locking mechanism for recording and playback
with newer hardware revisions coming from Qualcomm, single register lock
control isn't sufficient to cover both playback and recording usage scenarios

bump to version 3.5

Signed-off-by: Paul Reioux <reioux@gmail.com>
Signed-off-by: flar2 <asegaert@gmail.com>
2019-03-16 12:49:00 +01:00
Paul Reioux
4c89a46f4b Sound Control: let register lock be dependent on different hw revisions
Signed-off-by: Paul Reioux <reioux@gmail.com>
Signed-off-by: flar2 <asegaert@gmail.com>
2019-03-16 12:48:50 +01:00
Paul Reioux
1129d314ff Sound Control: Misc clean up for newer WCD9xxx SOCs
Bump driver version to 3.4

Signed-off-by: Paul Reioux <reioux@gmail.com>
Signed-off-by: flar2 <asegaert@gmail.com>
2019-03-16 12:48:43 +01:00
Paul Reioux
e03b62f35d Sound Control: expose direct register manipulations to userspace
bump driver version to 3.3

Signed-off-by: Paul Reioux <reioux@gmail.com>
Signed-off-by: flar2 <asegaert@gmail.com>
2019-03-16 12:48:33 +01:00
Paul Reioux
8c16800486 sound control: add register cache
bump to version 3.2

Signed-off-by: Paul Reioux <reioux@gmail.com>
Signed-off-by: flar2 <asegaert@gmail.com>
2019-03-16 12:47:25 +01:00
Paul Reioux
54d75c8c36 Sound Control: (OPTIONAL) add power amp registers access control as well
Signed-off-by: Paul Reioux <reioux@gmail.com>
Signed-off-by: flar2 <asegaert@gmail.com>
2019-03-16 12:47:14 +01:00
Paul Reioux
b5feb08ab6 Sound Control: (Optional) work around for WCD93xx audio issues
(Use this only for devices with audio reset issues)

Also bump version to 3.1

Signed-off-by: Paul Reioux <reioux@gmail.com>

wcd9xxx-core: add register write without mutex protection

This is assuming the calling function will take care of the mutex.

Signed-off-by: Paul Reioux <reioux@gmail.com>
Signed-off-by: flar2 <asegaert@gmail.com>
2019-03-16 12:46:51 +01:00
Paul Reioux
975d8505e9 sound control 3.x: Initial GPL release for WCD9310 Audio Codec
This is first official GPL release based on my private implementation.

This release has been tested for Mako and Flo officially.  It may work
with other devices using the same WCD9310 Audio Codec as well, but not tested

Signed-off-by: Paul Reioux <reioux@gmail.com>
Signed-off-by: flar2 <asegaert@gmail.com>
2019-03-16 12:46:03 +01:00
Paul Reioux
72b6ba851b sound/soc/codecs/wcd9310.c: expose additional controls
Signed-off-by: Paul Reioux <reioux@gmail.com>
Signed-off-by: flar2 <asegaert@gmail.com>
2019-03-16 12:45:49 +01:00
Paul Reioux
b983812326 Sound Control: Added headphone poweramp controls
bump version to 2.1 to reflec this new addition

Signed-off-by: Paul Reioux <reioux@gmail.com>
Signed-off-by: flar2 <asegaert@gmail.com>
2019-03-16 12:42:44 +01:00
faux123
b3dc4742d9 Sound Control: Sound control for WCD93xx codec
Fully GPL'ed version.

Signed-off-by: faux123 <reioux@gmail.com>

Conflicts:
	sound/soc/codecs/Kconfig
	sound/soc/codecs/Makefile
Signed-off-by: flar2 <asegaert@gmail.com>
2019-03-16 12:42:34 +01:00
Honghao Liu
ed3e1345c9 ASoC: msm: Add support for flexible period size and count
Add support for flexible period size and count for audio playback path.

Change-Id: Ide5b504054e9eee5c1ffee60b889446919aeb7f4
Signed-off-by: Honghao Liu <honghaol@codeaurora.org>
2018-08-27 14:52:47 +00:00
Kuirong Wang
eb02886309 ASoC: msm: Validate pcm buffer size
Check if pcm samples to be copied is greater than
the kernel buffer size.

Change-Id: Ieddd3a3299640ebea0225985d13952045d5dc5c9
CRs-fixed: 813448
Signed-off-by: Kuirong Wang <kuirongw@codeaurora.org>
2018-08-27 14:52:46 +00:00
Asish Bhattacharya
ba9db7d517 ASoC: msm: Fix wrong wait_event_timeout timeout checks
wait_event_timeout returns zero when there is a timeout.
Change fixes the condition check to handle timeouts.

Change-Id: I01184cce0c98a82bb205023b07dd4dd2d91b42ad
CRs-Fixed: 487821
Signed-off-by: Asish Bhattacharya <asishb@codeaurora.org>
Signed-off-by: Sridhar Gujje <sgujje@codeaurora.org>
2018-08-27 14:52:46 +00:00
Sidipotu Ashok
4b7d2993d8 ASoc: msm: Fix for pcm_read getting struck in alsa core.
Advance hardware pointer by period size even if the packet
coming from qdsp6 is of less size. QDSP6 sometimes
(for rapid device switches) gives packets worth less
than period size and this results in hw_ptr appl_ptr mismatch.

CRs-Fixed: 486276
CRs-Fixed: 488449
Change-Id: I893f9a52e4cd507fd72e4a7aba3c5fa76527d1bf
Signed-off-by: Sidipotu Ashok <sashok@codeaurora.org>
2018-08-27 14:52:46 +00:00
Patrick Lai
7d142e34bd ASoC: msm: flush if prior and current backends rate not matching
It is found that during device switch from one backend
with one sample rate to another backend with another sample rate,
the command to QDSP6 ADM which maps audio stream session to a
particular backend would not get carried out until pending
data of audio stream session from previous backend is either
read out or flushed. This scenario occurs when application
stops providing more buffers to retrieve captured data.
Remedy is to flush upon detection of rate mismatching

Change-Id: I2c01c036d9bb71f938a6795337f08948bd986553
CRs-fixed: 422205
Signed-off-by: Patrick Lai <plai@codeaurora.org>
Signed-off-by: Joonwoo Park <joonwoop@codeaurora.org>
2018-08-27 14:52:45 +00:00
Krishnankutty Kolathappilly
799b9c14c2 asoc: msm: Add flexible period count to pcm record driver
In pcm recording, if buffers are not requested from dsp at real
 time then dsp drops the buffers and sends partial buffers. This
 is causing record failures. Pcm record platform driver has two
 periods. If system is loaded, read request will not be at real
 time. Add flexible period count to pcm record platform driver
 so client can configure the period count.

CRs-Fixed: 467746
Change-Id: Iadd47979f7b29a01fb8e6479383094a2ed1d93c5
Signed-off-by: Krishnankutty Kolathappilly <kkolat@codeaurora.org>
2018-08-27 14:52:45 +00:00
Iliyan Malchev
796ae158b5 Revert "ASoC: msm: Flexible period size for pcm playback"
This reverts commit 2c0066767d.
2018-08-27 14:52:45 +00:00
Xiaojun Sang
365b75aec9 ASoC: msm: remove unused msm-compr-q6-v2
msm-compr-q6-v2.c and msm-compr-q6-v2.h are no longer used.

CRs-Fixed: 2022953
Change-Id: I856d90a212a3e123a2c8b80092aff003f7c608c7
Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
(cherry picked from commit dc333eb1c31b5bdd2b6375d7cb890086d8f27d8b)
2018-02-16 20:15:05 -07:00
Robb Glasser
745b477c70 ALSA: pcm: prevent UAF in snd_pcm_info
When the device descriptor is closed, the `substream->runtime` pointer
is freed. But another thread may be in the ioctl handler, case
SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which
calls snd_pcm_info() which accesses the now freed `substream->runtime`.

Bug: 36006981
Signed-off-by: Robb Glasser <rglasser@google.com>
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
Change-Id: I445d24bc21dc0af6d9522a8daabe64969042236a
2018-01-13 17:13:42 +03:00
Takashi Iwai
929132b4e2 UPSTREAM: ALSA: timer: Call notifier in the same spinlock
snd_timer_notify1() is called outside the spinlock and it retakes the
lock after the unlock.  This is rather racy, and it's safer to move
snd_timer_notify() call inside the main spinlock.

The patch also contains a slight refactoring / cleanup of the code.
Now all start/stop/continue/pause look more symmetric and a bit better
readable.

Bug: 37240993
Change-Id: Ib90099f88c8b04928a8cdd2808cd9e16da6d519c
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Siqi Lin <siqilin@google.com>
2018-01-13 17:13:38 +03:00
Takashi Iwai
8e830ee882 UPSTREAM: ALSA: timer: Fix race between stop and interrupt
commit ed8b1d6d2c741ab26d60d499d7fbb7ac801f0f51 upstream.

A slave timer element also unlinks at snd_timer_stop() but it takes
only slave_active_lock.  When a slave is assigned to a master,
however, this may become a race against the master's interrupt
handling, eventually resulting in a list corruption.  The actual bug
could be seen with a syzkaller fuzzer test case in BugLink below.

As a fix, we need to take timeri->timer->lock when timer isn't NULL,
i.e. assigned to a master, while the assignment to a master itself is
protected by slave_active_lock.

Bug: 37240993
Change-Id: Ib6eae144d5fdc92546d2210bcd6bc56454ad3e42
BugLink: http://lkml.kernel.org/r/CACT4Y+Y_Bm+7epAb=8Wi=AaWd+DYS7qawX52qxdCfOfY49vozQ@mail.gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Siqi Lin <siqilin@google.com>
2018-01-13 17:13:37 +03:00
Takashi Iwai
df160c6cdf UPSTREAM: ALSA: timer: Fix link corruption due to double start or stop
commit f784beb75ce82f4136f8a0960d3ee872f7109e09 upstream.

Although ALSA timer code got hardening for races, it still causes
use-after-free error.  This is however rather a corrupted linked list,
not actually the concurrent accesses.  Namely, when timer start is
triggered twice, list_add_tail() is called twice, too.  This ends
up with the link corruption and triggers KASAN error.

The simplest fix would be replacing list_add_tail() with
list_move_tail(), but fundamentally it's the problem that we don't
check the double start/stop correctly.  So, the right fix here is to
add the proper checks to snd_timer_start() and snd_timer_stop() (and
their variants).

Bug: 37240993
Change-Id: I86a327c4479fecf9b502ba6122c8ae67a2326754
BugLink: http://lkml.kernel.org/r/CACT4Y+ZyPRoMQjmawbvmCEDrkBD2BQuH7R09=eOkf5ESK8kJAw@mail.gmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Siqi Lin <siqilin@google.com>
2018-01-13 17:13:37 +03:00
Takashi Iwai
85b1355a58 UPSTREAM: ALSA: timer: Code cleanup
commit c3b1681375dc6e71d89a3ae00cc3ce9e775a8917 upstream.

This is a minor code cleanup without any functional changes:
- Kill keep_flag argument from _snd_timer_stop(), as all callers pass
  only it false.
- Remove redundant NULL check in _snd_timer_stop().

Bug: 37240993
Change-Id: Idc3778ca1cd62b8c22e2a57b3c1130fe7b3d13f6
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Siqi Lin <siqilin@google.com>
2018-01-13 17:13:37 +03:00
Takashi Iwai
b4a01e21d7 BACKPORT: ALSA: timer: Fix race at concurrent reads
snd_timer_user_read() has a potential race among parallel reads, as
qhead and qused are updated outside the critical section due to
copy_to_user() calls.  Move them into the critical section, and also
sanitize the relevant code a bit.

Bug: 37240993
Change-Id: I7358a57638ef23eb7f97341eaee1f0dd4ba2795a
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Siqi Lin <siqilin@google.com>
(cherry picked from commit 4dff5c7b7093b19c19d3a100f8a3ad87cb7cd9e7)
2018-01-13 17:13:36 +03:00
Takashi Iwai
710ed142a4 BACKPORT: ALSA: timer: Handle disconnection more safely
[ Upstream commit 230323dac060123c340cf75997971145a42661ee ]

Currently ALSA timer device doesn't take the disconnection into
account very well; it merely unlinks the timer device at disconnection
callback but does nothing else.  Because of this, when an application
accessing the timer device is disconnected, it may release the
resource before actually closed.  In most cases, it results in a
warning message indicating a leftover timer instance like:
   ALSA: timer xxxx is busy?
But basically this is an open race.

This patch tries to address it.  The strategy is like other ALSA
devices: namely,
- Manage card's refcount at each open/close
- Wake up the pending tasks at disconnection
- Check the shutdown flag appropriately at each possible call

Note that this patch has one ugly hack to handle the wakeup of pending
tasks.  It'd be cleaner to introduce a new disconnect op to
snd_timer_instance ops.  But since it would lead to internal ABI
breakage and it eventually increase my own work when backporting to
stable kernels, I took a different path to implement locally in
timer.c.  A cleanup patch will follow at next for 4.5 kernel.

Bug: 37240993
Change-Id: I05c7f0e7d28b63fc343091f800ceae9ec2afe4a4
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=109431
Cc: <stable@vger.kernel.org> # v3.15+
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Siqi Lin <siqilin@google.com>
(cherry picked from commit 230323dac060123c340cf75997971145a42661ee)
2018-01-13 17:13:36 +03:00
Takashi Iwai
0a5ec0eb11 UPSTREAM: ALSA: timer: Fix wrong instance passed to slave callbacks
commit 117159f0b9d392fb433a7871426fad50317f06f7 upstream.

In snd_timer_notify1(), the wrong timer instance was passed for slave
ccallback function.  This leads to the access to the wrong data when
an incompatible master is handled (e.g. the master is the sequencer
timer and the slave is a user timer), as spotted by syzkaller fuzzer.

This patch fixes that wrong assignment.

Bug: 37240993
Change-Id: I7a9f258f13d500776725f2383136dabcb563a0d3
BugLink: http://lkml.kernel.org/r/CACT4Y+Y_Bm+7epAb=8Wi=AaWd+DYS7qawX52qxdCfOfY49vozQ@mail.gmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Siqi Lin <siqilin@google.com>
2018-01-13 17:13:35 +03:00
Artem Borisov
d7992e6feb Merge remote-tracking branch 'stable/linux-3.4.y' into lineage-15.1
All bluetooth-related changes were omitted because of our ancient incompatible bt stack.

Change-Id: I96440b7be9342a9c1adc9476066272b827776e64
2017-12-27 17:13:15 +03:00
Takashi Iwai
383328af7a ALSA: timer: Fix race between read and ioctl
The read from ALSA timer device, the function snd_timer_user_tread(),
may access to an uninitialized struct snd_timer_user fields when the
read is concurrently performed while the ioctl like
snd_timer_user_tselect() is invoked.  We have already fixed the races
among ioctls via a mutex, but we seem to have forgotten the race
between read vs ioctl.

This patch simply applies (more exactly extends the already applied
range of) tu->ioctl_lock in snd_timer_user_tread() for closing the
race window.

Change-Id: I3b539d6e01d86d5b9cbe813e2616894e6202225f
Reported-by: Alexander Potapenko <glider@google.com>
Tested-by: Alexander Potapenko <glider@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-07-17 05:11:28 +00:00
Takashi Iwai
0fad971542 ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT
snd_timer_user_tselect() reallocates the queue buffer dynamically, but
it forgot to reset its indices.  Since the read may happen
concurrently with ioctl and snd_timer_user_tselect() allocates the
buffer via kmalloc(), this may lead to the leak of uninitialized
kernel-space data, as spotted via KMSAN:

  BUG: KMSAN: use of unitialized memory in snd_timer_user_read+0x6c4/0xa10
  CPU: 0 PID: 1037 Comm: probe Not tainted 4.11.0-rc5+ 
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
  Call Trace:
   __dump_stack lib/dump_stack.c:16
   dump_stack+0x143/0x1b0 lib/dump_stack.c:52
   kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:1007
   kmsan_check_memory+0xc2/0x140 mm/kmsan/kmsan.c:1086
   copy_to_user ./arch/x86/include/asm/uaccess.h:725
   snd_timer_user_read+0x6c4/0xa10 sound/core/timer.c:2004
   do_loop_readv_writev fs/read_write.c:716
   __do_readv_writev+0x94c/0x1380 fs/read_write.c:864
   do_readv_writev fs/read_write.c:894
   vfs_readv fs/read_write.c:908
   do_readv+0x52a/0x5d0 fs/read_write.c:934
   SYSC_readv+0xb6/0xd0 fs/read_write.c:1021
   SyS_readv+0x87/0xb0 fs/read_write.c:1018

This patch adds the missing reset of queue indices.  Together with the
previous fix for the ioctl/read race, we cover the whole problem.

Change-Id: I5143563a56255d4063992e75f360972658b3eb21
Reported-by: Alexander Potapenko <glider@google.com>
Tested-by: Alexander Potapenko <glider@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-07-17 05:10:10 +00:00
Xiaojun Sang
b293354c82 ASoC: msm: qdsp6v2: set pointer to NULL after free.
Pointer after kfree is not sanitized.
Set pointer to NULL.

CRs-Fixed: 2008031
Change-Id: Ia59a57fcd142a6ed18d168992b8da4019314afa4
Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
Signed-off-by: Bikshapathi Kothapeta <bkotha@codeaurora.org>
2017-06-26 20:42:03 +03:00
Takashi Iwai
6e47c42f2a ALSA: seq: Fix race at timer setup and close
ALSA sequencer code has an open race between the timer setup ioctl and
the close of the client.  This was triggered by syzkaller fuzzer, and
a use-after-free was caught there as a result.

This patch papers over it by adding a proper queue->timer_mutex lock
around the timer-related calls in the relevant code path.

Change-Id: I58773978b545fb73311e2eab973ab63c9099dba1
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-06-26 18:21:28 +03:00
Dan Carpenter
39cd3354c6 ALSA: compress: fix an integer overflow check
I previously added an integer overflow check here but looking at it now,
it's still buggy.

The bug happens in snd_compr_allocate_buffer().  We multiply
".fragments" and ".fragment_size" and that doesn't overflow but then we
save it in an unsigned int so it truncates the high bits away and we
allocate a smaller than expected size.

Fixes: b35cc82258 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()')
Change-Id: I7759b19003e8bebbcb16652a6398a8ef8c355250
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-06-26 18:07:13 +03:00
Shiv Maliyappanahalli
ea1268cd08 ASoC: msm: qdsp6v2: Fix buffer overflow in voice driver
Userspace registers calibration data with acdb driver
through ioctls. Voice driver registers the calibration
data with CVD by querying acdb data from acdb driver and
copies the calibration data in apr message.

The size of the calibration data can be controlled by userspace
and can result in buffer overflow if the calibration size is
greater than the destination buffer size.
Reject acdb data if the size is greater than the size of
destination buffer.

Change-Id: I1b495390d67907afc608ed8233bf916777d38e11
CRs-fixed: 548872
Signed-off-by: Shiv Maliyappanahalli <smaliyap@codeaurora.org>
2017-06-26 17:04:55 +03:00
Siqi Lin
9e83134523 ALSA: info: Check for integer overflow in snd_info_entry_write()
snd_info_entry_write() resizes the buffer with an unsigned long
size argument that gets truncated because resize_info_buffer()
takes the size parameter as an unsigned int. On 64-bit kernels,
this causes the following copy_to_user() to write out-of-bounds
if (pos + count) can't be represented by an unsigned int.

Bug: 32510733
Change-Id: I9e8b55f93f2bd606b4a73b5a4525b71ee88c7c23
Signed-off-by: Siqi Lin <siqilin@google.com>
2017-06-07 13:18:23 -06:00
Siena Richard
554b572f33 ASoC: msm: qdsp6v2: return error when copy from userspace fails
A copy_from_user is not always expected to succeed. Therefore, check
for an error before operating on the buffer post copy.

CAF-Change-Id: Ibba9a47c84e735d30e32eeac5b80d51044b7a9e8
CRs-Fixed: 1094852
Signed-off-by: Siena Richard <sienar@codeaurora.org>

CVE-2017-0610

Change-Id: I238dd28d531778104660ff5ac9b8a9733c2fac6a
(cherry picked from commit 65009746a6e649779f73d665934561ea983892fe)
2017-05-02 13:50:08 -06:00
Xiaoyu Ye
36067ad6a1 ASoC: msm: qdsp6v2: Add range checking in msm_dai_q6_set_channel_map
Range checking is added to prevent buffer overflow that due to inputs
can be set by user space.

CRs-Fixed: 1098363
CAF-Change-Id: I057261291806240ee6d7b8106a5e83a7665e013d
Signed-off-by: Xiaoyu Ye <benyxy@codeaurora.org>

CVE-2017-0608

Change-Id: I41aee14edf5a7dd257aae78132047048b82b127e
(cherry picked from commit b66f442dd97c781e873e8f7b248e197f86fd2980)
2017-05-02 11:38:05 -06:00
Lars-Peter Clausen
401717e104 ALSA: control: Make sure that id->index does not overflow
The ALSA control code expects that the range of assigned indices to a control is
continuous and does not overflow. Currently there are no checks to enforce this.
If a control with a overflowing index range is created that control becomes
effectively inaccessible and unremovable since snd_ctl_find_id() will not be
able to find it. This patch adds a check that makes sure that controls with a
overflowing index range can not be created.

Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Acked-by: Jaroslav Kysela <perex@perex.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

CVE-2014-4656

Change-Id: Id984d11f78449f476804642ccfaf09380ad70ac9
(cherry picked from commit 883a1d49f0)
2017-04-03 16:43:05 -06:00
Takashi Iwai
a2b06797f9 ALSA: pcm : Call kill_fasync() in stream lock
Currently kill_fasync() is called outside the stream lock in
snd_pcm_period_elapsed().  This is potentially racy, since the stream
may get released even during the irq handler is running.  Although
snd_pcm_release_substream() calls snd_pcm_drop(), this doesn't
guarantee that the irq handler finishes, thus the kill_fasync() call
outside the stream spin lock may be invoked after the substream is
detached, as recently reported by KASAN.

As a quick workaround, move kill_fasync() call inside the stream
lock.  The fasync is rarely used interface, so this shouldn't have a
big impact from the performance POV.

Ideally, we should implement some sync mechanism for the proper finish
of stream and irq handler.  But this oneliner should suffice for most
cases, so far.

Reported-by: Baozeng Ding <sploving1@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
(cherry picked from commit 3aa02cb664c5fb1042958c8d1aa8c35055a2ebc4)

Change-Id: I921b3b0b4a7dfaa6267df71676d99e8dc2fb303f
2017-03-07 05:44:50 +00:00
Lars-Peter Clausen
602366ce81 ALSA: Remove transfer_ack_{begin,end} callbacks from struct snd_pcm_runtime
While there is nothing wrong with the transfer_ack_begin and
transfer_ack_end callbacks per-se, the last documented user was part of the
alsa-driver 0.5.12a package, which was released 14 years ago and even
predates the upstream integration of the ALSA core and has subsequently
been superseded by newer alsa-driver releases.

This seems to indicate that there is no need for having these callbacks and
they are just cruft that can be removed.

Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
(cherry picked from commit 53e597b1d194910bef53ed0632da329fef497904)

Change-Id: Ifa69c873640b171aa1843335b2b3cb856d29bb1a
2017-03-07 05:44:05 +00:00
Vladis Dronov
e74a14ad5f ALSA: usb-audio: Fix double-free in error paths after snd_usb_add_audio_stream() call
create_fixed_stream_quirk(), snd_usb_parse_audio_interface() and
create_uaxx_quirk() functions allocate the audioformat object by themselves
and free it upon error before returning. However, once the object is linked
to a stream, it's freed again in snd_usb_audio_pcm_free(), thus it'll be
double-freed, eventually resulting in a memory corruption.

This patch fixes these failures in the error paths by unlinking the audioformat
object before freeing it.

Based on a patch by Takashi Iwai <tiwai@suse.de>

[Note for stable backports:
 this patch requires the commit 902eb7fd1e4a ('ALSA: usb-audio: Minor
 code cleanup in create_fixed_stream_quirk()')]

Change-Id: I129dc4f3b0ae4cb6f790c16d24dd768c9ee06822
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1283358
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Cc: <stable@vger.kernel.org> # see the note above
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2016-11-11 13:37:28 +11:00
Takashi Iwai
74f53621d2 ALSA: usb-audio: Minor code cleanup in create_fixed_stream_quirk()
Just a minor code cleanup: unify the error paths.

Change-Id: I31346b08ed1024819c58eff797c63bb42c283512
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2016-11-11 13:37:09 +11:00
Lars-Peter Clausen
c2f44eb7b6 ALSA: control: Fix replacing user controls
There are two issues with the current implementation for replacing user
controls. The first is that the code does not check if the control is actually a
user control and neither does it check if the control is owned by the process
that tries to remove it. That allows userspace applications to remove arbitrary
controls, which can cause a user after free if a for example a driver does not
expect a control to be removed from under its feed.

The second issue is that on one hand when a control is replaced the
user_ctl_count limit is not checked and on the other hand the user_ctl_count is
increased (even though the number of user controls does not change). This allows
userspace, once the user_ctl_count limit as been reached, to repeatedly replace
a control until user_ctl_count overflows. Once that happens new controls can be
added effectively bypassing the user_ctl_count limit.

Both issues can be fixed by instead of open-coding the removal of the control
that is to be replaced to use snd_ctl_remove_user_ctl(). This function does
proper permission checks as well as decrements user_ctl_count after the control
has been removed.

Note that by using snd_ctl_remove_user_ctl() the check which returns -EBUSY at
beginning of the function if the control already exists is removed. This is not
a problem though since the check is quite useless, because the lock that is
protecting the control list is released between the check and before adding the
new control to the list, which means that it is possible that a different
control with the same settings is added to the list after the check. Luckily
there is another check that is done while holding the lock in snd_ctl_add(), so
we'll rely on that to make sure that the same control is not added twice.

Change-Id: Ia4bd6bff33e86ee8b971031381d07b80bd383171
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Acked-by: Jaroslav Kysela <perex@perex.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2016-10-31 23:36:23 +11:00
Weiyin Jiang
1301ad430e ASoC: msm: audio-effects: misc fixes in h/w accelerated
effect

Adding memory copy size check and integer overflow check in h/w
accelerated effect driver.

Change-Id: I17d4cc0a38770f0c5067fa8047cd63e7bf085e48
CRs-Fixed: 1006609
Signed-off-by: Weiyin Jiang <wjiang@codeaurora.org>
2016-10-31 23:20:27 +11:00
Takashi Iwai
5a7dee22fa ALSA: hrtimer: Fix stall by hrtimer_cancel()
hrtimer_cancel() waits for the completion from the callback, thus it
must not be called inside the callback itself.  This was already a
problem in the past with ALSA hrtimer driver, and the early commit
[fcfdebe707: ALSA: hrtimer - Fix lock-up] tried to address it.

However, the previous fix is still insufficient: it may still cause a
lockup when the ALSA timer instance reprograms itself in its callback.
Then it invokes the start function even in snd_timer_interrupt() that
is called in hrtimer callback itself, results in a CPU stall.  This is
no hypothetical problem but actually triggered by syzkaller fuzzer.

This patch tries to fix the issue again.  Now we call
hrtimer_try_to_cancel() at both start and stop functions so that it
won't fall into a deadlock, yet giving some chance to cancel the queue
if the functions have been called outside the callback.  The proper
hrtimer_cancel() is called in anyway at closing, so this should be
enough.

Change-Id: Id6224b2a3ade0d217e891e6af09744df4d0b2e5c
Reported-and-tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2016-10-29 23:12:35 +08:00
Takashi Iwai
57149ce653 ALSA: timer: Harden slave timer list handling
A slave timer instance might be still accessible in a racy way while
operating the master instance as it lacks of locking.  Since the
master operation is mostly protected with timer->lock, we should cope
with it while changing the slave instance, too.  Also, some linked
lists (active_list and ack_list) of slave instances aren't unlinked
immediately at stopping or closing, and this may lead to unexpected
accesses.

This patch tries to address these issues.  It adds spin lock of
timer->lock (either from master or slave, which is equivalent) in a
few places.  For avoiding a deadlock, we ensure that the global
slave_active_lock is always locked at first before each timer lock.

Also, ack and active_list of slave instances are properly unlinked at
snd_timer_stop() and snd_timer_close().

Last but not least, remove the superfluous call of _snd_timer_stop()
at removing slave links.  This is a noop, and calling it may confuse
readers wrt locking.  Further cleanup will follow in a later patch.

Actually we've got reports of use-after-free by syzkaller fuzzer, and
this hopefully fixes these issues.

Change-Id: I572878b909dda522dbedc84633414185802bc974
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2016-10-29 23:12:35 +08:00
Takashi Iwai
f433a247ea ALSA: timer: Fix double unlink of active_list
ALSA timer instance object has a couple of linked lists and they are
unlinked unconditionally at snd_timer_stop().  Meanwhile
snd_timer_interrupt() unlinks it, but it calls list_del() which leaves
the element list itself unchanged.  This ends up with unlinking twice,
and it was caught by syzkaller fuzzer.

The fix is to use list_del_init() variant properly there, too.

Change-Id: I95e2ab06180dfe43fb6b7c2875a866b53ca245ce
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2016-10-29 23:12:35 +08:00
Andrey Konovalov
21681e6dce ALSA: usb-audio: avoid freeing umidi object twice
The 'umidi' object will be free'd on the error path by snd_usbmidi_free()
when tearing down the rawmidi interface. So we shouldn't try to free it
in snd_usbmidi_create() after having registered the rawmidi interface.

Found by KASAN.

Change-Id: I8534867beeac111370017ef246adc17e23e1a3b1
Signed-off-by: Andrey Konovalov <andreyknvl@gmail.com>
Acked-by: Clemens Ladisch <clemens@ladisch.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2016-10-29 23:12:35 +08:00
Takashi Iwai
5a8fea111f ALSA: rme96: Fix unexpected volume reset after rate changes
commit a74a821624c0c75388a193337babd17a8c02c740 upstream.

rme96 driver needs to reset DAC depending on the sample rate, and this
results in resetting to the max volume suddenly.  It's because of the
missing call of snd_rme96_apply_dac_volume().

However, calling this function right after the DAC reset still may not
work, and we need some delay before this call.  Since the DAC reset
and the procedure after that are performed in the spinlock, we delay
the DAC volume restore at the end after the spinlock.

Reported-and-tested-by: Sylvain LABOISNE <maeda1@free.fr>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Zefan Li <lizefan@huawei.com>
2016-10-26 23:15:35 +08:00