Commit Graph

707131 Commits

Author SHA1 Message Date
Takashi Iwai 20e5f8bfb1 ALSA: sb: Minor optimization / fix of timer usage in sb8_midi.c
Currently the SB8 MIDI code sets up the timer object at each time
before scheduling it at trigger callback, but basically this is
superfluous once after set up.  Also, the code misses the
del_timer_sync() call that may leave a race condition for
use-after-free.

This patch addresses these issues, moving timer_setup() to
snd_sb8dsp_midi(), and adding the del_timer_sync() call at
snd_sb8dsp_midi_output_trigger() to make sure.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-25 10:00:43 +02:00
Kees Cook 4f928246f0 ALSA: sb: Convert timers to use timer_setup()
In preparation for unconditionally passing the struct timer_list pointer to
all timer callbacks, switch to using the new timer_setup() and from_timer()
to pass the timer pointer explicitly.

[Re-use the existing chip->midi_substream_output instead of assigning
 a new field to struct snd_sb -- tiwai]

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-25 09:51:21 +02:00
Kees Cook 57e69e2f06 ALSA: wavefront: Convert timers to use timer_setup()
In preparation for unconditionally passing the struct timer_list pointer to
all timer callbacks, switch to using the new timer_setup() and from_timer()
to pass the timer pointer explicitly.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-24 21:33:03 +02:00
Kees Cook 08352b200b ALSA: emux: Convert timers to use timer_setup()
In preparation for unconditionally passing the struct timer_list pointer to
all timer callbacks, switch to using the new timer_setup() and from_timer()
to pass the timer pointer explicitly.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-24 21:01:33 +02:00
Kees Cook bc47ba90b0 ALSA: drivers: Convert timers to use timer_setup()
In preparation for unconditionally passing the struct timer_list pointer to
all timer callbacks, switch to using the new timer_setup() and from_timer()
to pass the timer pointer explicitly.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-24 21:01:16 +02:00
Takashi Iwai 1a01901575 Merge branch 'topic/card-disconnect' into for-next
Pull snd_card_disconnect_sync() extension for ASoC hot-unplug support.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-24 08:15:49 +02:00
Rakesh Ughreja b676da70c4 ALSA: hda: Abort capability probe on invalid capability
On reading wrong capability pointer values driver may crash, so whenever
driver discovers unknown HDA capability, log it as error and stop traversing
the link list further.

Signed-off-by: Rakesh Ughreja <rakesh.a.ughreja@intel.com>
Acked-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-24 08:13:55 +02:00
Takashi Iwai 9780ded39b ALSA: hda: Avoid racy recreation of widget kobjects
The refresh of HD-audio widget sysfs kobjects via
snd_hdac_refresh_widget_sysfs() is slightly racy.
The driver recreates the whole tree from scratch after deleting the
whole.  When CONFIG_DEBUG_KOBJECT_RELEASE option is used, kobject
release doesn't happen immediately but delayed, while the re-creation
of the same named kobject happens soon after invoking kobject_put().
This may end up with the conflicts of duplicated kobjects, as found in
the bug report below.

In this patch, we take another approach to refresh the tree: instead
of recreating the whole tree, just add the new nodes and delete the
non-existing nodes.  Since the refresh happens only once at
initialization, no longer race would happen.

Along with the code change, merge snd_hdac_refresh_widget_sysfs() with
the existing snd_hdac_refresh_widgets() with an additional bool flag
for simplifying the code.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=197307
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-19 13:58:36 +02:00
Takashi Iwai 28d1d6d2f3 ALSA: hda - Add model string for Intel reference board quirk
For allowing user to apply the existing quirk on a machine with a
different SSID, add a new model string entry, alc700-ref.
The quirk itself was introduced in the commit b84e843644f2: "ALSA:
hda/realtek - Enable jack detection function for Intel ALC700")

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-18 14:01:58 +02:00
Takashi Iwai 6ca73de7eb ALSA: pcm: Forcibly stop at disconnect callback
So far we assumed that each driver implements the hotplug PCM handling
properly, e.g. dealing with the pending PCM stream at disconnect
callback.  But most codes don't care, and it eventually leaves the PCM
stream inconsistent state when an abrupt disconnection like sysfs
unbind happens.

This patch is simple but a big-hammer solution: invoke snd_pcm_stop()
at the common PCM disconnect callback always when the stream is
running.

Tested-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-18 08:05:46 +02:00
Takashi Iwai 8b645e4a40 ALSA: pcm: Don't call register and disconnect callbacks for internal PCM
The internal PCM (aka DPCM backend PCM) doesn't need any registration
procedure, thus currently we bail out immediately at dev_register
callback.  Similarly, its counterpart, dev_disconnect callback, is
superfluous for the internal PCM.  For simplifying and avoiding the
conflicting disconnect call for internal PCM objects, this patch drops
dev_register and dev_disconnect callbacks for the internal ops.

The only uncertain thing by this action is whether skipping the PCM
state change to SNDRV_PCM_STATE_DISCONNECT for the internal PCM is
mandatory.  Looking through the current implementations, this doesn't
look so, hence dropping the whole dev_disconnect would make more
sense.

Tested-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-18 08:05:34 +02:00
Colin Ian King d368478b29 ALSA: emu10k1: remove redundant assignment to tmp
The assignment to variable tmp is redundant as the value is never
read and a new value is assigned to tmp in the following for-loop,
so remove the assignment.
Cleans up clang warning: Value stored to 'tmp' is never read

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-17 19:15:45 +02:00
Colin Ian King 067483577b ALSA: au88x0: remove redundant assignment of variable i
The assignment to variable i is redundant as it is never read
because it is updated a little later on. Remove this assignment.
Cleans up clang warning: Value stored to 'i' is never read

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-17 14:14:04 +02:00
Kees Cook a6162afa71 ALSA: usb-audio: Convert timers to use timer_setup()
In preparation for unconditionally passing the struct timer_list pointer to
all timer callbacks, switch to using the new timer_setup() and from_timer()
to pass the timer pointer explicitly.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-17 10:52:22 +02:00
Takashi Iwai 0011a33f09 Merge branch 'for-linus' into for-next
Back-merge for applying the timer API conversion patch for line6
driver that conflicts with the recent fix in upstream.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-17 10:52:06 +02:00
Colin Ian King 49815404bd ALSA: 6fire: remove unused variable card
The pointer card is being assigned a value but it is never used.
Remove this redundant variable. Cleans up clang warning:
Value stored to 'card' is never read

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-16 14:48:49 +02:00
Colin Ian King 6512ab68e2 ALSA: asihpi: clean up a couple of build warnings
Variable dpcm is never used and hence can be removed. Variable
runtime is being assigned but is never read, so the assignment
is redundant and can be removed. Cleans up two clang warnings:

Value stored to 'dpcm' is never read
Value stored to 'runtime' is never read

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-16 14:48:11 +02:00
Colin Ian King 41e4b7dc6e ALSA: emux: remove unused redundant variable p2
The variable p2 is being assigned but never used, it is redundant
and can be safely removed.  Cleans up clang warning: Value stored to
'p2' is never read.

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-16 13:37:38 +02:00
Colin Ian King 40ddfe659a ALSA: ens137x: remove redundant variable result
Variable result is being assigned a value from a calculation
however the variable is never read, so this redundant variable
can be removed.

Cleans up clang warning: Value stored to 'result' is never read

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-16 13:36:24 +02:00
Colin Ian King de16898138 ALSA: pcm: remove redundant variable runtime
An earlier commit removed the access to variable runtime
and we are now left with unused variable that is redundant,
so remove it.

Cleans up the clang warning: Value stored to 'runtime' is never read

Fixes: e11f0f90a6 ("ALSA: pcm: remove SNDRV_PCM_IOCTL1_INFO internal command")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-16 13:35:36 +02:00
Dan Carpenter 0de7d83562 ALSA: hda - silence uninitialized variable warning in activate_amp_in()
If snd_hda_get_conn_list() fails then "conn" isn't initialized.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-13 15:14:44 +02:00
Jérémy Lefaure a9291f461d ALSA: hda/ca0132 - use ARRAY_SIZE
Using the ARRAY_SIZE macro improves the readability of the code.

Found with Coccinelle with the following semantic patch:
@r depends on (org || report)@
type T;
T[] E;
position p;
@@
(
 (sizeof(E)@p /sizeof(*E))
|
 (sizeof(E)@p /sizeof(E[...]))
|
 (sizeof(E)@p /sizeof(T))
)

Signed-off-by: Jérémy Lefaure <jeremy.lefaure@lse.epita.fr>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-13 15:14:08 +02:00
Takashi Iwai 99fee50824 ALSA: caiaq: Fix stray URB at probe error path
caiaq driver doesn't kill the URB properly at its error path during
the probe, which may lead to a use-after-free error later.  This patch
addresses it.

Reported-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Johan Hovold <johan@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-11 17:01:18 +02:00
Takashi Iwai 8ed5d192c0 Merge branch 'topic/usb-ep-check-v2' into for-next
Pulling the EP validity checks in USB audio drivers.
It also adds a new helper in USB core, which was acked by Greg.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-11 17:00:08 +02:00
Takashi Iwai 4f95646c80 ALSA: line6: Add yet more sanity checks for invalid EPs
There are a few other places calling usb_submit_urb() with the URB
composed from the fixed endpoint without validation.  For avoiding the
spurious kernel warnings, add the sanity checks to appropriate
places.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-11 16:59:29 +02:00
Takashi Iwai 96cd79626f ALSA: caiaq: Add yet more sanity checks for invalid EPs
A few other places in caiaq driver have the URB handling with the
fixed endpoints without checking the validity, too.  Add the sanity
check with the new helper function at each appropriate place for
avoiding the spurious kernel warnings due to invalid EPs.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-11 16:59:28 +02:00
Takashi Iwai 5935b9526a ALSA: hiface: Add sanity checks for invalid EPs
hiface usb-audio driver sets up URBs containing the fixed endpoints
without validation.  This may end up with an oops-like kernel warning
when submitted.

For avoiding it, this patch adds the calls of the new sanity-check
helper for URBs.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-11 16:59:27 +02:00
Takashi Iwai 1f10034938 ALSA: usx2y: Add sanity checks for invalid EPs
usx2y driver sets up URBs containing the fixed endpoints without
validation.  This may end up with an oops-like kernel warning when
submitted.

For avoiding it, this patch adds the calls of the new sanity-check
helper for URBs.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-11 16:52:33 +02:00
Takashi Iwai 738d9edcfd ALSA: usb-audio: Add sanity checks for invalid EPs
USB-audio driver may set up a URB containing the fixed EP without
validating its presence for some non-class-compliant devices.  This
may end up with an oops-like kernel warning when submitted.

For avoiding it, this patch adds the call of the new sanity-check
helper for URBs.  The checks are needed only for MIDI I/O as the other
places have already some other checks.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-11 15:14:51 +02:00
Takashi Iwai 2a4340c577 ALSA: line6: Add a sanity check for invalid EPs
As syzkaller spotted, currently line6 drivers submit a URB with the
fixed EP without checking whether it's actually available, which may
result in a kernel warning like:
  usb 1-1: BOGUS urb xfer, pipe 3 != type 1
  ------------[ cut here ]------------
  WARNING: CPU: 0 PID: 24 at drivers/usb/core/urb.c:449
  usb_submit_urb+0xf8a/0x11d0
  Modules linked in:
  CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc2-42613-g1488251d1a98 #238
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
  Workqueue: usb_hub_wq hub_event
  Call Trace:
   line6_start_listen+0x55f/0x9e0 sound/usb/line6/driver.c:82
   line6_init_cap_control sound/usb/line6/driver.c:690
   line6_probe+0x7c9/0x1310 sound/usb/line6/driver.c:764
   podhd_probe+0x64/0x70 sound/usb/line6/podhd.c:474
   usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
   ....

This patch adds a sanity check of validity of EPs at the device
initialization phase for avoiding the call with an invalid EP.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-11 15:14:50 +02:00
Takashi Iwai 58fc7f73a8 ALSA: caiaq: Add a sanity check for invalid EPs
As syzkaller spotted, currently caiaq driver submits a URB with the
fixed EP without checking whether it's actually available, which may
result in a kernel warning like:
  usb 1-1: BOGUS urb xfer, pipe 3 != type 1
  ------------[ cut here ]------------
  WARNING: CPU: 1 PID: 1150 at drivers/usb/core/urb.c:449
  usb_submit_urb+0xf8a/0x11d0
  Modules linked in:
  CPU: 1 PID: 1150 Comm: kworker/1:1 Not tainted
  4.14.0-rc2-42660-g24b7bd59eec0 #277
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
  Workqueue: usb_hub_wq hub_event
  Call Trace:
   init_card sound/usb/caiaq/device.c:467
   snd_probe+0x81c/0x1150 sound/usb/caiaq/device.c:525
   usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
   ....

This patch adds a sanity check of validity of EPs at the device
initialization phase for avoiding the call with an invalid EP.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-11 15:14:50 +02:00
Takashi Iwai 6815a0b444 ALSA: bcd2000: Add a sanity check for invalid EPs
As syzkaller spotted, currently bcd2000 driver submits a URB with the
fixed EP without checking whether it's actually available, which may
result in a kernel warning like:
  usb 1-1: BOGUS urb xfer, pipe 1 != type 3
  ------------[ cut here ]------------
  WARNING: CPU: 0 PID: 1846 at drivers/usb/core/urb.c:449
  usb_submit_urb+0xf8a/0x11d0
  Modules linked in:
  CPU: 0 PID: 1846 Comm: kworker/0:2 Not tainted
  4.14.0-rc2-42613-g1488251d1a98 #238
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
  Workqueue: usb_hub_wq hub_event
  Call Trace:
   bcd2000_init_device sound/usb/bcd2000/bcd2000.c:289
   bcd2000_init_midi sound/usb/bcd2000/bcd2000.c:345
   bcd2000_probe+0xe64/0x19e0 sound/usb/bcd2000/bcd2000.c:406
   usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
   ....

This patch adds a sanity check of validity of EPs at the device
initialization phase for avoiding the call with an invalid EP.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-11 15:14:49 +02:00
Takashi Iwai e901b98738 usb: core: Add a helper function to check the validity of EP type in URB
This patch adds a new helper function to perform a sanity check of the
given URB to see whether it contains a valid endpoint.  It's a light-
weight version of what usb_submit_urb() does, but without the kernel
warning followed by the stack trace, just returns an error code.

Especially for a driver that doesn't parse the descriptor but fills
the URB with the fixed endpoint (e.g. some quirks for non-compliant
devices), this kind of check is preferable at the probe phase before
actually submitting the urb.

Tested-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-11 15:14:32 +02:00
Takashi Iwai c44027c89e ALSA: add snd_card_disconnect_sync()
In case of user unbind ALSA driver during playing back / capturing,
each driver needs to stop and remove it correctly. One note here is
that we can't cancel from remove function in such case, because
unbind operation doesn't check return value from remove function.
So, we *must* stop and remove in this case.

For this purpose, we need to sync (= wait) until the all top-level
operations are canceled at remove function.
For example, snd_card_free() processes the disconnection procedure at
first, then waits for the completion. That's how the hot-unplug works
safely. It's implemented, at least, in the top-level driver removal.

Now for the lower level driver, we need a similar strategy. Notify to
the toplevel for hot-unplug (disconnect in ALSA), and sync with the
stop operation, then continue the rest of its own remove procedure.

This patch adds snd_card_disconnect_sync(), and driver can use it from
remove function.

Note: the "lower level" driver here refers to a middle layer driver
(e.g. ASoC components) that can be unbound freely during operation.
Most of legacy ALSA helper drivers don't have such a problem because
they can't be unbound.

Note#2: snd_card_disconnect_sync() merely calls snd_card_disconnect()
and syncs with closing all pending files.  It takes only the files
opened by user-space into account, and doesn't care about object
refcounts.  (The latter is handled by snd_card_free() completion call,
BTW.)  Also, the function doesn't free resources by itself.

Tested-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-11 15:06:10 +02:00
Takashi Iwai 7110599884 ALSA: seq: Fix use-after-free at creating a port
There is a potential race window opened at creating and deleting a
port via ioctl, as spotted by fuzzing.  snd_seq_create_port() creates
a port object and returns its pointer, but it doesn't take the
refcount, thus it can be deleted immediately by another thread.
Meanwhile, snd_seq_ioctl_create_port() still calls the function
snd_seq_system_client_ev_port_start() with the created port object
that is being deleted, and this triggers use-after-free like:

 BUG: KASAN: use-after-free in snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] at addr ffff8801f2241cb1
 =============================================================================
 BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
 -----------------------------------------------------------------------------
 INFO: Allocated in snd_seq_create_port+0x94/0x9b0 [snd_seq] age=1 cpu=3 pid=4511
 	___slab_alloc+0x425/0x460
 	__slab_alloc+0x20/0x40
  	kmem_cache_alloc_trace+0x150/0x190
	snd_seq_create_port+0x94/0x9b0 [snd_seq]
	snd_seq_ioctl_create_port+0xd1/0x630 [snd_seq]
 	snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
 	snd_seq_ioctl+0x40/0x80 [snd_seq]
 	do_vfs_ioctl+0x54b/0xda0
 	SyS_ioctl+0x79/0x90
 	entry_SYSCALL_64_fastpath+0x16/0x75
 INFO: Freed in port_delete+0x136/0x1a0 [snd_seq] age=1 cpu=2 pid=4717
 	__slab_free+0x204/0x310
 	kfree+0x15f/0x180
 	port_delete+0x136/0x1a0 [snd_seq]
 	snd_seq_delete_port+0x235/0x350 [snd_seq]
 	snd_seq_ioctl_delete_port+0xc8/0x180 [snd_seq]
 	snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
 	snd_seq_ioctl+0x40/0x80 [snd_seq]
 	do_vfs_ioctl+0x54b/0xda0
 	SyS_ioctl+0x79/0x90
 	entry_SYSCALL_64_fastpath+0x16/0x75
 Call Trace:
  [<ffffffff81b03781>] dump_stack+0x63/0x82
  [<ffffffff81531b3b>] print_trailer+0xfb/0x160
  [<ffffffff81536db4>] object_err+0x34/0x40
  [<ffffffff815392d3>] kasan_report.part.2+0x223/0x520
  [<ffffffffa07aadf4>] ? snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
  [<ffffffff815395fe>] __asan_report_load1_noabort+0x2e/0x30
  [<ffffffffa07aadf4>] snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
  [<ffffffffa07aa8f0>] ? snd_seq_ioctl_delete_port+0x180/0x180 [snd_seq]
  [<ffffffff8136be50>] ? taskstats_exit+0xbc0/0xbc0
  [<ffffffffa07abc5c>] snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
  [<ffffffffa07abd10>] snd_seq_ioctl+0x40/0x80 [snd_seq]
  [<ffffffff8136d433>] ? acct_account_cputime+0x63/0x80
  [<ffffffff815b515b>] do_vfs_ioctl+0x54b/0xda0
  .....

We may fix this in a few different ways, and in this patch, it's fixed
simply by taking the refcount properly at snd_seq_create_port() and
letting the caller unref the object after use.  Also, there is another
potential use-after-free by sprintf() call in snd_seq_create_port(),
and this is moved inside the lock.

This fix covers CVE-2017-15265.

Reported-and-tested-by: Michael23 Yu <ycqzsy@gmail.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-11 09:58:18 +02:00
Takashi Iwai 124751d5e6 ALSA: usb-audio: Kill stray URB at exiting
USB-audio driver may leave a stray URB for the mixer interrupt when it
exits by some error during probe.  This leads to a use-after-free
error as spotted by syzkaller like:
  ==================================================================
  BUG: KASAN: use-after-free in snd_usb_mixer_interrupt+0x604/0x6f0
  Call Trace:
   <IRQ>
   __dump_stack lib/dump_stack.c:16
   dump_stack+0x292/0x395 lib/dump_stack.c:52
   print_address_description+0x78/0x280 mm/kasan/report.c:252
   kasan_report_error mm/kasan/report.c:351
   kasan_report+0x23d/0x350 mm/kasan/report.c:409
   __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
   snd_usb_mixer_interrupt+0x604/0x6f0 sound/usb/mixer.c:2490
   __usb_hcd_giveback_urb+0x2e0/0x650 drivers/usb/core/hcd.c:1779
   ....

  Allocated by task 1484:
   save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
   save_stack+0x43/0xd0 mm/kasan/kasan.c:447
   set_track mm/kasan/kasan.c:459
   kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
   kmem_cache_alloc_trace+0x11e/0x2d0 mm/slub.c:2772
   kmalloc ./include/linux/slab.h:493
   kzalloc ./include/linux/slab.h:666
   snd_usb_create_mixer+0x145/0x1010 sound/usb/mixer.c:2540
   create_standard_mixer_quirk+0x58/0x80 sound/usb/quirks.c:516
   snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560
   create_composite_quirk+0x1c4/0x3e0 sound/usb/quirks.c:59
   snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560
   usb_audio_probe+0x1040/0x2c10 sound/usb/card.c:618
   ....

  Freed by task 1484:
   save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
   save_stack+0x43/0xd0 mm/kasan/kasan.c:447
   set_track mm/kasan/kasan.c:459
   kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524
   slab_free_hook mm/slub.c:1390
   slab_free_freelist_hook mm/slub.c:1412
   slab_free mm/slub.c:2988
   kfree+0xf6/0x2f0 mm/slub.c:3919
   snd_usb_mixer_free+0x11a/0x160 sound/usb/mixer.c:2244
   snd_usb_mixer_dev_free+0x36/0x50 sound/usb/mixer.c:2250
   __snd_device_free+0x1ff/0x380 sound/core/device.c:91
   snd_device_free_all+0x8f/0xe0 sound/core/device.c:244
   snd_card_do_free sound/core/init.c:461
   release_card_device+0x47/0x170 sound/core/init.c:181
   device_release+0x13f/0x210 drivers/base/core.c:814
   ....

Actually such a URB is killed properly at disconnection when the
device gets probed successfully, and what we need is to apply it for
the error-path, too.

In this patch, we apply snd_usb_mixer_disconnect() at releasing.
Also introduce a new flag, disconnected, to struct usb_mixer_interface
for not performing the disconnection procedure twice.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-10 14:17:09 +02:00
Takashi Iwai 19b592dae8 ALSA: seq: Add sanity check for user-space pointer delivery
The sequencer event may contain a user-space pointer with its
SNDRV_SEQ_EXT_USRPTR bit, and we assure that its delivery is limited
with non-atomic mode.  Otherwise the copy_from_user() may hit the
fault and cause a problem.  Although the core code doesn't set such a
flag (only set at snd_seq_write()), any wild driver may set it
mistakenly and lead to an unexpected crash.

This patch adds a sanity check of such events at the delivery core
code to filter out the invalid invocation in the atomic mode.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-10 13:45:13 +02:00
Takashi Iwai c95072b3d8 ALSA: line6: Fix leftover URB at error-path during probe
While line6_probe() may kick off URB for a control MIDI endpoint, the
function doesn't clean up it properly at its error path.  This results
in a leftover URB action that is eventually triggered later and causes
an Oops like:
  general protection fault: 0000 [#1] PREEMPT SMP KASAN
  CPU: 1 PID: 0 Comm: swapper/1 Not tainted
  RIP: 0010:usb_fill_bulk_urb ./include/linux/usb.h:1619
  RIP: 0010:line6_start_listen+0x3fe/0x9e0 sound/usb/line6/driver.c:76
  Call Trace:
   <IRQ>
   line6_data_received+0x1f7/0x470 sound/usb/line6/driver.c:326
   __usb_hcd_giveback_urb+0x2e0/0x650 drivers/usb/core/hcd.c:1779
   usb_hcd_giveback_urb+0x337/0x420 drivers/usb/core/hcd.c:1845
   dummy_timer+0xba9/0x39f0 drivers/usb/gadget/udc/dummy_hcd.c:1965
   call_timer_fn+0x2a2/0x940 kernel/time/timer.c:1281
   ....

Since the whole clean-up procedure is done in line6_disconnect()
callback, we can simply call it in the error path instead of
open-coding the whole again.  It'll fix such an issue automagically.

The bug was spotted by syzkaller.

Fixes: eedd0e95d3 ("ALSA: line6: Don't forget to call driver's destructor at error path")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-09 16:17:18 +02:00
Takashi Iwai 54a4b2b458 ALSA: line6: Fix NULL dereference at podhd_disconnect()
When podhd_init() failed with the acquiring a ctrl i/f, the line6
helper still calls the disconnect callback that eventually calls again
usb_driver_release_interface() with the NULL intf.

Put the proper NULL check before calling it for avoiding an Oops.

Fixes: fc90172ba2 ("ALSA: line6: Claim pod x3 usb data interface")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-09 16:17:09 +02:00
Takashi Iwai cb02ffc76a ALSA: line6: Fix missing initialization before error path
The error path in podhd_init() tries to clear the pending timer, while
the timer object is initialized at the end of init sequence, thus it
may hit the uninitialized object, as spotted by syzkaller:

  INFO: trying to register non-static key.
  the code is fine but needs lockdep annotation.
  turning off the locking correctness validator.
  CPU: 1 PID: 1845 Comm: kworker/1:2 Not tainted
  4.14.0-rc2-42613-g1488251d1a98 #238
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
  Workqueue: usb_hub_wq hub_event
  Call Trace:
   __dump_stack lib/dump_stack.c:16
   dump_stack+0x292/0x395 lib/dump_stack.c:52
   register_lock_class+0x6c4/0x1a00 kernel/locking/lockdep.c:769
   __lock_acquire+0x27e/0x4550 kernel/locking/lockdep.c:3385
   lock_acquire+0x259/0x620 kernel/locking/lockdep.c:4002
   del_timer_sync+0x12c/0x280 kernel/time/timer.c:1237
   podhd_disconnect+0x8c/0x160 sound/usb/line6/podhd.c:299
   line6_probe+0x844/0x1310 sound/usb/line6/driver.c:783
   podhd_probe+0x64/0x70 sound/usb/line6/podhd.c:474
   ....

For addressing it, assure the initializations of timer and work by
moving them to the beginning of podhd_init().

Fixes: 790869dacc ("ALSA: line6: Add support for POD X3")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-09 16:16:51 +02:00
Takashi Iwai a6aa6cdcec ALSA: usb-audio: Apply vendor ID matching for sample rate quirk
So far, lots of Plantronics, MS and Phoenix Audio devices need the
quirk not to read sample rate back, and the list just grows.
In this patch, instead of adding each device, apply the quirk by
matching with these vendors.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-09 14:11:38 +02:00
Takashi Iwai 545633f6fe Merge branch 'for-linus' into for-next 2017-10-09 14:11:30 +02:00
Takashi Iwai 5803b02388 ALSA: seq: Fix copy_from_user() call inside lock
The event handler in the virmidi sequencer code takes a read-lock for
the linked list traverse, while it's calling snd_seq_dump_var_event()
in the loop.  The latter function may expand the user-space data
depending on the event type.  It eventually invokes copy_from_user(),
which might be a potential dead-lock.

The sequencer core guarantees that the user-space data is passed only
with atomic=0 argument, but snd_virmidi_dev_receive_event() ignores it
and always takes read-lock().  For avoiding the problem above, this
patch introduces rwsem for non-atomic case, while keeping rwlock for
atomic case.

Also while we're at it: the superfluous irq flags is dropped in
snd_virmidi_input_open().

Reported-by: Jia-Ju Bai <baijiaju1990@163.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-09 14:10:13 +02:00
Kai-Heng Feng c247487c0d ALSA: usb-audio: Add sample rate quirk for Plantronics P610
Like other Plantronics devices, P610 does not support sample
rate reading. Apply sample rate quirk to it.

BugLink: https://bugs.launchpad.net/bugs/1719853

Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-09 14:10:11 +02:00
Linus Torvalds 8a5776a5f4 Linux 4.14-rc4 2017-10-08 20:53:29 -07:00
Linus Torvalds 85b1bb2480 SCSI fixes on 20171007
A couple of serious fixes (use after free and blacklist for WRITE
 SAME).  One error leg fix (write_pending failure) and one user
 experience problem (do not override max_sectors_kb) and one minor
 unused function removal.
 
 Signed-off-by: James E.J. Bottomley <jejb@linux.vnet.ibm.com>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABAgAGBQJZ2P68AAoJEAVr7HOZEZN48hEP/0d7RH77AjV1smqQHJpel7b8
 WFh7zWHfhyHEmDMf1xtepqw1RAsrkXfRy12wOOc3ppnaozBIh1GIvjHRWXtaEIaA
 qsTJkROWro3XskxfKL8n0CqeATuk6EjfE+ehRFyXQ9F9yhIB4FxaYROzGUfM9rON
 ScD2vHH0sE4PIUiavizjxSk6G4KNvGyqM/xtgUIymH7Dcd7MorOq1WBvGXp7etkG
 QSCV1tvB63yg2jcqatANTLO0LuI9N023VGA/QrTLzpu6M54QZwMGAmVwZfkQ1/nO
 RLGWTj6jrB4RSF690NN1QLRnf58GYEyIEa37Dlwp/bLyHv4Y9NxO3KB/M0MIf/x2
 PJ5FmUw7IwPVzAk6WmGoUIvscDnrDplzVL0fMZKlnW3+8mQav+IIev7sBvPjMkMw
 HA7PLNXrEpR1tOBhr9je2V2Jz9KxARZFRUqm238Rq03W6kjYQQbSG+dC06A7o2DQ
 UYuXCWp+CZhbBSG29qPf8wzNbdndpkmXatwLrwVmmRn+/eo3BGF5/SfOKu0M8PTu
 M4apqkZTZdMAzPckIe0lg6RIJ+F5lWPPX454CZqivM8MFNyjHbf2VJAvQbU9dNhM
 dfrPsLogZNgCop13H06xAFS6m3dIP5YqUEo/yWXciC6hnvCP7z6ZkiqHTHJIIJMm
 vwQJLkkB2Ex4NscJcZfw
 =X/MK
 -----END PGP SIGNATURE-----

Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

Pull SCSI fixes from James Bottomley:

 - a couple of serious fixes: use after free and blacklist for WRITE
   SAME

 - one error leg fix: write_pending failure

 - one user experience problem: do not override max_sectors_kb

 - one minor unused function removal

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
  scsi: ibmvscsis: Fix write_pending failure path
  scsi: libiscsi: Remove iscsi_destroy_session
  scsi: libiscsi: Fix use-after-free race during iscsi_session_teardown
  scsi: sd: Do not override max_sectors_kb sysfs setting
  scsi: sd: Implement blacklist option for WRITE SAME w/ UNMAP
2017-10-07 12:34:16 -07:00
Linus Torvalds 67936a41e5 Merge branch 'i2c/for-current-4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux
Pull i2c fixes from Wolfram Sang:
 "I2C has three driver fixes for the newly introduced drivers and one ID
  addition for the i801 driver"

* 'i2c/for-current-4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
  i2c: i2c-stm32f7: make structure stm32f7_setup static const
  i2c: ensure termination of *_device_id tables
  i2c: i801: Add support for Intel Cedar Fork
  i2c: stm32f7: fix setup structure
2017-10-07 10:07:51 -07:00
Linus Torvalds 031b814030 MMC core:
- Fix driver strength selection when selecting hs400es
  - Delete bounce buffer handling:
    This change fixes a problem related to how bounce buffers are being
    allocated. However, instead of trying to fix that, let's just remove
    the mmc bounce buffer code altogether, as it has practically no use.
 
 MMC host:
  - meson-gx: A couple of fixes related to clock/phase/tuning
  - sdhci-xenon: Fix clock resource by adding an optional bus clock
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJZ2IGlAAoJEP4mhCVzWIwpi5gP/2dyF4FOK02BS24iV5LjElVV
 TkwpfNWDYguU9eBwCSrDZnCBsfeKgRobpTlre5qtNqGK2YqAwEO9n5lsZQL8HG/6
 8LyVKSy9a7DWbuiK58dvswHKabjeZXZo1JdBx1JONTSfezNGGL5ZvyiDS7mHWv10
 MsX+VukX31kFmS1HOd85Ayhdz9NlYZjnNSfmUN8UMuGMMysV007icwp8QX1uwW1s
 2uPS0DFdtOlCoSs1ln6cyQMSoRZjRJ5Dm/SUFvRec4X7LC3ORxVbBXtbxtDGO8dS
 6TIZHPILMpTHJcah/ONAk1LTXHO5Wt+x5o6vkca6uaEQEnvyUhKqK2NpwXCINRit
 OW+eJkAPv4J1a6/geZ99C7V+SDCCMsHeRrzfWxO1wkj/2ptu2OKtLPPJst2lLYgU
 QEXTgW920SxSWvWQaXcBmgkGZ67cyw3h2pI09QsmZJ9M4jmQpyZVIGWHgfsMFRkj
 iwtzuRL15qqnQqrs62eWJN383/b+BYfKzTnilVWExs+ozcpjYMYxYTGFTOKC1YV1
 yeV+qL60gaK41HobWMJnbv0ckaPTLGZ1oOgB6F9OX6fGZz0LBh1yiOjYG1j66fwb
 KgDzN5sX4Ab/gDOT8zH1G8fGLYGBLDZMciuXrZfYf+mzJF8rpTI0he8BUwJm6KGC
 YJ+kW1MnnWATW+U63hRs
 =0WJ+
 -----END PGP SIGNATURE-----

Merge tag 'mmc-v4.14-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc

Pull MMC fixes from Ulf Hansson:
 "MMC core:

   - Fix driver strength selection when selecting hs400es

   - Delete bounce buffer handling:

     This change fixes a problem related to how bounce buffers are being
     allocated. However, instead of trying to fix that, let's just
     remove the mmc bounce buffer code altogether, as it has practically
     no use.

  MMC host:

   - meson-gx: A couple of fixes related to clock/phase/tuning

   - sdhci-xenon: Fix clock resource by adding an optional bus clock"

* tag 'mmc-v4.14-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
  mmc: sdhci-xenon: Fix clock resource by adding an optional bus clock
  mmc: meson-gx: include tx phase in the tuning process
  mmc: meson-gx: fix rx phase reset
  mmc: meson-gx: make sure the clock is rounded down
  mmc: Delete bounce buffer handling
  mmc: core: add driver strength selection when selecting hs400es
2017-10-07 10:03:03 -07:00
Linus Torvalds 1c86f2e4c8 Fix up error path in xgene driver
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJZ2CTPAAoJEMsfJm/On5mBIV0P/3iM6i9Vnp35Q0Q2NI7GaNZb
 TK//TOyjJRNQHOoVPkbD4inX8O5ZSnkk1Eky1A5jzfoue48QZsT2ROwTsLWhMo+Q
 ITlZLTEWoSUcN7QiFanC40xM206Cfo3aJhMFFyuiFHPhKAPjD1bO8AErTdnFOGEm
 EwS86g5Cf8DceEl39+6scm+WPxQfBUngKBgSnKS2wtwpfFDK0zOoJnevPitkGlMO
 UVdK9xECQWQJUHGGhhJgURoL30MxgLz4UdgbuXkKNFxusINNsCHvnn3rPvZaM/cS
 pSuabxENYzpoEY9EaTdFfRj5+3t/4DPKBkM7LrEpkoQQkHIkuI53oaTMLGqO7cc1
 F+6Vz+ZUPg3zYuEHbxo1/YI/4yxd8Sgl0rGvwaI+VqkrZacqSNNo90BmiwFo0FuM
 j7UgI0Izu8fGSvOhaSnAKUI70NiSRf6hTi94krDl4XTQXSpky+nnWT23H8PZjDLE
 u7v3W72h2jeVIqOAeRDppIRKD8TI7lb+8JMwK+xndcIGY6vFZDIOg9abQD54oyp6
 0d79J99bm9FimuIW9Dvrl2NvAC5fh5h02TcYwSlOreY60CqAqxd2rl0Taqy/BuK5
 OHRnqnZVqG0mC/69PBCayoCebiVzJnPWNrPHW7IJoK+Anku0S4MeLpnlMSLsOFOi
 fren+nO00BOFiBb+6eCI
 =TFNX
 -----END PGP SIGNATURE-----

Merge tag 'hwmon-for-linus-v4.14-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging

Pull hwmon fix from Guenter Roeck:
 "Fix up error path in xgene driver"

* tag 'hwmon-for-linus-v4.14-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
  hwmon: (xgene) Fix up error handling path mixup in 'xgene_hwmon_probe()'
2017-10-06 17:59:32 -07:00
Linus Torvalds dbeb1a8ff5 - Build fix to export the clk_bulk_prepare() symbol
- Suspend fix for Samsung Exynos SoCs where we need to keep clks on
    across suspend
 
  - Two critical clk markings for clks that shouldn't ever turn off on
    Rockchip SoCs
 
  - A fix for a copy-paste mistake on Rockchip rk3128 causing some clks to
    touch the same bit and trample over one another
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABCAAGBQJZ2A7QAAoJEK0CiJfG5JUlbeMQAJZ6rty/oz0mMSt0V621pQ+0
 FJo9Kv+mmWfdZ/WMUgfmqhvty5S5BYW69dQFZuwB4eWVZ8rFa8ZLDi85sAxmd8Q2
 mTnhwz1QhCiXbllTHTAx024h2CvTe/fScw0+SEXoTTCDnHVnnNwLcElb8YdBNUKF
 dm1fd26hmZpqrW9vRKYuxa96+aSfRzS1DnrRyn9a+KSmA4XTTJkfU8W2qxCEn2Em
 rkIBVdWlRGA4Xk/e2pct9Ov/CMiMMNWE3pHGdzS3FtLUd+c0ocs9XO/2NVvBJQ7R
 AIiWmkdUTLEkRwos/u1JqvtPxXx+qouEV3hsdWfJQL65Hz0clOcbyh6DtytOu7vi
 I7QxF92fkOl1kQhUSWkzdKCVnZklUSEJQkkibyDksiVENgk+UASWyVTE+INR12tT
 7jO+aj/u1nMRlZ0lgTjvh0uWioZyL/+6DWSphuh0W6xcRsG4T2kTQDt463WHBkxM
 YjZQurtUZN2SKnCzTNInHAjJ0agqkD3rR67yZTxSOFJM6Coeu2faoe/Jke7in7lV
 HAMWpxonvRHt9P+wu8CNwuyR1z9ZdlUTrOLkB2tBoXF8WpEUCdK4yIbTD940uQvG
 Od3ltW4HzyCRXl4tlcklDyGj08McxL4Cv8OYf4PjVq2XSWaxlVDhoXbZJG8OfFnN
 CJgJVOw4JWB7tEMhpL9U
 =jV1S
 -----END PGP SIGNATURE-----

Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux

Pull clk fixes from Stephen Boyd:

 - build fix to export the clk_bulk_prepare() symbol

 - suspend fix for Samsung Exynos SoCs where we need to keep clks on
   across suspend

 - two critical clk markings for clks that shouldn't ever turn off on
   Rockchip SoCs

 - a fix for a copy-paste mistake on Rockchip rk3128 causing some clks
   to touch the same bit and trample over one another

* tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
  clk: samsung: exynos4: Enable VPLL and EPLL clocks for suspend/resume cycle
  clk: Export clk_bulk_prepare()
  clk: rockchip: add sclk_timer5 as critical clock on rk3128
  clk: rockchip: fix up rk3128 pvtm and mipi_24m gate regs error
  clk: rockchip: add pclk_pmu as critical clock on rk3128
2017-10-06 16:25:08 -07:00