- 15 7月, 2014 1 次提交
-
-
由 Takashi Iwai 提交于
Instead of hard-coded magic numbers, define constants for op_flag to tlv callbacks. Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 18 6月, 2014 5 次提交
-
-
由 Lars-Peter Clausen 提交于
The ALSA control code expects that the range of assigned indices to a control is continuous and does not overflow. Currently there are no checks to enforce this. If a control with a overflowing index range is created that control becomes effectively inaccessible and unremovable since snd_ctl_find_id() will not be able to find it. This patch adds a check that makes sure that controls with a overflowing index range can not be created. Signed-off-by: NLars-Peter Clausen <lars@metafoo.de> Acked-by: NJaroslav Kysela <perex@perex.cz> Cc: <stable@vger.kernel.org> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
由 Lars-Peter Clausen 提交于
Each control gets automatically assigned its numids when the control is created. The allocation is done by incrementing the numid by the amount of allocated numids per allocation. This means that excessive creation and destruction of controls (e.g. via SNDRV_CTL_IOCTL_ELEM_ADD/REMOVE) can cause the id to eventually overflow. Currently when this happens for the control that caused the overflow kctl->id.numid + kctl->count will also over flow causing it to be smaller than kctl->id.numid. Most of the code assumes that this is something that can not happen, so we need to make sure that it won't happen Signed-off-by: NLars-Peter Clausen <lars@metafoo.de> Acked-by: NJaroslav Kysela <perex@perex.cz> Cc: <stable@vger.kernel.org> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
由 Lars-Peter Clausen 提交于
A control that is visible on the card->controls list can be freed at any time. This means we must not access any of its memory while not holding the controls_rw_lock. Otherwise we risk a use after free access. Signed-off-by: NLars-Peter Clausen <lars@metafoo.de> Acked-by: NJaroslav Kysela <perex@perex.cz> Cc: <stable@vger.kernel.org> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
由 Lars-Peter Clausen 提交于
There are two issues with the current implementation for replacing user controls. The first is that the code does not check if the control is actually a user control and neither does it check if the control is owned by the process that tries to remove it. That allows userspace applications to remove arbitrary controls, which can cause a user after free if a for example a driver does not expect a control to be removed from under its feed. The second issue is that on one hand when a control is replaced the user_ctl_count limit is not checked and on the other hand the user_ctl_count is increased (even though the number of user controls does not change). This allows userspace, once the user_ctl_count limit as been reached, to repeatedly replace a control until user_ctl_count overflows. Once that happens new controls can be added effectively bypassing the user_ctl_count limit. Both issues can be fixed by instead of open-coding the removal of the control that is to be replaced to use snd_ctl_remove_user_ctl(). This function does proper permission checks as well as decrements user_ctl_count after the control has been removed. Note that by using snd_ctl_remove_user_ctl() the check which returns -EBUSY at beginning of the function if the control already exists is removed. This is not a problem though since the check is quite useless, because the lock that is protecting the control list is released between the check and before adding the new control to the list, which means that it is possible that a different control with the same settings is added to the list after the check. Luckily there is another check that is done while holding the lock in snd_ctl_add(), so we'll rely on that to make sure that the same control is not added twice. Signed-off-by: NLars-Peter Clausen <lars@metafoo.de> Acked-by: NJaroslav Kysela <perex@perex.cz> Cc: <stable@vger.kernel.org> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
由 Lars-Peter Clausen 提交于
The user-control put and get handlers as well as the tlv do not protect against concurrent access from multiple threads. Since the state of the control is not updated atomically it is possible that either two write operations or a write and a read operation race against each other. Both can lead to arbitrary memory disclosure. This patch introduces a new lock that protects user-controls from concurrent access. Since applications typically access controls sequentially than in parallel a single lock per card should be fine. Signed-off-by: NLars-Peter Clausen <lars@metafoo.de> Acked-by: NJaroslav Kysela <perex@perex.cz> Cc: <stable@vger.kernel.org> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 14 2月, 2014 1 次提交
-
-
由 Takashi Iwai 提交于
Use dev_err() & co as much as possible. If not available (no device assigned at the calling point), use pr_xxx() helpers instead. Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 10 2月, 2014 1 次提交
-
-
由 Takashi Iwai 提交于
Replace the lengthy #if defined(XXX) || defined(XXX_MODULE) with the new IS_ENABLED() macro. The patch still doesn't cover all ifdefs. For example, the dependency on CONFIG_GAMEPORT is still open-coded because this also has an extra dependency on MODULE. Similarly, an open-coded ifdef in pcm_oss.c and some sequencer-related stuff are left untouched. Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 12 3月, 2013 1 次提交
-
-
由 Yacine Belkadi 提交于
script/kernel-doc reports the following type of warnings (when run in verbose mode): Warning(sound/core/init.c:152): No description found for return value of 'snd_card_create' To fix that: - add missing descriptions of function return values - use "Return:" sections to describe those return values Along the way: - complete some descriptions - fix some typos Signed-off-by: NYacine Belkadi <yacine.belkadi.1@gmail.com> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 30 10月, 2012 2 次提交
-
-
由 Takashi Iwai 提交于
When disconnect callback is called, each component should wake up sleepers and check card->shutdown flag for avoiding the endless sleep blocking the proper resource release. Cc: <stable@vger.kernel.org> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
由 Takashi Iwai 提交于
For more strict protection for wild disconnections, a refcount is introduced to the card instance, and let it up/down when an object is referred via snd_lookup_*() in the open ops. The free-after-last-close check is also changed to check this refcount instead of the empty list, too. Reported-by: NMatthieu CASTET <matthieu.castet@parrot.com> Cc: <stable@vger.kernel.org> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 07 9月, 2012 1 次提交
-
-
由 Takashi Iwai 提交于
The SNDRV_CTL_ELEM_ACCESS_VOLATILE bit flag wasn't properly inherited at creating control elements via snd_ctl_new1(). Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 13 3月, 2012 1 次提交
-
-
由 Jeffrin Jose 提交于
Fixed a trailing white space error detected in sound/core/control.c by checkpatch.pl script. Signed-off-by: NJeffrin Jose <ahiliation@yahoo.co.in> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 06 11月, 2011 1 次提交
-
-
由 Olof Johansson 提交于
This was introduced by 'ALSA: control: add support for ENUMERATED user space controls' which adds a u64 variable that gets cast to a pointer: sound/core/control.c: In function 'snd_ctl_elem_init_enum_names': sound/core/control.c:1089: warning: cast to pointer from integer of different size Cast to uintptr_t before casting to pointer to avoid the warning. Signed-off-by: NOlof Johansson <olof@lixom.net> [cl: replace long with uintptr_t] Signed-off-by: NClemens Ladisch <clemens@ladisch.de> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 01 11月, 2011 1 次提交
-
-
由 Paul Gortmaker 提交于
Lots of sound drivers were getting module.h via the implicit presence of it in <linux/device.h> but we are going to clean that up. So fix up those users now. Signed-off-by: NPaul Gortmaker <paul.gortmaker@windriver.com>
-
- 09 10月, 2011 1 次提交
-
-
由 Clemens Ladisch 提交于
Handling of user control elements was implemented for all types except ENUMERATED. This type will be needed for the device-specific mixers of upcoming FireWire drivers. Signed-off-by: NClemens Ladisch <clemens@ladisch.de> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 24 8月, 2011 2 次提交
-
-
由 Lu Guanqun 提交于
Suppose the ALSA card already has a number of MAX_USER_CONTROLS controls, and the user wants to replace one, it should not fail at this condition check. Signed-off-by: NLu Guanqun <guanqun.lu@intel.com> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
由 Lu Guanqun 提交于
remove trailing tab on the line. Signed-off-by: NLu Guanqun <guanqun.lu@intel.com> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 26 5月, 2011 1 次提交
-
-
由 Luca Tettamanti 提交于
Drop a few variables that are never read. Signed-off-by: NLuca Tettamanti <kronos.it@gmail.com> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 22 3月, 2011 1 次提交
-
-
由 Dimitris Papastamos 提交于
Add a function to dynamically replace a given control. If the control does not already exist, a third parameter is used to determine whether to actually add that control. This is useful in cases where downloadable firmware at runtime can add or replace existing controls. A separate patch needs to be made to allow ALSA Mixer to render the replaced controls on the fly. Signed-off-by: NDimitris Papastamos <dp@opensource.wolfsonmicro.com> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 11 3月, 2011 1 次提交
-
-
由 Takashi Iwai 提交于
Added a new API function snd_ctl_activate_id() for activate / inactivate the control element dynamically. Signed-off-by: NTakashi Iwai <tiwai@suse.de> Signed-off-by: NMark Brown <broonie@opensource.wolfsonmicro.com>
-
- 08 3月, 2011 2 次提交
-
-
由 Clemens Ladisch 提交于
The return value of snd_ctl_hole_check() is used only to detect whether to continue the loop in snd_ctl_find_hole() or not, so we can simplify the code by changing this return type to a boolean. Also rename this function to better show what it actually does. Signed-off-by: NClemens Ladisch <clemens@ladisch.de> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
由 Clemens Ladisch 提交于
The purpose of the snd_ctl_hole_check() function is to find conflicts between the numerical IDs of the new control and those of any existing controls. However, it would fail to detect an existing control whose count is smaller than the new control's count and whose interval of IDs is entirely contained in the interval of the new control's IDs. To fix this, use the correct formula to detect overlapping intervals, which happens to simplify the condition. This problem was not encountered so far because ALSA does not yet allow drivers to allocate specific control IDs. Signed-off-by: NClemens Ladisch <clemens@ladisch.de> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 10 1月, 2011 1 次提交
-
-
由 Clemens Ladisch 提交于
Introduce the helper function snd_ctl_enum_info() to fill out the elem_info fields for an enumerated control. Signed-off-by: NClemens Ladisch <clemens@ladisch.de> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 29 9月, 2010 1 次提交
-
-
由 Dan Rosenberg 提交于
The snd_ctl_new() function in sound/core/control.c allocates space for a snd_kcontrol struct by performing arithmetic operations on a user-provided size without checking for integer overflow. If a user provides a large enough size, an overflow will occur, the allocated chunk will be too small, and a second user-influenced value will be written repeatedly past the bounds of this chunk. This code is reachable by unprivileged users who have permission to open a /dev/snd/controlC* device (on many distros, this is group "audio") via the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls. Signed-off-by: NDan Rosenberg <drosenberg@vsecurity.com> Cc: <stable@kernel.org> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 13 4月, 2010 1 次提交
-
-
由 Takashi Iwai 提交于
Set no_llseek to llseek file ops of each sound component (but for hwdep). This avoids the implicit BKL invocation via generic_file_llseek() used as default when fops.llseek is NULL. Also call nonseekable_open() at each open ops to ensure the file flags have no seek bit. Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 01 2月, 2010 2 次提交
-
-
由 Clemens Ladisch 提交于
Allow TLV blocks that do not have any values; the smallest possible TLV is an empty container or one where the information is only in the tag. Signed-off-by: NClemens Ladisch <clemens@ladisch.de> Signed-off-by: NJaroslav Kysela <perex@perex.cz>
-
由 Clemens Ladisch 提交于
Creating a control with TLV_COMMAND access was not possible because snd_ctl_new1() forgot to include it in the mask of allowable access bits. Signed-off-by: NClemens Ladisch <clemens@ladisch.de> Signed-off-by: NJaroslav Kysela <perex@perex.cz>
-
- 18 11月, 2009 1 次提交
-
-
由 Dan Carpenter 提交于
This function is only called from snd_ctl_ioctl() and the file parameter can never be null so there is no need to check it here. We dereference file at the start of the function: struct snd_card *card = file->card; and it confuses static checkers to dereference a pointer before checking it. Signed-off-by: NDan Carpenter <error27@gmail.com> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 06 11月, 2009 2 次提交
-
-
由 Clemens Ladisch 提交于
Instead of storing the PID number, take a reference to the task's pid structure. This protects against duplicates due to PID overflows, and using pid_vnr() ensures that the PID returned by snd_ctl_elem_info() is correct as seen from the current namespace. Signed-off-by: NClemens Ladisch <clemens@ladisch.de> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
由 Clemens Ladisch 提交于
We do not need to save the ID of the process that locked a control because that information is already available in the owner's file data. Signed-off-by: NClemens Ladisch <clemens@ladisch.de> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 17 8月, 2009 4 次提交
-
-
由 Clemens Ladisch 提交于
Ensure that userspace can remove only user controls. Controls created by kernel drivers must not be removed because they might be referenced in calls to snd_ctl_notify(). Signed-off-by: NClemens Ladisch <clemens@ladisch.de> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
由 Clemens Ladisch 提交于
Move the decrementing of the user controls counter from snd_ctl_elem_remove to snd_ctl_remove_unlocked_id; this saves the separate locking of the controls semaphore, and therefore removes a harmless race. Since the purpose of the function is to operate on user controls (the control being unlocked is just a prerequisite), rename it to snd_ctl_remove_user_ctl. Signed-off-by: NClemens Ladisch <clemens@ladisch.de> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
由 Clemens Ladisch 提交于
Use a common exit path to release the mutex and to return a possible error. Signed-off-by: NClemens Ladisch <clemens@ladisch.de> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
由 Clemens Ladisch 提交于
Make sure that no user element that has no values can be added. The check for count>1024 is not needed because the count is checked later for the individual control types. Signed-off-by: NClemens Ladisch <clemens@ladisch.de> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 14 4月, 2009 1 次提交
-
-
由 Li Zefan 提交于
Remove open-coded memdup_user(). Signed-off-by: NLi Zefan <lizf@cn.fujitsu.com> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 16 3月, 2009 1 次提交
-
-
由 Jonathan Corbet 提交于
Most fasync implementations do something like: return fasync_helper(...); But fasync_helper() will return a positive value at times - a feature used in at least one place. Thus, a number of other drivers do: err = fasync_helper(...); if (err < 0) return err; return 0; In the interests of consistency and more concise code, it makes sense to map positive return values onto zero where ->fasync() is called. Cc: Al Viro <viro@ZenIV.linux.org.uk> Signed-off-by: NJonathan Corbet <corbet@lwn.net>
-
- 02 11月, 2008 1 次提交
-
-
由 Al Viro 提交于
As it is, all instances of ->release() for files that have ->fasync() need to remember to evict file from fasync lists; forgetting that creates a hole and we actually have a bunch that *does* forget. So let's keep our lives simple - let __fput() check FASYNC in file->f_flags and call ->fasync() there if it's been set. And lose that crap in ->release() instances - leaving it there is still valid, but we don't have to bother anymore. Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
- 29 10月, 2008 1 次提交
-
-
由 Mark Brown 提交于
This is likely to confuse user interfaces since the end of the control name is interpreted (eg, "Volume", "Switch"). Signed-off-by: NMark Brown <broonie@opensource.wolfsonmicro.com> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 09 9月, 2008 1 次提交
-
-
由 Takashi Iwai 提交于
The lock used in snd_ctl_dev_disconnect() should be card->ctl_files_rwlock for protection of card->ctl_files entries, instead of card->controls_rwsem. Reported-by: NVegard Nossum <vegard.nossum@gmail.com> Signed-off-by: NTakashi Iwai <tiwai@suse.de> Signed-off-by: NJaroslav Kysela <perex@perex.cz>
-