10 Jan, 2019

1 commit

  • commit 94ffb030b6d31ec840bb811be455dd2e26a4f43e upstream.

    stream is indirectly controlled by user-space, hence leading to
    a potential exploitation of the Spectre variant 1 vulnerability.

    This issue was detected with the help of Smatch:

    sound/core/pcm.c:140 snd_pcm_control_ioctl() warn: potential spectre issue 'pcm->streams' [r] (local cap)

    Fix this by sanitizing stream before using it to index pcm->streams.

    Notice that given that speculation windows are large, the policy is
    to kill the speculation on the first load and not worry if it can be
    completed with a dependent load/store [1].

    [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

    Signed-off-by: Gustavo A. R. Silva
    Cc: stable@vger.kernel.org
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

    Gustavo A. R. Silva
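
The sanitizing step this commit message describes, shown as an added example that is not part of the commit or the kernel source: a user-space model of the branch-free masking used by the kernel's array_index_nospec() helper. The names index_mask_nospec(), index_nospec(), lookup_substream_count() and the streams[] table are assumptions made for illustration.

```c
#include <limits.h>
#include <stdio.h>

#define NSTREAMS 2 /* playback and capture, like pcm->streams[] */

/* All-ones when index < size, zero otherwise, computed without a branch so
 * there is nothing for the branch predictor to get wrong. Models the generic
 * mask in include/linux/nospec.h; valid while size <= LONG_MAX and relies on
 * arithmetic right shift of a negative long (true for gcc and clang).
 * Kernel builds also keep the compiler from folding the mask away; this
 * user-space model shows the arithmetic only. */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
	return (unsigned long)(~(long)(index | (size - 1UL - index))
			       >> (sizeof(long) * CHAR_BIT - 1));
}

/* In-range indexes pass through unchanged; out-of-range ones become 0. */
static unsigned long index_nospec(unsigned long index, unsigned long size)
{
	return index & index_mask_nospec(index, size);
}

/* Hypothetical stand-in for the per-direction stream table. */
struct stream_info { const char *name; int substream_count; };

static const struct stream_info streams[NSTREAMS] = {
	{ "playback", 4 }, { "capture", 2 },
};

/* Returns the substream count, or -1 for an invalid stream number. */
static int lookup_substream_count(unsigned long stream)
{
	if (stream >= NSTREAMS)		/* architectural bounds check */
		return -1;
	/* Sanitize before the first dependent load: even if the check above
	 * is mispredicted, the index used for the load is forced to 0. */
	stream = index_nospec(stream, NSTREAMS);
	return streams[stream].substream_count;
}

int main(void)
{
	unsigned long tests[] = { 0, 1, 2, ULONG_MAX }; /* constructed inputs */

	for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++)
		printf("stream=%lu mask=%#lx count=%d\n", tests[i],
		       index_mask_nospec(tests[i], NSTREAMS),
		       lookup_substream_count(tests[i]));
	return 0;
}
```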
     

24 Apr, 2018

1 commit

  • commit a820ccbe21e8ce8e86c39cd1d3bc8c7d1cbb949b upstream.

    The PCM runtime object is created and freed dynamically at PCM stream
    open / close time. This is tracked via substream->runtime, and it's
    cleared at snd_pcm_detach_substream().

    The runtime object assignment is protected by PCM open_mutex, so for
    all PCM operations, it's safely handled. However, each PCM substream
    also provides an ALSA timer interface, and user-space can access
    this while closing a PCM substream. This may eventually lead to a
    UAF, as snd_pcm_timer_resolution() tries to access the runtime while
    it is being cleared on the other side.

    Fortunately, it's the only concurrent access from the PCM timer, and
    it merely reads runtime->timer_resolution field. So, we can avoid the
    race by reordering kfree() and wrapping the substream->runtime
    clearance with the corresponding timer lock.

    Reported-by: syzbot+8e62ff4e07aa2ce87826@syzkaller.appspotmail.com
    Cc:
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

    Takashi Iwai
     

14 Dec, 2017

1 commit

  • commit 362bca57f5d78220f8b5907b875961af9436e229 upstream.

    When the device descriptor is closed, the `substream->runtime` pointer
    is freed. But another thread may be in the ioctl handler, case
    SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which
    calls snd_pcm_info() which accesses the now freed `substream->runtime`.

    Note: this fixes CVE-2017-0861

    Signed-off-by: Robb Glasser
    Signed-off-by: Nick Desaulniers
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

    Robb Glasser
     

25 Aug, 2017

1 commit

  • The commit c8da9be4a75f ("ALSA: pcm: Adjust nine function calls
    together with a variable assignment") contained a badly incorrect
    conversion, a "status" PCM procfs creation was replaced with the next
    one. Luckily, this could be spotted easily by the kernel runtime
    warning.

    Fixes: c8da9be4a75f ("ALSA: pcm: Adjust nine function calls together...")
    Reported-by: Fabio Estevam
    Tested-by: Fabio Estevam
    Signed-off-by: Takashi Iwai

    Takashi Iwai
     

23 Aug, 2017

2 commits


30 Jun, 2017

1 commit

  • attribute_groups are not supposed to change at runtime. All functions
    working with attribute_groups provided by work with const
    attribute_group. So mark the non-const structs as const.

    File size before:
       text    data     bss     dec     hex filename
       9781     240       8   10029    272d sound/core/pcm.o

    File size after adding 'const':
       text    data     bss     dec     hex filename
       9813     176       8    9997    270d sound/core/pcm.o

    Signed-off-by: Arvind Yadav
    Signed-off-by: Takashi Iwai

    Arvind Yadav
     

26 May, 2017

1 commit

  • Several files are used to construct PCM core module, a.k.a snd-pcm.
    Although available APIs are described in 'include/sound/pcm.h', some of
    them are not exported as symbols in kernel space. Such APIs are just for
    module local usage.

    This commit adds a module-local header file and moves some function prototypes
    into it so that scopes of them are controlled properly and developers
    get no confusion from unavailable symbols.

    Signed-off-by: Takashi Sakamoto
    Signed-off-by: Takashi Iwai

    Takashi Sakamoto
     

18 May, 2017

1 commit

  • Recent compilers produce a harmless warning for the new pcm_call_notify()
    macro when CONFIG_SND_PCM_OSS is disabled:

    sound/core/pcm.c: In function 'snd_pcm_free':
    sound/core/pcm.c:905:37: error: suggest braces around empty body in an 'if' statement [-Werror=empty-body]

    This turns the empty macro into a 'do {} while (0)' statement to avoid
    the warning.

    Fixes: 58f30d650c7f ("ALSA: pcm: Build pcm notifier code conditionally")
    Signed-off-by: Arnd Bergmann
    Signed-off-by: Takashi Iwai

    Arnd Bergmann
     

17 May, 2017

1 commit


08 Jul, 2016

1 commit

  • The chmap ctls assigned to PCM streams are freed in the PCM disconnect
    callback. However, since the disconnect callback isn't called when
    the card gets freed before registering, the chmap ctls may still be
    left assigned. They are eventually freed together with other ctls,
    but it may cause an Oops at pcm_chmap_ctl_private_free(), as the
    function refers to the assigned PCM stream, while the PCM objects have
    been already freed beforehand.

    The fix is to free the chmap ctls also at PCM free callback, not only
    at PCM disconnect.

    Reported-by: Laxminath Kasam
    Cc:
    Signed-off-by: Takashi Iwai

    Takashi Iwai
     

13 Sep, 2015

1 commit

  • …this structure had been removed

    This structure was added by 4d96eb255c53 ('ALSA: pcm_lib - add possibility
    to log last 10 DMA ring buffer positions') to store PCM pointers
    information of latest 10 pointer movements (=XRUN_LOG_CNT). When
    CONFIG_SND_PCM_XRUN_DEBUG is configured, 'struct snd_pcm_runtime' has
    'hwptr_log' member with a pointer to the structure. When calling
    xrun_log() in pcm_lib.c, the structure was allocated to the pointer.
    When calling snd_pcm_detach_substream() in pcm.c, the allocated pointer
    is released.

    In f5914908a5b7 ('ALSA: pcm: Replace PCM hwptr tracking with tracepoints'),
    the pointer logging is replaced with using Linux Kernel Tracepoints. The
    structure was also removed, while it's just declared. The member and kfree
    still remain.

    This commit removes the member and related code. I think this was
    overlooked because it brings no errors/warnings to C compilers.

    Fixes: f5914908a5b7 ('ALSA: pcm: Replace PCM hwptr tracking with tracepoints')
    Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>

    Takashi Sakamoto
     

23 Jun, 2015

1 commit

  • The pcm_class sysfs of each PCM substream gives only "none" since the
    recent code change to embed the struct device. Fix the code to point
    directly to the embedded device object properly.

    Fixes: ef46c7af93f9 ('ALSA: pcm: Embed struct device')
    Cc: # v4.0+
    Signed-off-by: Takashi Iwai

    Takashi Iwai
     

28 May, 2015

1 commit

  • We may disable proc fs only for sound part, to reduce ALSA
    memory footprint. So add CONFIG_SND_PROC_FS and replace the
    old CONFIG_PROC_FSs in alsa code.

    With sound proc fs disabled, we can save about 9KB memory
    size on X86_64 platform.

    Signed-off-by: Jie Yang
    Reviewed-by: Mark Brown
    Signed-off-by: Takashi Iwai

    Jie Yang
     

10 Mar, 2015

1 commit


21 Feb, 2015

4 commits


03 Feb, 2015

1 commit

  • Now that all callers have been replaced with
    snd_device_register_for_dev(), let's drop the obsolete device
    registration code and concentrate only on the code handling struct
    device directly. That said,

    - remove the old snd_device_register(),
    - rename snd_device_register_for_dev() with snd_device_register(),
    - drop superfluous arguments from snd_device_register(),
    - change snd_unregister_device() to pass the device pointer directly

    Reviewed-by: Jaroslav Kysela
    Signed-off-by: Takashi Iwai

    Takashi Iwai
     

02 Feb, 2015

3 commits

  • Like previous patches, at this time we embed the struct device into
    PCM object. However, this needs a bit more caution: struct snd_pcm
    doesn't own one device but two, for both playback and capture! Thus
    not struct snd_pcm but struct snd_pcm_str object contains the device.

    Along with this change, pcm->dev field is dropped for avoiding
    confusion. It was meant to point to a non-standard parent. But,
    since now we can touch each struct device directly, we can manipulate
    the parent field easily there, too.

    Reviewed-by: Jaroslav Kysela
    Signed-off-by: Takashi Iwai

    Takashi Iwai
     
  • Instead of open-coding the search over the control file loop, provide
    a helper function for the preferred subdevice assigned to the current
    process.

    Reviewed-by: Jaroslav Kysela
    Signed-off-by: Takashi Iwai

    Takashi Iwai
     
  • This is a preliminary patch for the further work on embedding struct
    device into each sound device instance. It changes
    snd_register_device*() helpers to receive the device object directly
    for skipping creating a device there.

    Reviewed-by: Jaroslav Kysela
    Signed-off-by: Takashi Iwai

    Takashi Iwai
     

29 Nov, 2014

1 commit


21 Nov, 2014

1 commit


04 Nov, 2014

1 commit

  • This patch adds a new proc entry for PCM substreams to inject an
    XRUN. When a PCM substream is running and any value is written to its
    xrun_injection proc file, the driver triggers XRUN. This is a useful
    feature for debugging XRUN and error handling code paths.

    Note that this entry is enabled only when CONFIG_SND_PCM_XRUN_DEBUG is
    set.

    Signed-off-by: Takashi Iwai

    Takashi Iwai
     

30 Oct, 2014

1 commit


08 Sep, 2014

1 commit

  • XMOS based USB DACs with native DSD support expose this feature via a USB
    alternate setting. The audio format is either 32-bit raw or a 32-bit PCM format.
    To utilize this feature on Linux this patch introduces a new 32-bit DSD
    sample format DSD_U32_LE.
    A follow up patch will add a quirk for XMOS based devices to utilize the new format.
    Further patches will add support to alsa-lib.

    Signed-off-by: Jurgen Kramer
    Signed-off-by: Takashi Iwai

    Jurgen Kramer
     

03 Sep, 2014

1 commit

  • Currently, many PCM operations are performed in a critical section
    protected by spinlock, typically the trigger and pointer callbacks are
    assumed to be atomic. This is basically because some trigger action
    (e.g. PCM stop after drain or xrun) is done in the interrupt handler.
    If a driver runs in a threaded irq, however, this doesn't have to be
    atomic. And many devices want to handle trigger in a non-atomic
    context due to lengthy communications.

    This patch tries to make all PCM calls operational in non-atomic context.
    What it does is very simple: replaces the substream spinlock with the
    corresponding substream mutex when pcm->nonatomic flag is set. The
    driver that wants to use the non-atomic PCM ops just needs to set the
    flag and keep the rest as is. (Of course, it must not handle any PCM
    ops in irq context.)

    Note that the code doesn't check whether it's atomic-safe or not, but
    trusts 100% that the driver sets pcm->nonatomic correctly.

    One possible problem is the case where linked PCM substreams have
    inconsistent nonatomic states. For avoiding this, snd_pcm_link()
    returns an error if one tries to link an inconsistent PCM substream.

    Signed-off-by: Takashi Iwai

    Takashi Iwai
     

25 Feb, 2014

1 commit

  • Instead of calling each time device_create_file(), create the groups
    of sysfs attribute files at once in a normal way. Add a new helper
    function, snd_get_device(), to return the associated device object,
    so that we can handle the sysfs addition locally.

    Since the sysfs file addition is done differently now,
    snd_add_device_sysfs_file() helper function is removed.

    Signed-off-by: Takashi Iwai

    Takashi Iwai
     

14 Feb, 2014

1 commit


10 Feb, 2014

1 commit

  • Replace the lengthy #if defined(XXX) || defined(XXX_MODULE) with the
    new IS_ENABLED() macro.

    The patch still doesn't cover all ifdefs. For example, the dependency
    on CONFIG_GAMEPORT is still open-coded because this also has an extra
    dependency on MODULE. Similarly, an open-coded ifdef in pcm_oss.c and
    some sequencer-related stuff are left untouched.

    Signed-off-by: Takashi Iwai

    Takashi Iwai
     

01 Nov, 2013

1 commit

  • Unable to handle kernel NULL pointer dereference at virtual address 00000008
    pgd = d5300000
    [00000008] *pgd=0d265831, *pte=00000000, *ppte=00000000
    Internal error: Oops: 17 [#1] PREEMPT ARM
    CPU: 0 PID: 2295 Comm: vlc Not tainted 3.11.0+ #755
    task: dee74800 ti: e213c000 task.ti: e213c000
    PC is at snd_pcm_info+0xc8/0xd8
    LR is at 0x30232065
    pc : [] lr : [] psr: a0070013
    sp : e213dea8 ip : d81cb0d0 fp : c05f7678
    r10: c05f7770 r9 : fffffdfd r8 : 00000000
    r7 : d8a968a8 r6 : d8a96800 r5 : d8a96200 r4 : d81cb000
    r3 : 00000000 r2 : d81cb000 r1 : 00000001 r0 : d8a96200
    Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
    Control: 10c5387d Table: 15300019 DAC: 00000015
    Process vlc (pid: 2295, stack limit = 0xe213c248)
    [] (snd_pcm_info) from [] (snd_pcm_info_user+0x34/0x9c)
    [] (snd_pcm_info_user) from [] (snd_pcm_control_ioctl+0x274/0x280)
    [] (snd_pcm_control_ioctl) from [] (snd_ctl_ioctl+0xc0/0x55c)
    [] (snd_ctl_ioctl) from [] (do_vfs_ioctl+0x80/0x31c)
    [] (do_vfs_ioctl) from [] (SyS_ioctl+0x3c/0x60)
    [] (SyS_ioctl) from [] (ret_fast_syscall+0x0/0x48)
    Code: e1a00005 e59530dc e3a01001 e1a02004 (e5933008)
    ---[ end trace cb3d9bdb8dfefb3c ]---

    This is provoked when the ASoC front end is open along with its backend,
    (which causes the backend to have a runtime assigned to it) and then the
    SNDRV_CTL_IOCTL_PCM_INFO is requested for the (visible) backend device.

    Resolve this by ensuring that ASoC internal backend devices are not
    visible to userspace, just as the commentary for snd_pcm_new_internal()
    says it should be.

    Signed-off-by: Russell King
    Acked-by: Mark Brown
    Cc: [v3.4+]
    Signed-off-by: Takashi Iwai

    Russell King
     

18 Apr, 2013

1 commit

  • This patch adds two formats for Direct Stream Digital (DSD), a
    pulse-density encoding format which is described here:
    https://en.wikipedia.org/wiki/Direct_Stream_Digital

    DSD operates on 2.8, 5.6 or 11.2MHz sample rates and as a 1-bit
    stream.

    The two new types added by this patch describe streams that are capable
    of handling DSD samples in DOP format as 8-bit or in 16-bit (or at a x8
    or x16 data rate, respectively).

    DSD itself specifies samples in *bit*, while DOP and ALSA handle them
    as *bytes*. Hence, a factor of 8 or 16 has to be applied for the sample
    rate configuration, according to the following table:

    configured hardware
    176.4KHz 352.8kHz 705.6KHz
    Signed-off-by: Takashi Iwai

    Daniel Mack
     

12 Mar, 2013

1 commit

  • script/kernel-doc reports the following type of warnings (when run in verbose
    mode):

    Warning(sound/core/init.c:152): No description found for return value of
    'snd_card_create'

    To fix that:
    - add missing descriptions of function return values
    - use "Return:" sections to describe those return values

    Along the way:
    - complete some descriptions
    - fix some typos

    Signed-off-by: Yacine Belkadi
    Signed-off-by: Takashi Iwai

    Yacine Belkadi
     

21 Nov, 2012

1 commit


30 Oct, 2012

2 commits


07 Sep, 2012

1 commit

  • This patch implements the basic data types for the standard channel
    mapping API handling.

    - The definitions of the channel positions and the new TLV types are
    added in sound/asound.h and sound/tlv.h, so that they can be
    referred from user-space.

    - Introduced a new helper function snd_pcm_add_chmap_ctls() to create
    control elements representing the channel maps for each PCM
    (sub)stream.

    - Some standard pre-defined channel maps are provided for
    convenience.

    Signed-off-by: Takashi Iwai

    Takashi Iwai
     

25 Mar, 2012

1 commit

  • Pull avoidance patches from Paul Gortmaker:
    "Nearly every subsystem has some kind of header with a proto like:

    void foo(struct device *dev);

    and yet there is no reason for most of these guys to care about the
    sub fields within the device struct. This allows us to significantly
    reduce the scope of headers including headers. For this instance, a
    reduction of about 40% is achieved by replacing the include with the
    simple fact that the device is some kind of a struct.

    Unlike the much larger module.h cleanup, this one is simply two
    commits. One to fix the implicit users, and then one
    to delete the device.h includes from the linux/include/ dir wherever
    possible."

    * tag 'device-for-3.4' of git://git.kernel.org/pub/scm/linux/kernel/git/paulg/linux:
    device.h: audit and cleanup users in main include dir
    device.h: cleanup users outside of linux/include (C files)

    Linus Torvalds