1. 13 1月, 2019 1 次提交
  2. 09 8月, 2018 1 次提交
  3. 16 7月, 2018 5 次提交
  4. 15 6月, 2018 3 次提交
  5. 13 6月, 2018 1 次提交
      treewide: kmalloc() -> kmalloc_array() · 6da2ec56
      Kees Cook 提交于
      The kmalloc() function has a 2-factor argument form, kmalloc_array(). This
      patch replaces cases of:
      
              kmalloc(a * b, gfp)
      
      with:
              kmalloc_array(a, b, gfp)
      
      as well as handling cases of:
      
              kmalloc(a * b * c, gfp)
      
      with:
      
              kmalloc(array3_size(a, b, c), gfp)
      
      as it's slightly less ugly than:
      
              kmalloc_array(array_size(a, b), c, gfp)
      
      This does, however, attempt to ignore constant size factors like:
      
              kmalloc(4 * 1024, gfp)
      
      though any constants defined via macros get caught up in the conversion.
      
      Any factors with a sizeof() of "unsigned char", "char", and "u8" were
      dropped, since they're redundant.
      
      The tools/ directory was manually excluded, since it has its own
      implementation of kmalloc().
      
      The Coccinelle script used for this was:
      
      // Fix redundant parens around sizeof().
      @@
      type TYPE;
      expression THING, E;
      @@
      
      (
        kmalloc(
      -	(sizeof(TYPE)) * E
      +	sizeof(TYPE) * E
        , ...)
      |
        kmalloc(
      -	(sizeof(THING)) * E
      +	sizeof(THING) * E
        , ...)
      )
      
      // Drop single-byte sizes and redundant parens.
      @@
      expression COUNT;
      typedef u8;
      typedef __u8;
      @@
      
      (
        kmalloc(
      -	sizeof(u8) * (COUNT)
      +	COUNT
        , ...)
      |
        kmalloc(
      -	sizeof(__u8) * (COUNT)
      +	COUNT
        , ...)
      |
        kmalloc(
      -	sizeof(char) * (COUNT)
      +	COUNT
        , ...)
      |
        kmalloc(
      -	sizeof(unsigned char) * (COUNT)
      +	COUNT
        , ...)
      |
        kmalloc(
      -	sizeof(u8) * COUNT
      +	COUNT
        , ...)
      |
        kmalloc(
      -	sizeof(__u8) * COUNT
      +	COUNT
        , ...)
      |
        kmalloc(
      -	sizeof(char) * COUNT
      +	COUNT
        , ...)
      |
        kmalloc(
      -	sizeof(unsigned char) * COUNT
      +	COUNT
        , ...)
      )
      
      // 2-factor product with sizeof(type/expression) and identifier or constant.
      @@
      type TYPE;
      expression THING;
      identifier COUNT_ID;
      constant COUNT_CONST;
      @@
      
      (
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(TYPE) * (COUNT_ID)
      +	COUNT_ID, sizeof(TYPE)
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(TYPE) * COUNT_ID
      +	COUNT_ID, sizeof(TYPE)
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(TYPE) * (COUNT_CONST)
      +	COUNT_CONST, sizeof(TYPE)
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(TYPE) * COUNT_CONST
      +	COUNT_CONST, sizeof(TYPE)
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(THING) * (COUNT_ID)
      +	COUNT_ID, sizeof(THING)
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(THING) * COUNT_ID
      +	COUNT_ID, sizeof(THING)
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(THING) * (COUNT_CONST)
      +	COUNT_CONST, sizeof(THING)
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(THING) * COUNT_CONST
      +	COUNT_CONST, sizeof(THING)
        , ...)
      )
      
      // 2-factor product, only identifiers.
      @@
      identifier SIZE, COUNT;
      @@
      
      - kmalloc
      + kmalloc_array
        (
      -	SIZE * COUNT
      +	COUNT, SIZE
        , ...)
      
      // 3-factor product with 1 sizeof(type) or sizeof(expression), with
      // redundant parens removed.
      @@
      expression THING;
      identifier STRIDE, COUNT;
      type TYPE;
      @@
      
      (
        kmalloc(
      -	sizeof(TYPE) * (COUNT) * (STRIDE)
      +	array3_size(COUNT, STRIDE, sizeof(TYPE))
        , ...)
      |
        kmalloc(
      -	sizeof(TYPE) * (COUNT) * STRIDE
      +	array3_size(COUNT, STRIDE, sizeof(TYPE))
        , ...)
      |
        kmalloc(
      -	sizeof(TYPE) * COUNT * (STRIDE)
      +	array3_size(COUNT, STRIDE, sizeof(TYPE))
        , ...)
      |
        kmalloc(
      -	sizeof(TYPE) * COUNT * STRIDE
      +	array3_size(COUNT, STRIDE, sizeof(TYPE))
        , ...)
      |
        kmalloc(
      -	sizeof(THING) * (COUNT) * (STRIDE)
      +	array3_size(COUNT, STRIDE, sizeof(THING))
        , ...)
      |
        kmalloc(
      -	sizeof(THING) * (COUNT) * STRIDE
      +	array3_size(COUNT, STRIDE, sizeof(THING))
        , ...)
      |
        kmalloc(
      -	sizeof(THING) * COUNT * (STRIDE)
      +	array3_size(COUNT, STRIDE, sizeof(THING))
        , ...)
      |
        kmalloc(
      -	sizeof(THING) * COUNT * STRIDE
      +	array3_size(COUNT, STRIDE, sizeof(THING))
        , ...)
      )
      
      // 3-factor product with 2 sizeof(variable), with redundant parens removed.
      @@
      expression THING1, THING2;
      identifier COUNT;
      type TYPE1, TYPE2;
      @@
      
      (
        kmalloc(
      -	sizeof(TYPE1) * sizeof(TYPE2) * COUNT
      +	array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2))
        , ...)
      |
        kmalloc(
      -	sizeof(TYPE1) * sizeof(THING2) * (COUNT)
      +	array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2))
        , ...)
      |
        kmalloc(
      -	sizeof(THING1) * sizeof(THING2) * COUNT
      +	array3_size(COUNT, sizeof(THING1), sizeof(THING2))
        , ...)
      |
        kmalloc(
      -	sizeof(THING1) * sizeof(THING2) * (COUNT)
      +	array3_size(COUNT, sizeof(THING1), sizeof(THING2))
        , ...)
      |
        kmalloc(
      -	sizeof(TYPE1) * sizeof(THING2) * COUNT
      +	array3_size(COUNT, sizeof(TYPE1), sizeof(THING2))
        , ...)
      |
        kmalloc(
      -	sizeof(TYPE1) * sizeof(THING2) * (COUNT)
      +	array3_size(COUNT, sizeof(TYPE1), sizeof(THING2))
        , ...)
      )
      
      // 3-factor product, only identifiers, with redundant parens removed.
      @@
      identifier STRIDE, SIZE, COUNT;
      @@
      
      (
        kmalloc(
      -	(COUNT) * STRIDE * SIZE
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        kmalloc(
      -	COUNT * (STRIDE) * SIZE
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        kmalloc(
      -	COUNT * STRIDE * (SIZE)
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        kmalloc(
      -	(COUNT) * (STRIDE) * SIZE
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        kmalloc(
      -	COUNT * (STRIDE) * (SIZE)
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        kmalloc(
      -	(COUNT) * STRIDE * (SIZE)
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        kmalloc(
      -	(COUNT) * (STRIDE) * (SIZE)
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        kmalloc(
      -	COUNT * STRIDE * SIZE
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      )
      
      // Any remaining multi-factor products, first at least 3-factor products,
      // when they're not all constants...
      @@
      expression E1, E2, E3;
      constant C1, C2, C3;
      @@
      
      (
        kmalloc(C1 * C2 * C3, ...)
      |
        kmalloc(
      -	(E1) * E2 * E3
      +	array3_size(E1, E2, E3)
        , ...)
      |
        kmalloc(
      -	(E1) * (E2) * E3
      +	array3_size(E1, E2, E3)
        , ...)
      |
        kmalloc(
      -	(E1) * (E2) * (E3)
      +	array3_size(E1, E2, E3)
        , ...)
      |
        kmalloc(
      -	E1 * E2 * E3
      +	array3_size(E1, E2, E3)
        , ...)
      )
      
      // And then all remaining 2 factors products when they're not all constants,
      // keeping sizeof() as the second factor argument.
      @@
      expression THING, E1, E2;
      type TYPE;
      constant C1, C2, C3;
      @@
      
      (
        kmalloc(sizeof(THING) * C2, ...)
      |
        kmalloc(sizeof(TYPE) * C2, ...)
      |
        kmalloc(C1 * C2 * C3, ...)
      |
        kmalloc(C1 * C2, ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(TYPE) * (E2)
      +	E2, sizeof(TYPE)
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(TYPE) * E2
      +	E2, sizeof(TYPE)
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(THING) * (E2)
      +	E2, sizeof(THING)
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(THING) * E2
      +	E2, sizeof(THING)
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	(E1) * E2
      +	E1, E2
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	(E1) * (E2)
      +	E1, E2
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	E1 * E2
      +	E1, E2
        , ...)
      )
      Signed-off-by: Kees Cook <keescook@chromium.org>
      6da2ec56
  6. 28 5月, 2018 1 次提交
  7. 15 5月, 2018 3 次提交
  8. 14 5月, 2018 1 次提交
  9. 13 5月, 2018 1 次提交
      ALSA: usb: add UAC3 BADD profiles support · 17156f23
      Ruslan Bilovol 提交于
      Recently released USB Audio Class 3.0 specification
      contains BADD (Basic Audio Device Definition) document
      which describes pre-defined UAC3 configurations.
      
      BADD support is mandatory for UAC3 devices, it should be
      implemented as a separate USB device configuration.
      As per BADD document, class-specific descriptors
      shall not be included in the Device’s Configuration
      descriptor ("inferred"), but host can guess them
      from BADD profile number, number of endpoints and
      their max packet sizes.
      
      This patch adds support of all BADD profiles from the spec
      Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
      Tested-by: Jorge Sanjuan <jorge.sanjuan@codethink.co.uk>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      17156f23
  10. 04 5月, 2018 1 次提交
  11. 03 5月, 2018 1 次提交
  12. 02 5月, 2018 2 次提交
      ALSA: usb-audio: Add "Keep Interface" control · 4120fbed
      Takashi Iwai 提交于
      This patch adds "Keep Interface" control for each USB-audio device.
      The control element is with SND_CTL_IFACE_CARD, so that it won't
      appear on any sane mixer applications.  For a device that is confirmed
      to work well with "keep-interface" mode, user can flip the control via
      amixer, e.g.
        % amixer -c1 cset iface=CARD,name='Keep Interface' on
      
      and save/restore the state via alsactl.
      
      The reason to provide this via control API is that the behavior must
      be pretty depending on the device (and the firmware in it), so it's
      not ideal to apply via module option.
      
      For a device that certainly works, we may set it statically via a
      quirk table entry.  But a device like Dell WD15 dock behaves so
      differently depending on the firmware, and we can't set it
      statically.  So leave this as a dynamic switch each user can adjust
      freely.
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      4120fbed
      ALSA: usb-audio: Initialize Dell Dock playback volumes · 964af639
      Takashi Iwai 提交于
      In the early commit adcdd0d5 ("ALSA: usb-audio: Skip volume
      controls triggers hangup on Dell USB Dock"), we add the mixer quirks
      for Dell dock to skip two mixer FU's for playback.  This supposed that
      the device has always the proper initial volume, but it doesn't seem
      always correct.
      
      This patch adds the explicit initialization of the volumes to the
      fixed 0dB at the device probe time.  Also, such a fixup is needed
      after the resume, so a new function is hooked to the resume callback
      as well.
      
      Bugzilla: http://bugzilla.suse.com/show_bug.cgi?id=1089467
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      964af639
  13. 24 4月, 2018 1 次提交
  14. 23 4月, 2018 1 次提交
  15. 27 3月, 2018 1 次提交
  16. 24 3月, 2018 2 次提交
      ALSA: usb-audio: update clock valid control · 568fa7e0
      Andrew Chant 提交于
      Make the "clock valid" control a global control instead of a mixer
      so that it doesn't appear in mixer applications.
      
      Additionally, remove the check for writeability prohibited by spec, and
      Use common code to read the control value.
      
      Tested with a UAC2 Audio device that presents a clock validity
      control.  The control still shows up in /proc usbmixer but not
      in alsamixer.
      Signed-off-by: Andrew Chant <achant@google.com>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      568fa7e0
      ALSA: usb-audio: UAC2 jack detection · 5a222e84
      Andrew Chant 提交于
      This implements UAC2 jack detection support, presenting
      jack status as a boolean read-only mono mixer.
      
      The presence of any channel in the UAC2_TE_CONNECTOR
      control for a terminal will result in the mixer saying
      the jack is connected.
      
      Mixer naming follows the convention in sound/core/ctljack.c,
      terminating the mixer with " Jack".
      For additional clues as to which jack is being presented,
      the name is prefixed with " - Input Jack" or " - Output Jack"
      depending on if it's an input or output terminal.
      
      This is required because terminal names are ambiguous
      between inputs and outputs and often duplicated -
      Bidirectional terminal types (0x400 -> 0x4FF)
      "... may be used separately for input only or output only.
      These types require two Terminal descriptors. Both have the same type."
      (quote from "USB Device Class Definition for Terminal Types")
      
      Since bidirectional terminal types are common for headphone adapters,
      this distinguishes between two otherwise identically-named
      jack controls.
      
      Tested with a UAC2 audio device with connector control capability.
      Signed-off-by: Andrew Chant <achant@google.com>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      5a222e84
  17. 23 3月, 2018 1 次提交
      ALSA: usb-audio: fix uac control query argument · 21e9b3e9
      Andrew Chant 提交于
      This patch fixes code readability and should have no functional change.
      
      Correct uac control query functions to account for the 1-based indexing
      of USB Audio Class control identifiers.
      
      The function parameter, u8 control, should be the
      constant defined in audio-v2.h to identify the control to be checked for
      readability or writeability.
      
      This patch fixes all callers that had adjusted, and makes explicit
      the mapping between audio_feature_info[] array index and the associated
      control identifier.
      Signed-off-by: Andrew Chant <achant@google.com>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      21e9b3e9
  18. 21 3月, 2018 1 次提交
      ALSA: usb: initial USB Audio Device Class 3.0 support · 9a2fe9b8
      Ruslan Bilovol 提交于
      Recently released USB Audio Class 3.0 specification
      introduces many significant changes comparing to
      previous versions, like
       - new Power Domains, support for LPM/L1
       - new Cluster descriptor
       - changed layout of all class-specific descriptors
       - new High Capability descriptors
       - New class-specific String descriptors
       - new and removed units
       - additional sources for interrupts
       - removed Type II Audio Data Formats
       - ... and many other things (check spec)
      
      It also provides backward compatibility through
      multiple configurations, as well as requires
      mandatory support for BADD (Basic Audio Device
      Definition) on each ADC3.0 compliant device
      
      This patch adds initial support of UAC3 specification
      that is enough for Generic I/O Profile (BAOF, BAIF)
      device support from BADD document.
      Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
      Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      9a2fe9b8
  19. 12 2月, 2018 1 次提交
      ALSA: usb-audio: Fix UAC2 get_ctl request with a RANGE attribute · 447cae58
      Kirill Marinushkin 提交于
      The layout of the UAC2 Control request and response varies depending on
      the request type. With the current implementation, only the Layout 2
      Parameter Block (with the 2-byte sized RANGE attribute) is handled
      properly. For the Control requests with the 1-byte sized RANGE attribute
      (Bass Control, Mid Control, Treble Control), the response is parsed
      incorrectly.
      
      This commit:
      * fixes the wLength field value in the request
      * fixes parsing the range values from the response
      
      Fixes: 23caaf19 ("ALSA: usb-mixer: Add support for Audio Class v2.0")
      Signed-off-by: Kirill Marinushkin <k.marinushkin@gmail.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      447cae58
  20. 19 12月, 2017 2 次提交
      ALSA: usb-audio: Proper fallback at get_term_name() · 56a23ee5
      Takashi Iwai 提交于
      get_term_name() calls snd_usb_copy_string_desc() for retrieving the
      name when a specific ID (name field) is given.  When this returns an
      error (zero), however, it simply returns as is.  This will end up in a
      fixed name string in the caller side, which often is meaningless.
      
      For giving a bit more useful name string depending on the terminal
      type, change the get_term_name() function to go through the fallback
      mode.
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      56a23ee5
      ALSA: usb-audio: Fix the missing ctl name suffix at parsing SU · 5a15f289
      Takashi Iwai 提交于
      The commit 89b89d12 ("ALSA: usb-audio: Add check return value for
      usb_string()") added the check of the return value from
      snd_usb_copy_string_desc(), which is correct per se, but it introduced
      a regression.  In the original code, either the "Clock Source",
      "Playback Source" or "Capture Source" suffix is added after the
      terminal string, while the commit changed it to add the suffix only
      when get_term_name() is failing.  It ended up with an incorrect ctl
      name like "PCM" instead of "PCM Capture Source".
      
      Also, even the original code has a similar bug: when the ctl name is
      generated from snd_usb_copy_string_desc() for the given iSelector, it
      also doesn't put the suffix.
      
      This patch addresses these issues: the suffix is added always when no
      static mapping is found.  Also the patch tries to put more comments
      and cleans up the if/else block for better readability in order to
      avoid the same pitfall again.
      
      Fixes: 89b89d12 ("ALSA: usb-audio: Add check return value for usb_string()")
      Reported-and-tested-by: Mauro Santos <registo.mailling@gmail.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      5a15f289
  21. 04 12月, 2017 2 次提交
      ALSA: usb-audio: Add check return value for usb_string() · 89b89d12
      Jaejoong Kim 提交于
      snd_usb_copy_string_desc() returns zero if usb_string() fails.
      In case of failure, we need to check the snd_usb_copy_string_desc()'s
      return value and add an exception case
      Signed-off-by: Jaejoong Kim <climbbb.kim@gmail.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      89b89d12
      ALSA: usb-audio: Fix out-of-bound error · 251552a2
      Jaejoong Kim 提交于
      The snd_usb_copy_string_desc() retrieves the usb string corresponding to
      the index number through the usb_string(). The problem is that the
      usb_string() returns the length of the string (>= 0) when successful, but
      it can also return a negative value about the error case or status of
      usb_control_msg().
      
      If iClockSource is '0' as shown below, usb_string() will return -EINVAL.
      This will result in '0' being inserted into buf[-22], and the following
      KASAN out-of-bound error message will be output.
      
      AudioControl Interface Descriptor:
        bLength                 8
        bDescriptorType        36
        bDescriptorSubtype     10 (CLOCK_SOURCE)
        bClockID                1
        bmAttributes         0x07 Internal programmable Clock (synced to SOF)
        bmControls           0x07
        Clock Frequency Control (read/write)
        Clock Validity Control (read-only)
        bAssocTerminal          0
        iClockSource            0
      
      To fix it, check usb_string()'return value and bail out.
      
      ==================================================================
      BUG: KASAN: stack-out-of-bounds in parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
      Write of size 1 at addr ffff88007e66735a by task systemd-udevd/18376
      
      CPU: 0 PID: 18376 Comm: systemd-udevd Not tainted 4.13.0+ #3
      Hardware name: LG Electronics                   15N540-RFLGL/White Tip Mountain, BIOS 15N5
      Call Trace:
      dump_stack+0x63/0x8d
      print_address_description+0x70/0x290
      ? parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
      kasan_report+0x265/0x350
      __asan_store1+0x4a/0x50
      parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
      ? save_stack+0xb5/0xd0
      ? save_stack_trace+0x1b/0x20
      ? save_stack+0x46/0xd0
      ? kasan_kmalloc+0xad/0xe0
      ? kmem_cache_alloc_trace+0xff/0x230
      ? snd_usb_create_mixer+0xb0/0x4b0 [snd_usb_audio]
      ? usb_audio_probe+0x4de/0xf40 [snd_usb_audio]
      ? usb_probe_interface+0x1f5/0x440
      ? driver_probe_device+0x3ed/0x660
      ? build_feature_ctl+0xb10/0xb10 [snd_usb_audio]
      ? save_stack_trace+0x1b/0x20
      ? init_object+0x69/0xa0
      ? snd_usb_find_csint_desc+0xa8/0xf0 [snd_usb_audio]
      snd_usb_mixer_controls+0x1dc/0x370 [snd_usb_audio]
      ? build_audio_procunit+0x890/0x890 [snd_usb_audio]
      ? snd_usb_create_mixer+0xb0/0x4b0 [snd_usb_audio]
      ? kmem_cache_alloc_trace+0xff/0x230
      ? usb_ifnum_to_if+0xbd/0xf0
      snd_usb_create_mixer+0x25b/0x4b0 [snd_usb_audio]
      ? snd_usb_create_stream+0x255/0x2c0 [snd_usb_audio]
      usb_audio_probe+0x4de/0xf40 [snd_usb_audio]
      ? snd_usb_autosuspend.part.7+0x30/0x30 [snd_usb_audio]
      ? __pm_runtime_idle+0x90/0x90
      ? kernfs_activate+0xa6/0xc0
      ? usb_match_one_id_intf+0xdc/0x130
      ? __pm_runtime_set_status+0x2d4/0x450
      usb_probe_interface+0x1f5/0x440
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Jaejoong Kim <climbbb.kim@gmail.com>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      251552a2
  22. 29 11月, 2017 1 次提交
  23. 22 11月, 2017 3 次提交
  24. 17 11月, 2017 1 次提交
  25. 10 10月, 2017 1 次提交
      ALSA: usb-audio: Kill stray URB at exiting · 124751d5
      Takashi Iwai 提交于
      USB-audio driver may leave a stray URB for the mixer interrupt when it
      exits by some error during probe.  This leads to a use-after-free
      error as spotted by syzkaller like:
        ==================================================================
        BUG: KASAN: use-after-free in snd_usb_mixer_interrupt+0x604/0x6f0
        Call Trace:
         <IRQ>
         __dump_stack lib/dump_stack.c:16
         dump_stack+0x292/0x395 lib/dump_stack.c:52
         print_address_description+0x78/0x280 mm/kasan/report.c:252
         kasan_report_error mm/kasan/report.c:351
         kasan_report+0x23d/0x350 mm/kasan/report.c:409
         __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
         snd_usb_mixer_interrupt+0x604/0x6f0 sound/usb/mixer.c:2490
         __usb_hcd_giveback_urb+0x2e0/0x650 drivers/usb/core/hcd.c:1779
         ....
      
        Allocated by task 1484:
         save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
         save_stack+0x43/0xd0 mm/kasan/kasan.c:447
         set_track mm/kasan/kasan.c:459
         kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
         kmem_cache_alloc_trace+0x11e/0x2d0 mm/slub.c:2772
         kmalloc ./include/linux/slab.h:493
         kzalloc ./include/linux/slab.h:666
         snd_usb_create_mixer+0x145/0x1010 sound/usb/mixer.c:2540
         create_standard_mixer_quirk+0x58/0x80 sound/usb/quirks.c:516
         snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560
         create_composite_quirk+0x1c4/0x3e0 sound/usb/quirks.c:59
         snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560
         usb_audio_probe+0x1040/0x2c10 sound/usb/card.c:618
         ....
      
        Freed by task 1484:
         save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
         save_stack+0x43/0xd0 mm/kasan/kasan.c:447
         set_track mm/kasan/kasan.c:459
         kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524
         slab_free_hook mm/slub.c:1390
         slab_free_freelist_hook mm/slub.c:1412
         slab_free mm/slub.c:2988
         kfree+0xf6/0x2f0 mm/slub.c:3919
         snd_usb_mixer_free+0x11a/0x160 sound/usb/mixer.c:2244
         snd_usb_mixer_dev_free+0x36/0x50 sound/usb/mixer.c:2250
         __snd_device_free+0x1ff/0x380 sound/core/device.c:91
         snd_device_free_all+0x8f/0xe0 sound/core/device.c:244
         snd_card_do_free sound/core/init.c:461
         release_card_device+0x47/0x170 sound/core/init.c:181
         device_release+0x13f/0x210 drivers/base/core.c:814
         ....
      
      Actually such a URB is killed properly at disconnection when the
      device gets probed successfully, and what we need is to apply it for
      the error-path, too.
      
      In this patch, we apply snd_usb_mixer_disconnect() at releasing.
      Also introduce a new flag, disconnected, to struct usb_mixer_interface
      for not performing the disconnection procedure twice.
      Reported-by: Andrey Konovalov <andreyknvl@google.com>
      Tested-by: Andrey Konovalov <andreyknvl@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      124751d5
  26. 18 8月, 2017 1 次提交
      ALSA: usb-audio: don't retry snd_usb_ctl_msg after timeout · 5a9a8eca
      Stephen Barber 提交于
      A few calls to snd_usb_ctl_msg wrap the function in a retry loop. In
      the worst case, the timeout for snd_usb_ctl_msg is 5 seconds, which when
      retried 10 times (for example, if a device is removed) could cause a
      probe to hang for ~50 seconds.
      
      Example stack trace from 3.14 which triggered a hung task timeout:
      Call Trace:
       [<ffffffffa2c1f720>] ? inet6_set_link_af.part.35+0x12/0x12
       [<ffffffffa2c20309>] schedule+0x6e/0x70
       [<ffffffffa2c1f81c>] schedule_timeout+0xfc/0x13c
       [<ffffffffa2667bbc>] ? rcu_read_unlock_sched_notrace+0x17/0x17
       [<ffffffffa2c20d68>] __wait_for_common+0x153/0x190
       [<ffffffffa2c20d68>] ? __wait_for_common+0x153/0x190
       [<ffffffffa26890e5>] ? wake_up_state+0x12/0x12
       [<ffffffffa2c20e0e>] wait_for_completion_timeout+0x1d/0x1f
       [<ffffffffa2a07c70>] usb_start_wait_urb+0x93/0xf1
       [<ffffffffa2a07daf>] usb_control_msg+0xe1/0x11d
       [<ffffffffc02cd254>] snd_usb_ctl_msg+0x9c/0xf1 [snd_usb_audio]
       [<ffffffffc02ce191>] snd_usb_mixer_set_ctl_value+0x124/0xab1 [snd_usb_audio]
       [<ffffffffc02ce230>] snd_usb_mixer_set_ctl_value+0x1c3/0xab1 [snd_usb_audio]
       [<ffffffffc02ce58e>] snd_usb_mixer_set_ctl_value+0x521/0xab1 [snd_usb_audio]
       [<ffffffffc02cee88>] snd_usb_mixer_add_control+0x36a/0x1264 [snd_usb_audio]
       [<ffffffffc02cf323>] snd_usb_mixer_add_control+0x805/0x1264 [snd_usb_audio]
       [<ffffffffa2a06e11>] ? usb_free_urb+0x1a/0x1c
       [<ffffffffc02cfcf7>] snd_usb_mixer_add_control+0x11d9/0x1264 [snd_usb_audio]
       [<ffffffffc02d000f>] snd_usb_create_mixer+0xbc/0x286 [snd_usb_audio]
       [<ffffffffc02cac18>] 0xffffffffc02cac17
       [<ffffffffa2a0aaf1>] usb_probe_interface+0x17c/0x21c
       [<ffffffffa29a65bc>] driver_probe_device+0xae/0x1fa
       [<ffffffffa29a6767>] __device_attach_driver+0x5f/0x66
       [<ffffffffa29a6708>] ? driver_probe_device+0x1fa/0x1fa
       [<ffffffffa29a4a60>] bus_for_each_drv+0x87/0xaa
       [<ffffffffa29a688a>] __device_attach+0x9d/0x101
       [<ffffffffa29a6913>] device_initial_probe+0x13/0x15
       [<ffffffffa29a5ae6>] bus_probe_device+0x33/0x96
       [<ffffffffa29a3d19>] device_add+0x328/0x547
       [<ffffffffa2a09355>] usb_set_configuration+0x624/0x674
       [<ffffffffa2a11949>] generic_probe+0x45/0x77
       [<ffffffffa2a0a962>] usb_probe_device+0x2d/0x40
       [<ffffffffa29a65bc>] driver_probe_device+0xae/0x1fa
       [<ffffffffa29a6767>] __device_attach_driver+0x5f/0x66
       [<ffffffffa29a6708>] ? driver_probe_device+0x1fa/0x1fa
       [<ffffffffa29a4a60>] bus_for_each_drv+0x87/0xaa
       [<ffffffffa29a688a>] __device_attach+0x9d/0x101
       [<ffffffffa29a6913>] device_initial_probe+0x13/0x15
       [<ffffffffa29a5ae6>] bus_probe_device+0x33/0x96
       [<ffffffffa29a3d19>] device_add+0x328/0x547
       [<ffffffffa29030bc>] ? add_device_randomness+0x111/0x130
       [<ffffffffa2a00967>] usb_new_device+0x2a2/0x3c0
       [<ffffffffa2a02ddc>] hub_thread+0xa3d/0xeed
       [<ffffffffa2c2010d>] ? __schedule+0x41e/0x5ac
       [<ffffffffa26957ce>] ? finish_wait+0x62/0x62
       [<ffffffffa2a0239f>] ? usb_reset_device+0x16a/0x16a
       [<ffffffffa267b255>] kthread+0x108/0x110
       [<ffffffffa267b14d>] ? __kthread_parkme+0x67/0x67
       [<ffffffffa2c23b2c>] ret_from_fork+0x7c/0xb0
       [<ffffffffa267b14d>] ? __kthread_parkme+0x67/0x67
      Signed-off-by: Stephen Barber <smbarber@chromium.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      5a9a8eca