- Feb 18, 2016
-
-
Takashi Iwai authored
A non-atomic PCM stream may take snd_pcm_link_rwsem rw semaphore twice in the same code path, e.g. one in snd_pcm_action_nonatomic() and another in snd_pcm_stream_lock(). Usually this is OK, but when a write lock is issued between these two read locks, the problem happens: the write lock is blocked due to the first reade lock, and the second read lock is also blocked by the write lock. This eventually deadlocks. The reason is the way rwsem manages waiters; it's queued like FIFO, so even if the writer itself doesn't take the lock yet, it blocks all the waiters (including reads) queued after it. As a workaround, in this patch, we replace the standard down_write() with an spinning loop. This is far from optimal, but it's good enough, as the spinning time is supposed to be relatively short for normal PCM operations, and the code paths requiring the write lock aren't called so often. Reported-by:
Vinod Koul <vinod.koul@intel.com> Tested-by:
Ramesh Babu <ramesh.babu@intel.com> Cc: <stable@vger.kernel.org> # v3.18+ Signed-off-by:
Takashi Iwai <tiwai@suse.de>
-
- Feb 16, 2016
-
-
Takashi Iwai authored
The commit [7f0973e9: ALSA: seq: Fix lockdep warnings due to double mutex locks] split the management of two linked lists (source and destination) into two individual calls for avoiding the AB/BA deadlock. However, this may leave the possible double deletion of one of two lists when the counterpart is being deleted concurrently. It ends up with a list corruption, as revealed by syzkaller fuzzer. This patch fixes it by checking the list emptiness and skipping the deletion and the following process. BugLink: http://lkml.kernel.org/r/CACT4Y+bay9qsrz6dQu31EcGaH9XwfW7o3oBzSQUG9fMszoh=Sg@mail.gmail.com Fixes: 7f0973e9 ('ALSA: seq: Fix lockdep warnings due to 'double mutex locks) Reported-by:
Dmitry Vyukov <dvyukov@google.com> Tested-by:
-
- Feb 15, 2016
-
-
Takashi Iwai authored
The commit [991f86d7: ALSA: hda - Flush the pending probe work at remove] introduced the sync of async probe work at remove for fixing the race. However, this may lead to another hangup when the module removal is performed quickly before starting the probe work, because it issues flush_work() and it's blocked forever. The workaround is to use cancel_work_sync() instead of flush_work() there. Fixes: 991f86d7 ('ALSA: hda - Flush the pending probe work at remove') Cc: <stable@vger.kernel.org> # v3.17+ Signed-off-by:
-
Takashi Iwai authored
When multiple concurrent writes happen on the ALSA sequencer device right after the open, it may try to allocate vmalloc buffer for each write and leak some of them. It's because the presence check and the assignment of the buffer is done outside the spinlock for the pool. The fix is to move the check and the assignment into the spinlock. (The current implementation is suboptimal, as there can be multiple unnecessary vmallocs because the allocation is done before the check in the spinlock. But the pool size is already checked beforehand, so this isn't a big problem; that is, the only possible path is the multiple writes before any pool assignment, and practically seen, the current coverage should be "good enough".) The issue was triggered by syzkaller fuzzer. BugLink: http://lkml.kernel.org/r/CACT4Y+bSzazpXNvtAr=WXaL8hptqjHwqEyFA+VN2AWEx=aurkg@mail.gmail.com Reported-by:
-
- Feb 13, 2016
-
-
Andrey Konovalov authored
The 'umidi' object will be free'd on the error path by snd_usbmidi_free() when tearing down the rawmidi interface. So we shouldn't try to free it in snd_usbmidi_create() after having registered the rawmidi interface. Found by KASAN. Signed-off-by:
Andrey Konovalov <andreyknvl@gmail.com> Acked-by:
Clemens Ladisch <clemens@ladisch.de> Cc: <stable@vger.kernel.org> Signed-off-by:
-
- Feb 10, 2016
-
-
Richard Fitzgerald authored
When the FLL is in pseudo-fractional mode there is an additional limit on fref based on the fratio, to prevent aliasing around the Nyquist frequency. If fref exceeds this limit the refclk divider must be increased and the calculation tried again until a suitable combination of fref and fratio is found or we have to fall back to integer mode. This patch also adds some debug log prints around this code. Signed-off-by:
Richard Fitzgerald <rf@opensource.wolfsonmicro.com> Signed-off-by:
Mark Brown <broonie@kernel.org>
-
Pascal Huerst authored
Forwarding the return value of i2c_master_send, leads to errors later on, since i2c_master_send returns the number of bytes transmittet. Check for ret < 0 instead and return 0 otherwise. Signed-off-by:
Pascal Huerst <pascal.huerst@gmail.com> Acked-by:
Lars-Peter Clausen <lars@metafoo.de> Signed-off-by:
-
- Feb 09, 2016
-
-
Takashi Iwai authored
snd_timer_user_read() has a potential race among parallel reads, as qhead and qused are updated outside the critical section due to copy_to_user() calls. Move them into the critical section, and also sanitize the relevant code a bit. Cc: <stable@vger.kernel.org> Signed-off-by: -
Geert Uytterhoeven authored
sound/firewire/digi00x/amdtp-dot.c:67: warning: type qualifiers ignored on function return type Drop the bogus "const" type qualifier on the return type of dot_scrt() to fix this. Signed-off-by:
Geert Uytterhoeven <geert@linux-m68k.org> Reviewed-by:
Takashi Sakamoto <o-takashi@sakamocchi.jp> Signed-off-by:
-
Takashi Iwai authored
The hda_jack_tbl entries are managed by snd_array for allowing multiple jacks. It's good per se, but the problem is that struct hda_jack_callback keeps the hda_jack_tbl pointer. Since snd_array doesn't preserve each pointer at resizing the array, we can't keep the original pointer but have to deduce the pointer at each time via snd_array_entry() instead. Actually, this resulted in the deference to the wrong pointer on codecs that have many pins such as CS4208. This patch replaces the pointer to the NID value as the search key. As an unexpected good side effect, this even simplifies the code, as only NID is needed in most cases. Cc: <stable@vger.kernel.org> Signed-off-by: -
Takashi Iwai authored
A slave timer element also unlinks at snd_timer_stop() but it takes only slave_active_lock. When a slave is assigned to a master, however, this may become a race against the master's interrupt handling, eventually resulting in a list corruption. The actual bug could be seen with a syzkaller fuzzer test case in BugLink below. As a fix, we need to take timeri->timer->lock when timer isn't NULL, i.e. assigned to a master, while the assignment to a master itself is protected by slave_active_lock. BugLink: http://lkml.kernel.org/r/CACT4Y+Y_Bm+7epAb=8Wi=AaWd+DYS7qawX52qxdCfOfY49vozQ@mail.gmail.com Cc: <stable@vger.kernel.org> Signed-off-by:
-
- Feb 08, 2016
-
-
Takashi Iwai authored
In snd_timer_notify1(), the wrong timer instance was passed for slave ccallback function. This leads to the access to the wrong data when an incompatible master is handled (e.g. the master is the sequencer timer and the slave is a user timer), as spotted by syzkaller fuzzer. This patch fixes that wrong assignment. BugLink: http://lkml.kernel.org/r/CACT4Y+Y_Bm+7epAb=8Wi=AaWd+DYS7qawX52qxdCfOfY49vozQ@mail.gmail.com Reported-by:
-
Vinod Koul authored
The match module lacked module license and description, so add it Acked-by:
Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com> Signed-off-by:
-
Pierre-Louis Bossart authored
DPCM driver is recommended for BYT, CHT based platforms, so if CONFIG_SND_SST_IPC_ACPI is selected then don't compile the BYT Device IDs in common ACPI driver to avoid probe conflicts. Signed-off-by:
Jie Yang <yang.jie@intel.com> Signed-off-by:
-
Vinod Koul authored
The ACPI match module is common to all three drivers, HSW, SKL and Atom-DPCM driver. But Atom-DPCM driver does not use common sst code so we cannot include the common SST module in Atom-DPCM driver. So the solution is to have a independent sst-match-acpi module which helps in matching for all the three drivers. Now all driver can be inbuilt in a single image This patch really fixes the regression introduced by the commit 95f09801 ("ASoC: Intel: Move apci find machine routines") Acked-by:
-
Vinod Koul authored
This reverts commit dc901a35 ("ASoC: Intel: fix ACPI probe regression with Atom DPCM driver") as the fix prevented the probe on HSW/BDW if Atom-DPCM was selected Acked-by:
-
Takashi Iwai authored
Currently the selected timer backend is referred at any moment from the running PCM callbacks. When the backend is switched, it's possible to lead to inconsistency from the running backend. This was pointed by syzkaller fuzzer, and the commit [7ee96216: ALSA: dummy: Disable switching timer backend via sysfs] disabled the dynamic switching for avoiding the crash. This patch improves the handling of timer backend switching. It keeps the reference to the selected backend during the whole operation of an opened stream so that it won't be changed by other streams. Together with this change, the hrtimer parameter is reenabled as writable now. NOTE: this patch also turned out to fix the still remaining race. Namely, ops was still replaced dynamically at dummy_pcm_open: static int dummy_pcm_open(struct snd_pcm_substream *substream) { .... dummy->timer_ops = &dummy_systimer_ops; if (hrtimer) dummy->timer_ops = &dummy_hrtimer_ops; Since dummy->timer_ops is common among all streams, and when the replacement happens during accesses of other streams, it may lead to a crash. This was actually triggered by syzkaller fuzzer and KASAN. This patch rewrites the code not to use the ops shared by all streams any longer, too. BugLink: http://lkml.kernel.org/r/CACT4Y+aZ+xisrpuM6cOXbL21DuM0yVxPYXf4cD4Md9uw0C3dBQ@mail.gmail.com Reported-by:
-
- Feb 07, 2016
-
-
Takashi Iwai authored
Some Sony VAIO AiO models (VGC-JS4EF and VGC-JS25G, both with PCI SSID 104d:9044) need the same quirk to make the speaker working properly. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=112031 Cc: <stable@vger.kernel.org> Signed-off-by:
-
- Feb 05, 2016
-
-
Takashi Iwai authored
This reverts commit 0c25ad80. The original commit disabled the aamixer path due to the noise problem, but it turned out that some mobo with the same PCI SSID doesn't suffer from the issue, and the disabled function (analog loopback) is still demanded by users. Since the recent commit [e7fdd527: ALSA: hda - Implement loopback control switch for Realtek and other codecs], we have the dynamic mixer switch to enable/disable the aamix path, and we don't have to disable the path statically any longer. So, let's revert the disablement, so that only the user suffering from the noise problem can turn off the aamix on the fly. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=108301 Reported-by:
<mutedbytes@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by:
-
Takashi Sakamoto authored
Commit 3beab0f8 added a member for control and status message, while it's planned and not implemented yet. This commit removes it. Fixes: 3beab0f8('ALSA: firewire-tascam: add support for outgoing MIDI messages by asynchronous transaction') Signed-off-by:
-
Takashi Sakamoto authored
Currently, 'struct snd_tscm_spec' has a member named as 'is_controller' to identify MIDI controller. This member was originally added to skip parse control and status messages in isochronous packets for non-controller model. As long as I investigate, FW-1804 (non-controller) also transfers the control and status message, thus it becomes meaningless. This commit removes it. Signed-off-by:
-
Takashi Sakamoto authored
This model supports: * maximum 12 PCM channels for PCM playback * maximum 18 PCM channels for PCM capture * 4 ports for MIDI playback * 4 ports for MIDI capture * control and status messages in tx isochronous packets * up to 96.0 kHz This commit adds support for the model. As the other supported models, all of available PCM channels are always enabled. As I described in commit c0949b27, Ilya Zimnovich had investigated TASCAM FireWire series in 2011 with his FW-1804. In his report, this model has internal multiplexer and any software implementation can control it. Following to the design of ALSA firewire stack, this commit won't implement it. It should be in userspace via Linux fw character device. Signed-off-by:
-
Takashi Sakamoto authored
When unsupported models are connected, snd-firewire-tascam module causes NULL pointer dereference in fw_core_remove_address_handler() (due to list_del_rcu()). This commit prevents this bug. Signed-off-by:
-
David Henningsson authored
The static checker warning is: sound/pci/hda/patch_hdmi.c:460 hdmi_eld_ctl_get() error: __memcpy() 'eld->eld_buffer' too small (256 vs 512) I have a hard time figuring out if this can ever cause an information leak (I don't think so), but nonetheless it does not hurt to increase the robustness of the code. Fixes: 68e03de9 ('ALSA: hda - hdmi: Do not expose eld data when eld is invalid') Reported-by:
Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:
David Henningsson <david.henningsson@canonical.com> Cc: <stable@vger.kernel.org> # v3.9+ Signed-off-by:
-
- Feb 04, 2016
-
-
Takashi Iwai authored
In ALSA timer core, the active timer instance is managed in active_list linked list. Each element is added / removed dynamically at timer start, stop and in timer interrupt. The problem is that snd_timer_interrupt() has a thinko and leaves the element in active_list when it's the last opened element. This eventually leads to list corruption or use-after-free error. This hasn't been revealed because we used to delete the list forcibly in snd_timer_stop() in the past. However, the recent fix avoids the double-stop behavior (in commit [f784beb7: ALSA: timer: Fix link corruption due to double start or stop]), and this leak hits reality. This patch fixes the link management in snd_timer_interrupt(). Now it simply unlinks no matter which stream is. BugLink: http://lkml.kernel.org/r/CACT4Y+Yy2aukHP-EDp8-ziNqNNmb-NTf=jDWXMP7jB8HDa2vng@mail.gmail.com Reported-by:
-
Vinod Koul authored
The driver used autosuspend delay to delay going to D3. But per HW recommendation we should go to D3 soon, so remove the delay from driver Signed-off-by:
Subhransu S. Prusty <subhransu.s.prusty@intel.com> Signed-off-by:
-
Jeeja KP authored
DMIC BE can have 2 or 4 channels supported. The DMIC fixup needs to take this into account. Signed-off-by:
Jeeja KP <jeeja.kp@intel.com> Signed-off-by:
-
Jeeja KP authored
Some modules may be directly connected to a pipeline without a mixer module. For these modules, we require PRE_PMU and POST_PMU handler which will do bind between the pipelines, so add these missing handlers. Signed-off-by:
-
Jeeja KP authored
skl_tplg_bind_sinks() takes only the first sink widget. This breaks in case we have multiple sinks for a module. So pass source widget to skl_tplg_bind_sinks() and bind for all sinks by calling this recursively Signed-off-by:
-
Jeeja KP authored
We should not stop the sink pipe in it's pmd handler for a mixin module as this module may still be connected to other pipes. This will be stopped and freed by current implementation on last connected pipe unbind. Signed-off-by:
-
Jeeja KP authored
For binding modules we should check if source or destination module is in UNINT state. We canot bind even if one of them is in this state. So update the check from logical AND to logical OR and do not bind modules for this case Signed-off-by:
-
Jeeja KP authored
In unbind modules, the skl_get_queue_index() can return error if the pin is dynamic and module is not bound yet. So instead of returning error this check should return success as modules is not yet bound. This will let the module be bound when connected pipes are enabled and will bind this as well. So change the return value to 0 Signed-off-by:
-
Dharageswari.R authored
We check and allocate pipeline resources in one shot. That causes leaks if module creation fails later as that is not freed. So split the resource allocation into two, first check if resources are available and then add the resources upon successful creation. So two new functions are added for checking and current functions are re-purposed to only add the resources for memory and MCPS. Signed-off-by:
Dharageswari.R <dharageswari.r@intel.com> Signed-off-by:
-
Guneshwor Singh authored
While cleaning resources on module pmd event, we check for return of skl_unbind_modules(). On failure this causes leak as all modules attached do not have resources freed. So ignore return value of module unbind and continue freeing resources. This makes dapm state and resources correct. Signed-off-by:
Guneshwor Singh <guneshwor.o.singh@intel.com> Signed-off-by:
-
Guneshwor Singh authored
When delay reported by HW is equal to buffersize, it means the value is wrapped so we should report as 0. So add the condition to check this while reporting the delay from LPIB. Signed-off-by:
-
Vinod Koul authored
TLV buffer can be smaller than the module data, so update the size of data to be copied before doing the copy. Also TLV header consists of two unsigned ints, this is also taken into account here and size modified to reflect this Suggested-by:
-
Lars-Peter Clausen authored
When a DAPM context has a prefix the autodisable widgets get prefixed twice, once for the control and once for the widget. To avoid this use the un-prefixed control name to construct the autodisable widget name. This change is purely cosmetic. Signed-off-by:
-
- Feb 03, 2016
-
-
Takashi Iwai authored
The port subscription code uses double mutex locks for source and destination ports, and this may become racy once when wrongly set up. It leads to lockdep warning splat, typically triggered by fuzzer like syzkaller, although the actual deadlock hasn't been seen, so far. This patch simplifies the handling by reducing to two single locks, so that no lockdep warning will be trigger any longer. By splitting to two actions, a still-in-progress element shall be added in one list while handling another. For ignoring this element, a new check is added in deliver_to_subscribers(). Along with it, the code to add/remove the subscribers list element was cleaned up and refactored. BugLink: http://lkml.kernel.org/r/CACT4Y+aKQXV7xkBW9hpQbzaDO7LrUvohxWh-UwMxXjDy-yBD=A@mail.gmail.com Reported-by:
-
Takashi Iwai authored
The rawmidi read and write functions manage runtime stream status such as runtime->appl_ptr and runtime->avail. These point where to copy the new data and how many bytes have been copied (or to be read). The problem is that rawmidi read/write call copy_from_user() or copy_to_user(), and the runtime spinlock is temporarily unlocked and relocked while copying user-space. Since the current code advances and updates the runtime status after the spin unlock/relock, the copy and the update may be asynchronous, and eventually runtime->avail might go to a negative value when many concurrent accesses are done. This may lead to memory corruption in the end. For fixing this race, in this patch, the status update code is performed in the same lock before the temporary unlock. Also, the spinlock is now taken more widely in snd_rawmidi_kernel_read1() for protecting more properly during the whole operation. BugLink: http://lkml.kernel.org/r/CACT4Y+b-dCmNf1GpgPKfDO0ih+uZCL2JV4__j-r1kdhPLSgQCQ@mail.gmail.com Reported-by:
-
Takashi Iwai authored
A kernel WARNING in snd_rawmidi_transmit_ack() is triggered by syzkaller fuzzer: WARNING: CPU: 1 PID: 20739 at sound/core/rawmidi.c:1136 Call Trace: [< inline >] __dump_stack lib/dump_stack.c:15 [<ffffffff82999e2d>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50 [<ffffffff81352089>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482 [<ffffffff813522b9>] warn_slowpath_null+0x29/0x30 kernel/panic.c:515 [<ffffffff84f80bd5>] snd_rawmidi_transmit_ack+0x275/0x400 sound/core/rawmidi.c:1136 [<ffffffff84fdb3c1>] snd_virmidi_output_trigger+0x4b1/0x5a0 sound/core/seq/seq_virmidi.c:163 [< inline >] snd_rawmidi_output_trigger sound/core/rawmidi.c:150 [<ffffffff84f87ed9>] snd_rawmidi_kernel_write1+0x549/0x780 sound/core/rawmidi.c:1223 [<ffffffff84f89fd3>] snd_rawmidi_write+0x543/0xb30 sound/core/rawmidi.c:1273 [<ffffffff817b0323>] __vfs_write+0x113/0x480 fs/read_write.c:528 [<ffffffff817b1db7>] vfs_write+0x167/0x4a0 fs/read_write.c:577 [< inline >] SYSC_write fs/read_write.c:624 [<ffffffff817b50a1>] SyS_write+0x111/0x220 fs/read_write.c:616 [<ffffffff86336c36>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185 Also a similar warning is found but in another path: Call Trace: [< inline >] __dump_stack lib/dump_stack.c:15 [<ffffffff82be2c0d>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50 [<ffffffff81355139>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482 [<ffffffff81355369>] warn_slowpath_null+0x29/0x30 kernel/panic.c:515 [<ffffffff8527e69a>] rawmidi_transmit_ack+0x24a/0x3b0 sound/core/rawmidi.c:1133 [<ffffffff8527e851>] snd_rawmidi_transmit_ack+0x51/0x80 sound/core/rawmidi.c:1163 [<ffffffff852d9046>] snd_virmidi_output_trigger+0x2b6/0x570 sound/core/seq/seq_virmidi.c:185 [< inline >] snd_rawmidi_output_trigger sound/core/rawmidi.c:150 [<ffffffff85285a0b>] snd_rawmidi_kernel_write1+0x4bb/0x760 sound/core/rawmidi.c:1252 [<ffffffff85287b73>] snd_rawmidi_write+0x543/0xb30 sound/core/rawmidi.c:1302 [<ffffffff817ba5f3>] __vfs_write+0x113/0x480 fs/read_write.c:528 [<ffffffff817bc087>] vfs_write+0x167/0x4a0 fs/read_write.c:577 [< inline >] SYSC_write fs/read_write.c:624 [<ffffffff817bf371>] SyS_write+0x111/0x220 fs/read_write.c:616 [<ffffffff86660276>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185 In the former case, the reason is that virmidi has an open code calling snd_rawmidi_transmit_ack() with the value calculated outside the spinlock. We may use snd_rawmidi_transmit() in a loop just for consuming the input data, but even there, there is a race between snd_rawmidi_transmit_peek() and snd_rawmidi_tranmit_ack(). Similarly in the latter case, it calls snd_rawmidi_transmit_peek() and snd_rawmidi_tranmit_ack() separately without protection, so they are racy as well. The patch tries to address these issues by the following ways: - Introduce the unlocked versions of snd_rawmidi_transmit_peek() and snd_rawmidi_transmit_ack() to be called inside the explicit lock. - Rewrite snd_rawmidi_transmit() to be race-free (the former case). - Make the split calls (the latter case) protected in the rawmidi spin lock. BugLink: http://lkml.kernel.org/r/CACT4Y+YPq1+cYLkadwjWa5XjzF1_Vki1eHnVn-Lm0hzhSpu5PA@mail.gmail.com BugLink: http://lkml.kernel.org/r/CACT4Y+acG4iyphdOZx47Nyq_VHGbpJQK-6xNpiqUjaZYqsXOGw@mail.gmail.com Reported-by:
-
