snd_pcm_hw_params() (more exactly snd_pcm_hw_params_choose()) contains
a check of the return error from snd_pcm_hw_param_first() and _last()
with snd_BUG_ON() -- i.e. it may trigger WARN_ON() depending on the
kconfig.
This was a valid check in the past, as these functions shouldn't
return any error if the parameters have been already refined via
snd_pcm_hw_refine() beforehand. However, the recent rewrite
introduced a kmalloc() in snd_pcm_hw_refine() for removing VLA, and
this brought a possibility to trigger an error. As a result, syzbot
caught lots of superfluous kernel WARN_ON() and paniced via fault
injection.
As the WARN_ON() is no longer valid with the introduction of
kmalloc(), let's drop snd_BUG_ON() check, in order to make the world
peaceful place again.
Reported-by: syzbot+803e0047ac3a3096bb4f@syzkaller.appspotmail.com
Fixes: 5730f9f744 ("ALSA: pcm: Remove VLA usage")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The commit 02a5d6925c ("ALSA: pcm: Avoid potential races between OSS
ioctls and read/write") split the PCM preparation code to a locked
version, and it added a sanity check of runtime->oss.prepare flag
along with the change. This leaded to an endless loop when the stream
gets XRUN: namely, snd_pcm_oss_write3() and co call
snd_pcm_oss_prepare() without setting runtime->oss.prepare flag and
the loop continues until the PCM state reaches to another one.
As the function is supposed to execute the preparation
unconditionally, drop the invalid state check there.
The bug was triggered by syzkaller.
Fixes: 02a5d6925c ("ALSA: pcm: Avoid potential races between OSS ioctls and read/write")
Reported-by: syzbot+150189c103427d31a053@syzkaller.appspotmail.com
Reported-by: syzbot+7e3f31a52646f939c052@syzkaller.appspotmail.com
Reported-by: syzbot+4f2016cf5185da7759dc@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The UAC3 clock parser codes lack of the sanity checks for malformed
descriptors like UAC2 parser does. Without it, the driver may lead to
a potential crash.
Fixes: 9a2fe9b801 ("ALSA: usb: initial USB Audio Device Class 3.0 support")
Tested-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
Reviewed-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The sanity checks introduced for malformed descriptors loosely check
the given descriptor size, although the size greater than the defined
description is invalid. It was due to a concern of any funky firmware
in the actual products. But this doesn't look hitting, and any sane
products must have the defined descriptors.
So in this patch, we make the validators more strict, allowing only
with the defined descriptor sizes. The value in clock selector
validator is corrected from 5 to 7 to count the two unlisted fields
after baCSourceID[].
Suggested-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
Reviewed-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
There are lots of open-coded functions to find a clock source,
selector and multiplier. Now there are both v2 and v3, so six
variants.
This patch refactors the code to use a common helper for the main
loop, and define each validator function for each target.
There is no functional change.
Fixes: 9a2fe9b801 ("ALSA: usb: initial USB Audio Device Class 3.0 support")
Reviewed-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The PCM runtime object is created and freed dynamically at PCM stream
open / close time. This is tracked via substream->runtime, and it's
cleared at snd_pcm_detach_substream().
The runtime object assignment is protected by PCM open_mutex, so for
all PCM operations, it's safely handled. However, each PCM substream
provides also an ALSA timer interface, and user-space can access to
this while closing a PCM substream. This may eventually lead to a
UAF, as snd_pcm_timer_resolution() tries to access the runtime while
clearing it in other side.
Fortunately, it's the only concurrent access from the PCM timer, and
it merely reads runtime->timer_resolution field. So, we can avoid the
race by reordering kfree() and wrapping the substream->runtime
clearance with the corresponding timer lock.
Reported-by: syzbot+8e62ff4e07aa2ce87826@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
This is a *very* big release for ASoC. Not much change in the core but
there s the transition of all the individual drivers over to components
which is intended to support further core work. The goal is to make it
easier to do further core work by removing the need to special case all
the different driver classes in the core, many of the devices end up
being used in multiple roles in modern systems.
We also have quite a lot of new drivers added this month of all kinds,
quite a few for simple devices but also some more advanced ones with
more substantial code.
- The biggest thing is the huge series from Morimoto-san which
converted everything over to components. This is a huge change by
code volume but was fairly mechanical
- Many fixes for some of the Realtek based Baytrail systems covering
both the CODECs and the CPUs, contributed by Hans de Goode.
- Lots of cleanups for Samsung based Odroid systems from Sylwester
Nawrocki.
- The Freescale SSI driver also got a lot of cleanups from Nicolin
Chen.
- The Blackfin drivers have been removed as part of the removal of the
architecture.
- New drivers for AKM AK4458 and AK5558, several AMD based machines,
several Intel based machines, Maxim MAX9759, Motorola CPCAP,
Socionext Uniphier SoCs, and TI PCM1789 and TDA7419
-----BEGIN PGP SIGNATURE-----
iQFHBAABCgAxFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAlrCUIYTHGJyb29uaWVA
a2VybmVsLm9yZwAKCRAk1otyXVSH0A29B/sGkDyeoSTkvAIIu1cmVAIdpxz/MniC
2/KOVlZkIPV2WqS7wdzadJhTw8Xv/yX+By6w5dYQZyBsw9elYr/AvDomqetEwJfo
229jJGWxFbxNxgSo0gNeo5bL44ISjLK8TUw72YN3M1a15XvxF4NQwxmw3/5FYLHB
i3bxUd+nBTtshnnBTZFCvraF7kgm2OT1wQJgOiD6fWD4eSrIUrnp5kmUzvkrtMEA
PjKWV3k8d4xc1r5IDraX/saUYeoXQ/3cGkktWtc/AmqEf+mLI1iYpdhbAeiEqyNU
mkhcuMwF4E1qaMP0GgifhWnDgEyp4GvMUYkM21EjgKrOxgraMw3NcgX9
=JfFJ
-----END PGP SIGNATURE-----
Merge tag 'asoc-v4.17' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
ASoC: Updates for v4.17
This is a *very* big release for ASoC. Not much change in the core but
there s the transition of all the individual drivers over to components
which is intended to support further core work. The goal is to make it
easier to do further core work by removing the need to special case all
the different driver classes in the core, many of the devices end up
being used in multiple roles in modern systems.
We also have quite a lot of new drivers added this month of all kinds,
quite a few for simple devices but also some more advanced ones with
more substantial code.
- The biggest thing is the huge series from Morimoto-san which
converted everything over to components. This is a huge change by
code volume but was fairly mechanical
- Many fixes for some of the Realtek based Baytrail systems covering
both the CODECs and the CPUs, contributed by Hans de Goode.
- Lots of cleanups for Samsung based Odroid systems from Sylwester
Nawrocki.
- The Freescale SSI driver also got a lot of cleanups from Nicolin
Chen.
- The Blackfin drivers have been removed as part of the removal of the
architecture.
- New drivers for AKM AK4458 and AK5558, several AMD based machines,
several Intel based machines, Maxim MAX9759, Motorola CPCAP,
Socionext Uniphier SoCs, and TI PCM1789 and TDA7419
We recently made "format" a u64 variable so now static checkers complain
that this shift will wrap around if format is more than 31. I don't
think it makes a difference for runtime, but it's simple to silence the
warning.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
