commit 3aa02cb664c5fb1042958c8d1aa8c35055a2ebc4 upstream.
Currently kill_fasync() is called outside the stream lock in
snd_pcm_period_elapsed(). This is potentially racy, since the stream
may get released even during the irq handler is running. Although
snd_pcm_release_substream() calls snd_pcm_drop(), this doesn't
guarantee that the irq handler finishes, thus the kill_fasync() call
outside the stream spin lock may be invoked after the substream is
detached, as recently reported by KASAN.
As a quick workaround, move kill_fasync() call inside the stream
lock. The fasync is rarely used interface, so this shouldn't have a
big impact from the performance POV.
Ideally, we should implement some sync mechanism for the proper finish
of stream and irq handler. But this oneliner should suffice for most
cases, so far.
Change-Id: Iad00158de5e6acd5adfa331c2e11450f2cf42390
Reported-by: Baozeng Ding <sploving1@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Willy Tarreau <w@1wt.eu>
CVE-2016-9794
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
I previously added an integer overflow check here but looking at it now,
it's still buggy.
The bug happens in snd_compr_allocate_buffer(). We multiply
".fragments" and ".fragment_size" and that doesn't overflow but then we
save it in an unsigned int so it truncates the high bits away and we
allocate a smaller than expected size.
Fixes: b35cc8225845 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
CVE-2014-9904
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Change-Id: I04ed32d9c858ac971ff48235eed8f231ef39a277
The stack object “r1” has a total size of 32 bytes. Its field
“event” and “val” both contain 4 bytes padding. These 8 bytes
padding bytes are sent to user without being initialized.
b/28980217
Git-commit: e4ec8cc8039a7063e24204299b462bd1383184a5
Git-repo: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
(cherry picked from commit e4ec8cc8039a7063e24204299b462bd1383184a5)
Change-Id: I53aa15632e941199010aae670cefb65c8fd56833
The stack object “r1” has a total size of 32 bytes. Its field
“event” and “val” both contain 4 bytes padding. These 8 bytes
padding bytes are sent to user without being initialized.
b/28980217
Git-commit: 9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6
Git-repo: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
(cherry picked from commit 9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6)
Change-Id: I12949efac2aba669d302908704005fb94ba7efd7
The stack object "tread" has a total size of 32 bytes. Its field
"event" and "val" both contain 4 bytes padding. These 8 bytes
padding bytes are sent to user without being initialized.
Change-Id: Ief5bbada3a144447aaecc236f86aa91da968bb3f
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Git-commit: cec8f96e49d9be372fdb0c3836dcf31ec71e457e
Git-repo: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
Signed-off-by: Ravi Kumar Siddojigari <rsiddoji@codeaurora.org>
ALSA timer ioctls have an open race and this may lead to a
use-after-free of timer instance object. A simplistic fix is to make
each ioctl exclusive. We have already tread_sem for controlling the
tread, and extend this as a global mutex to be applied to each ioctl.
The downside is, of course, the worse concurrency. But these ioctls
aren't to be parallel accessible, in anyway, so it should be fine to
serialize there.
Change-Id: Ic177ce2a35996d450cd2807aa22a69c8a90b1139
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Git-commit: af368027a49a751d6ff4ee9e3f9961f35bb4fede
Git-repo: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
Signed-off-by: Ravi Kumar Siddojigari <rsiddoji@codeaurora.org>
ALSA sequencer code has an open race between the timer setup ioctl and
the close of the client. This was triggered by syzkaller fuzzer, and
a use-after-free was caught there as a result.
This patch papers over it by adding a proper queue->timer_mutex lock
around the timer-related calls in the relevant code path.
Change-Id: I74a0789b15ad8c823adff8652498d95e3304b7a4
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Git-commit: 3567eb6af614dac436c4b16a8d426f9faed639b3
Git-repo: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
Signed-off-by: Ravi Kumar Siddojigari <rsiddoji@codeaurora.org>
A slave timer instance might be still accessible in a racy way while
operating the master instance as it lacks of locking. Since the
master operation is mostly protected with timer->lock, we should cope
with it while changing the slave instance, too. Also, some linked
lists (active_list and ack_list) of slave instances aren't unlinked
immediately at stopping or closing, and this may lead to unexpected
accesses.
This patch tries to address these issues. It adds spin lock of
timer->lock (either from master or slave, which is equivalent) in a
few places. For avoiding a deadlock, we ensure that the global
slave_active_lock is always locked at first before each timer lock.
Also, ack and active_list of slave instances are properly unlinked at
snd_timer_stop() and snd_timer_close().
Last but not least, remove the superfluous call of _snd_timer_stop()
at removing slave links. This is a noop, and calling it may confuse
readers wrt locking. Further cleanup will follow in a later patch.
Actually we've got reports of use-after-free by syzkaller fuzzer, and
this hopefully fixes these issues.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
(cherry picked from commit b5a663aa426f4884c71cd8580adae73f33570f0d)
Change-Id: I7e7e4e1ab476f93131111d60d8f4e6a1add43193
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
Propagate the error code from the compress framework for the timestamp
query. This error code will be used by the client to handle the
error case scenarios gracefully
CRs-Fixed: 672454
Change-Id: I68ad14d52327dd0156531fe8d17ac54ba110fdf6
Signed-off-by: Aviral Gupta <aviralg@codeaurora.org>
When disconnect callback is called, each component should wake up
sleepers and check card->shutdown flag for avoiding the endless sleep
blocking the proper resource release.
Selectively taken from 0914f7961babbf28aaa2f19b453951fb4841c03f
from kernel/msm-3.10
Change-Id: Id5f19eef3b3db030854b7d40a188d5b23ed8da45
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Divya Narayanan Poojary <dnaray@codeaurora.org>
ALSA jack framework currently supports reporting only
one microphone. Add support to report presence of
second microphone to the userspace.
Change-Id: Id0df7aa222e547da3771f5d61092a959394c10dc
Signed-off-by: Phani Kumar Uppalapati <phaniu@codeaurora.org>
snd_compr_tstamp is initialized using aggregate initialization
that does not zero out the padded bytes. Initialize timestamp
structure to zero using memset to avoid this.
CRs-Fixed: 568717
Change-Id: I7a7d188705161f06201f1a1f2945bb6acd633d5d
Signed-off-by: Krishnankutty Kolathappilly <kkolat@codeaurora.org>
Like the previous patch by Dan, we should clear the data to be
returned from certain compress ioctls, namely,
snd_compr_get_codec_caps() and snd_compr_get_params().
This time, we can simply replace kmalloc() with kzalloc().
Change-Id: Ib1d0e669e82eba76bfc2bd0b25034970c12537be
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Eric Laurent <elaurent@google.com>
Signed-off-by: Krishnankutty Kolathappilly <kkolat@codeaurora.org>
If the ->get_caps() function doesn't clear the buffer then there would
stack information leaked to userspace. For example,
soc_compr_get_caps() can return success without clearing the buffer.
Change-Id: Ifcd9c95fa949e151039a115f5bd77f7ce6b20a79
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Eric Laurent <elaurent@google.com>
Signed-off-by: Krishnankutty Kolathappilly <kkolat@codeaurora.org>
This patch reworks the writes to use cumulative values thus making the
app_pointer unecessary and removing it.
Only tested as far as build.
Change-Id: I89478e4b4dea5e599088ab007e3c30394a61d037
Signed-off-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
Signed-off-by: Richard Fitzgerald <rf@opensource.wolfsonmicro.com>
Acked-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Eric Laurent <elaurent@google.com>
Signed-off-by: Krishnankutty Kolathappilly <kkolat@codeaurora.org>
Only tested as far as build.
Change-Id: Ida52baaf4112801318ca37ab4c928809d328e5ed
Signed-off-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
Signed-off-by: Richard Fitzgerald <rf@opensource.wolfsonmicro.com>
Acked-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Eric Laurent <elaurent@google.com>
Signed-off-by: Krishnankutty Kolathappilly <kkolat@codeaurora.org>
The buffer passed to the copy callback should not be const because the
copy callback can be used for capture and playback.
Change-Id: I20674598b00bf933a0fe08eb77c122df6cdf3369
Signed-off-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
Signed-off-by: Richard Fitzgerald <rf@opensource.wolfsonmicro.com>
Acked-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Eric Laurent <elaurent@google.com>
Signed-off-by: Krishnankutty Kolathappilly <kkolat@codeaurora.org>
The app_pointer is managed locally by the compress core for memory
mapped DSPs but for DSPs that are not memory mapped this would have to
be manually updated from within the DSP driver itself, which is hardly
very idiomatic.
This patch switches to using the cumulative values to calculate the
available buffer space because these are already gracefully passed out
of the DSP driver to the compress core and otherwise should be
functionally equivalent.
Change-Id: Ia5a7ad9d02450b5140563e0f87829af0cb284958
Signed-off-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
Signed-off-by: Richard Fitzgerald <rf@opensource.wolfsonmicro.com>
Acked-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Eric Laurent <elaurent@google.com>
Signed-off-by: Krishnankutty Kolathappilly <kkolat@codeaurora.org>
Since we dont have lock over the function, we need to acquire mutex
when checking and modifying states in drain and partial_drain handlers
Change-Id: I3f8af90a226b772492fb6e09c625ebedc8ebfeb5
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Eric Laurent <elaurent@google.com>
Signed-off-by: Krishnankutty Kolathappilly <kkolat@codeaurora.org>
Some simple ioctls like timsetamp query, capabities query can be done anytime
and should not be under the stream lock. Move these to
snd_compress_simple_iotcls() which is invoked without lock held.
While at it, improve readblity a bit by sprinkling some empty lines.
Change-Id: Icc8ffdadd565c635f6a95e7e5bdda76257f24ea3
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Eric Laurent <elaurent@google.com>
Signed-off-by: Krishnankutty Kolathappilly <kkolat@codeaurora.org>
Currently we assume that userspace will shut down the compressed stream
correctly. However, if userspcae dies (e.g. cplay & ctrl-C) we dont
stop the stream before freeing it.
This now checks that the stream is stopped before freeing.
Change-Id: If163520ff08b61fcf104ad6c06d89c705b7e5935
Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>
Signed-off-by: Krishnankutty Kolathappilly <kkolat@codeaurora.org>
We are not currently freeing the compressed devices at module
unload time. This could be used to help, but more investigation
needs to be done to resolve this issue.
This patch is WIP.
Change-Id: I6cf8bcc56e4d446d83e9a0e63b79db3da378a901
Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>
Signed-off-by: Krishnankutty Kolathappilly <kkolat@codeaurora.org>
The new ASoC dynamic PCM core needs to create PCMs and substreams that are
for use by internal ASoC drivers only and not visible to userspace for
direct IO. These new PCMs are similar to regular PCMs expect they have no
device nodes or procfs entries. The ASoC component drivers use them in exactly
the same way as regular PCMs for PCM and DAI operations.
The intention is that a dynamic PCM based driver will register both regular
PCMs and internal PCMs. The regular PCMs will be used for all IO with userspace
however the internal PCMs will be used by the driver to route digital audio
through numerous back end DAI links (with potentially a DSP providing different
hw_params, DAI formats based on the regular front end PCM params) to devices
like CODECs, MODEMs, Bluetooth, FM, DMICs, etc
This patch adds a new snd_pcm_new_internal() API call to create the internal PCM
without device nodes or procfs. It also adds adds a new internal flag to snd_pcm.
[fixed minor coding-style issues by tiwai]
Change-Id: Ic36945035a135278d3e7769fa8add4222853f605
Signed-off-by: Liam Girdwood <lrg@ti.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Krishnankutty Kolathappilly <kkolat@codeaurora.org>
Fix compilation error after merging commit 1245b700
from master: SIZE_MAX is not defined.
Change-Id: Ia1b28d3ffed8e8bb20a477e1f0b69e27506113ba
Signed-off-by: Eric Laurent <elaurent@google.com>
Signed-off-by: Krishnankutty Kolathappilly <kkolat@codeaurora.org>
this add new API for sound compress to support gapless playback.
As noted in Documentation change, we add API to send metadata of encoder and
padding delay to DSP. Also add API for indicating EOF and switching to
subsequent track
Also bump the compress API version
Conflicts:
include/uapi/sound/compress_offload.h
Signed-off-by: Jeeja KP <jeeja.kp@intel.com>
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Conflicts:
include/sound/compress_offload.h
Change-Id: I62de413012796d61455f0ef484703d8b096f59c5
Signed-off-by: Krishnankutty Kolathappilly <kkolat@codeaurora.org>
The snd_compr_update_tstamp() can only fill in the snd_compr_tstamp
if the codec implements the pointer() function. If that happened
the code was previously returning uninitialized garbage in the
tstamp because it wasn't initialized anywhere.
This change zero-fills the tstamp in the two places it is used
before calling snd_compr_update_tstamp(), and also has
snd_compr_update_tstamp() return an error indication if it
can't provide a tstamp. For the case of snd_compr_calc_avail()
it ignores this error because we still need to return info on
the available buffer space even if we can't provide tstamp
info - when the tstamp is not valid all fields are now
guaranteed to be zero.
Change-Id: Ib3287720a05861f358561dbcc465a2ea685945db
Signed-off-by: Richard Fitzgerald <rf@opensource.wolfsonmicro.com>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Acked-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Krishnankutty Kolathappilly <kkolat@codeaurora.org>
Commit ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()
added a new error check for input params.
this add new routine for input checks and moves buffer overflow check to this
new routine. This allows the error value to be propogated to user space
Change-Id: I913ab75dbb7279beaead68ef60380cfb66530350
Signed-off-by: Vinod Koul <vinod.koul@linux.intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Krishnankutty Kolathappilly <kkolat@codeaurora.org>
These are 32 bit values that come from the user, we need to check for
integer overflows or we could end up allocating a smaller buffer than
expected.
Change-Id: Icf5a66c48d50b99907574b13450e9ed7ce7353f8
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Krishnankutty Kolathappilly <kkolat@codeaurora.org>
O_RDONLY is zero so the original test (f->f_flags & O_RDONLY) is always
false and it will never do compress capture. The test for O_WRONLY is
also slightly off. The original test would consider "->flags =
(O_WRONLY | O_RDWR)" as write only instead of rejecting it as invalid.
I've also removed the pr_err() because that could flood dmesg.
Change-Id: Ib495771faa15caa734c9f9bd5c4fd34aa7593ade
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Krishnankutty Kolathappilly <kkolat@codeaurora.org>
as the start can be called after stop again, we need to reset state
Change-Id: I663eaa00d453f740a1dbe991e1b9115645e0a3d3
Signed-off-by: Namarta Kohli <namartax.kohli@intel.com>
Signed-off-by: Vinod Koul <vinod.koul@linux.intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Krishnankutty Kolathappilly <kkolat@codeaurora.org>
during pause the core should maintain the status-quo on the device and pointers
and not wake up. If app needs it should call DROP explcitly.
Change-Id: Ice86678afbf13d2d216f36aecd3ada31b990d955
Signed-off-by: Namarta Kohli <namartax.kohli@intel.com>
Signed-off-by: Vinod Koul <vinod.koul@linux.intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Krishnankutty Kolathappilly <kkolat@codeaurora.org>
Channel info data structure is parsed from userspace and if
user does not set the no. of channels correctly, it could lead
to security vulnerability if we don't check for overflow when the
no. of channels is multiplied with pcm bit width. Add a condition
to check for overflow during multiplication.
CRs-fixed: 537818
Change-Id: Ib9631b6e45d77b39be2c27343d4aee3e9244d8cc
Signed-off-by: Phani Kumar Uppalapati <phaniu@codeaurora.org>
Incase of A2DP usecase using proxy driver, appl_ptr has
boundary value as 0x60000000 frames in sw_params for stereo(2 channels).
When this value crosses 0x40000000, then userspace calculating
appl_ptr at bytes results in crossing 32-bit value 0x100000000,
and points to 0x0 offset which can result in crash or pop.
To avoid above scenario, set the sw_params appl_ptr boundary value
within 0x40000000. Added proper check at sw_params update
to set this value correctly within 32-bit boundary(frames).
Change-Id: I537a04156699d90549a0a468ae19539ecd552d3b
CRs-Fixed: 483203
Signed-off-by: Laxminath Kasam <lkasam@codeaurora.org>
Expose sound card online/offline state to procfs so userspace application
can poll and read sound card's state.
Change-Id: Icafb2a8b970fb53ebc3eb7c44d075f1c01985072
Signed-off-by: Joonwoo Park <joonwoop@codeaurora.org>
Add a new ioctl to support metadata mode in lpa driver. This ioctl
allows lpa driver to work in default alsa compliant mode and also
metadata mode.
CRs-Fixed: 458904 491077 490992
Change-Id: I8111e8652bbfb6dd93bdbda69bd16f53b45cb756
Signed-off-by: Krishnankutty Kolathappilly <kkolat@codeaurora.org>
Introduced a new helper function snd_pcm_add_volume_ctls() to
create control elements representing the volume for each PCM
(sub)stream.
Change-Id: Id483257c4fe84a909e7a4af3a5aa3e4f0d5d9ea5
Signed-off-by: Damir Didjusto <damird@codeaurora.org>
Handle ioctl magic 'U' as an user defined ioctl so that ALSA core calls
substream's ioctl handler. This gets rid of a requirement that ALSA core
needs to be changed every time when a new user defined ioctl is introduced.
Change-Id: I8dfebb3100ac40670032e3bd6ca40defc9ac1140
Signed-off-by: Joonwoo Park <joonwoop@codeaurora.org>
The VOLATILE flag was added to control elements by
snd_pcm_add_chmap_ctls() just because I didn't want to have a
side-effect of "alsactl restore". But now the set operation doesn't
allow to change the value unless the PCM stream is in PREAPRED state,
there is no reason to keep this flag. Let's rip it off.
Change-Id: If39dc081b61859b6f1d819c5dfe902f22181a8ab
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Subhash Chandra Bose Naripeddy <snariped@codeaurora.org>
This patch implements the basic data types for the standard channel
mapping API handling.
- The definitions of the channel positions and the new TLV types are
added in sound/asound.h and sound/tlv.h, so that they can be
referred from user-space.
- Introduced a new helper function snd_pcm_add_chmap_ctls() to create
control elements representing the channel maps for each PCM
(sub)stream.
- Some standard pre-defined channel maps are provided for
convenience.
Change-Id: If1685763b7010f36db3b9eb11eba363e84161593
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Subhash Chandra Bose Naripeddy <snariped@codeaurora.org>