1. 30 10月, 2017 1 次提交
  2. 26 10月, 2017 2 次提交
  3. 25 10月, 2017 5 次提交
  4. 24 10月, 2017 2 次提交
  5. 19 10月, 2017 1 次提交
    • T
      ALSA: hda: Avoid racy recreation of widget kobjects · 9780ded3
      Takashi Iwai 提交于
      The refresh of HD-audio widget sysfs kobjects via
      snd_hdac_refresh_widget_sysfs() is slightly racy.
      The driver recreates the whole tree from scratch after deleting the
      whole.  When CONFIG_DEBUG_KOBJECT_RELEASE option is used, kobject
      release doesn't happen immediately but delayed, while the re-creation
      of the same named kobject happens soon after invoking kobject_put().
      This may end up with the conflicts of duplicated kobjects, as found in
      the bug report below.
      
      In this patch, we take another approach to refresh the tree: instead
      of recreating the whole tree, just add the new nodes and delete the
      non-existing nodes.  Since the refresh happens only once at
      initialization, no longer race would happen.
      
      Along with the code change, merge snd_hdac_refresh_widget_sysfs() with
      the existing snd_hdac_refresh_widgets() with an additional bool flag
      for simplifying the code.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=197307Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      9780ded3
  6. 18 10月, 2017 4 次提交
  7. 17 10月, 2017 3 次提交
  8. 16 10月, 2017 5 次提交
  9. 13 10月, 2017 2 次提交
  10. 11 10月, 2017 13 次提交
    • T
      ALSA: caiaq: Fix stray URB at probe error path · 99fee508
      Takashi Iwai 提交于
      caiaq driver doesn't kill the URB properly at its error path during
      the probe, which may lead to a use-after-free error later.  This patch
      addresses it.
      Reported-by: NJohan Hovold <johan@kernel.org>
      Reviewed-by: NJohan Hovold <johan@kernel.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      99fee508
    • T
      Merge branch 'topic/usb-ep-check-v2' into for-next · 8ed5d192
      Takashi Iwai 提交于
      Pulling the EP validity checks in USB audio drivers.
      It also adds a new helper in USB core, which was acked by Greg.
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      8ed5d192
    • T
      ALSA: line6: Add yet more sanity checks for invalid EPs · 4f95646c
      Takashi Iwai 提交于
      There are a few other places calling usb_submit_urb() with the URB
      composed from the fixed endpoint without validation.  For avoiding the
      spurious kernel warnings, add the sanity checks to appropriate
      places.
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      4f95646c
    • T
      ALSA: caiaq: Add yet more sanity checks for invalid EPs · 96cd7962
      Takashi Iwai 提交于
      A few other places in caiaq driver have the URB handling with the
      fixed endpoints without checking the validity, too.  Add the sanity
      check with the new helper function at each appropriate place for
      avoiding the spurious kernel warnings due to invalid EPs.
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      96cd7962
    • T
      ALSA: hiface: Add sanity checks for invalid EPs · 5935b952
      Takashi Iwai 提交于
      hiface usb-audio driver sets up URBs containing the fixed endpoints
      without validation.  This may end up with an oops-like kernel warning
      when submitted.
      
      For avoiding it, this patch adds the calls of the new sanity-check
      helper for URBs.
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      5935b952
    • T
      ALSA: usx2y: Add sanity checks for invalid EPs · 1f100349
      Takashi Iwai 提交于
      usx2y driver sets up URBs containing the fixed endpoints without
      validation.  This may end up with an oops-like kernel warning when
      submitted.
      
      For avoiding it, this patch adds the calls of the new sanity-check
      helper for URBs.
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      1f100349
    • T
      ALSA: usb-audio: Add sanity checks for invalid EPs · 738d9edc
      Takashi Iwai 提交于
      USB-audio driver may set up a URB containing the fixed EP without
      validating its presence for some non-class-compliant devices.  This
      may end up with an oops-like kernel warning when submitted.
      
      For avoiding it, this patch adds the call of the new sanity-check
      helper for URBs.  The checks are needed only for MIDI I/O as the other
      places have already some other checks.
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      738d9edc
    • T
      ALSA: line6: Add a sanity check for invalid EPs · 2a4340c5
      Takashi Iwai 提交于
      As syzkaller spotted, currently line6 drivers submit a URB with the
      fixed EP without checking whether it's actually available, which may
      result in a kernel warning like:
        usb 1-1: BOGUS urb xfer, pipe 3 != type 1
        ------------[ cut here ]------------
        WARNING: CPU: 0 PID: 24 at drivers/usb/core/urb.c:449
        usb_submit_urb+0xf8a/0x11d0
        Modules linked in:
        CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc2-42613-g1488251d1a98 #238
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
        Workqueue: usb_hub_wq hub_event
        Call Trace:
         line6_start_listen+0x55f/0x9e0 sound/usb/line6/driver.c:82
         line6_init_cap_control sound/usb/line6/driver.c:690
         line6_probe+0x7c9/0x1310 sound/usb/line6/driver.c:764
         podhd_probe+0x64/0x70 sound/usb/line6/podhd.c:474
         usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
         ....
      
      This patch adds a sanity check of validity of EPs at the device
      initialization phase for avoiding the call with an invalid EP.
      Reported-by: NAndrey Konovalov <andreyknvl@google.com>
      Tested-by: NAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      2a4340c5
    • T
      ALSA: caiaq: Add a sanity check for invalid EPs · 58fc7f73
      Takashi Iwai 提交于
      As syzkaller spotted, currently caiaq driver submits a URB with the
      fixed EP without checking whether it's actually available, which may
      result in a kernel warning like:
        usb 1-1: BOGUS urb xfer, pipe 3 != type 1
        ------------[ cut here ]------------
        WARNING: CPU: 1 PID: 1150 at drivers/usb/core/urb.c:449
        usb_submit_urb+0xf8a/0x11d0
        Modules linked in:
        CPU: 1 PID: 1150 Comm: kworker/1:1 Not tainted
        4.14.0-rc2-42660-g24b7bd59eec0 #277
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
        Workqueue: usb_hub_wq hub_event
        Call Trace:
         init_card sound/usb/caiaq/device.c:467
         snd_probe+0x81c/0x1150 sound/usb/caiaq/device.c:525
         usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
         ....
      
      This patch adds a sanity check of validity of EPs at the device
      initialization phase for avoiding the call with an invalid EP.
      Reported-by: NAndrey Konovalov <andreyknvl@google.com>
      Tested-by: NAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      58fc7f73
    • T
      ALSA: bcd2000: Add a sanity check for invalid EPs · 6815a0b4
      Takashi Iwai 提交于
      As syzkaller spotted, currently bcd2000 driver submits a URB with the
      fixed EP without checking whether it's actually available, which may
      result in a kernel warning like:
        usb 1-1: BOGUS urb xfer, pipe 1 != type 3
        ------------[ cut here ]------------
        WARNING: CPU: 0 PID: 1846 at drivers/usb/core/urb.c:449
        usb_submit_urb+0xf8a/0x11d0
        Modules linked in:
        CPU: 0 PID: 1846 Comm: kworker/0:2 Not tainted
        4.14.0-rc2-42613-g1488251d1a98 #238
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
        Workqueue: usb_hub_wq hub_event
        Call Trace:
         bcd2000_init_device sound/usb/bcd2000/bcd2000.c:289
         bcd2000_init_midi sound/usb/bcd2000/bcd2000.c:345
         bcd2000_probe+0xe64/0x19e0 sound/usb/bcd2000/bcd2000.c:406
         usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
         ....
      
      This patch adds a sanity check of validity of EPs at the device
      initialization phase for avoiding the call with an invalid EP.
      Reported-by: NAndrey Konovalov <andreyknvl@google.com>
      Tested-by: NAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      6815a0b4
    • T
      usb: core: Add a helper function to check the validity of EP type in URB · e901b987
      Takashi Iwai 提交于
      This patch adds a new helper function to perform a sanity check of the
      given URB to see whether it contains a valid endpoint.  It's a light-
      weight version of what usb_submit_urb() does, but without the kernel
      warning followed by the stack trace, just returns an error code.
      
      Especially for a driver that doesn't parse the descriptor but fills
      the URB with the fixed endpoint (e.g. some quirks for non-compliant
      devices), this kind of check is preferable at the probe phase before
      actually submitting the urb.
      Tested-by: NAndrey Konovalov <andreyknvl@google.com>
      Acked-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      e901b987
    • T
      ALSA: add snd_card_disconnect_sync() · c44027c8
      Takashi Iwai 提交于
      In case of user unbind ALSA driver during playing back / capturing,
      each driver needs to stop and remove it correctly. One note here is
      that we can't cancel from remove function in such case, because
      unbind operation doesn't check return value from remove function.
      So, we *must* stop and remove in this case.
      
      For this purpose, we need to sync (= wait) until the all top-level
      operations are canceled at remove function.
      For example, snd_card_free() processes the disconnection procedure at
      first, then waits for the completion. That's how the hot-unplug works
      safely. It's implemented, at least, in the top-level driver removal.
      
      Now for the lower level driver, we need a similar strategy. Notify to
      the toplevel for hot-unplug (disconnect in ALSA), and sync with the
      stop operation, then continue the rest of its own remove procedure.
      
      This patch adds snd_card_disconnect_sync(), and driver can use it from
      remove function.
      
      Note: the "lower level" driver here refers to a middle layer driver
      (e.g. ASoC components) that can be unbound freely during operation.
      Most of legacy ALSA helper drivers don't have such a problem because
      they can't be unbound.
      
      Note#2: snd_card_disconnect_sync() merely calls snd_card_disconnect()
      and syncs with closing all pending files.  It takes only the files
      opened by user-space into account, and doesn't care about object
      refcounts.  (The latter is handled by snd_card_free() completion call,
      BTW.)  Also, the function doesn't free resources by itself.
      Tested-by: NKuninori Morimoto <kuninori.morimoto.gx@renesas.com>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      c44027c8
    • T
      ALSA: seq: Fix use-after-free at creating a port · 71105998
      Takashi Iwai 提交于
      There is a potential race window opened at creating and deleting a
      port via ioctl, as spotted by fuzzing.  snd_seq_create_port() creates
      a port object and returns its pointer, but it doesn't take the
      refcount, thus it can be deleted immediately by another thread.
      Meanwhile, snd_seq_ioctl_create_port() still calls the function
      snd_seq_system_client_ev_port_start() with the created port object
      that is being deleted, and this triggers use-after-free like:
      
       BUG: KASAN: use-after-free in snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] at addr ffff8801f2241cb1
       =============================================================================
       BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
       -----------------------------------------------------------------------------
       INFO: Allocated in snd_seq_create_port+0x94/0x9b0 [snd_seq] age=1 cpu=3 pid=4511
       	___slab_alloc+0x425/0x460
       	__slab_alloc+0x20/0x40
        	kmem_cache_alloc_trace+0x150/0x190
      	snd_seq_create_port+0x94/0x9b0 [snd_seq]
      	snd_seq_ioctl_create_port+0xd1/0x630 [snd_seq]
       	snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
       	snd_seq_ioctl+0x40/0x80 [snd_seq]
       	do_vfs_ioctl+0x54b/0xda0
       	SyS_ioctl+0x79/0x90
       	entry_SYSCALL_64_fastpath+0x16/0x75
       INFO: Freed in port_delete+0x136/0x1a0 [snd_seq] age=1 cpu=2 pid=4717
       	__slab_free+0x204/0x310
       	kfree+0x15f/0x180
       	port_delete+0x136/0x1a0 [snd_seq]
       	snd_seq_delete_port+0x235/0x350 [snd_seq]
       	snd_seq_ioctl_delete_port+0xc8/0x180 [snd_seq]
       	snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
       	snd_seq_ioctl+0x40/0x80 [snd_seq]
       	do_vfs_ioctl+0x54b/0xda0
       	SyS_ioctl+0x79/0x90
       	entry_SYSCALL_64_fastpath+0x16/0x75
       Call Trace:
        [<ffffffff81b03781>] dump_stack+0x63/0x82
        [<ffffffff81531b3b>] print_trailer+0xfb/0x160
        [<ffffffff81536db4>] object_err+0x34/0x40
        [<ffffffff815392d3>] kasan_report.part.2+0x223/0x520
        [<ffffffffa07aadf4>] ? snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
        [<ffffffff815395fe>] __asan_report_load1_noabort+0x2e/0x30
        [<ffffffffa07aadf4>] snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
        [<ffffffffa07aa8f0>] ? snd_seq_ioctl_delete_port+0x180/0x180 [snd_seq]
        [<ffffffff8136be50>] ? taskstats_exit+0xbc0/0xbc0
        [<ffffffffa07abc5c>] snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
        [<ffffffffa07abd10>] snd_seq_ioctl+0x40/0x80 [snd_seq]
        [<ffffffff8136d433>] ? acct_account_cputime+0x63/0x80
        [<ffffffff815b515b>] do_vfs_ioctl+0x54b/0xda0
        .....
      
      We may fix this in a few different ways, and in this patch, it's fixed
      simply by taking the refcount properly at snd_seq_create_port() and
      letting the caller unref the object after use.  Also, there is another
      potential use-after-free by sprintf() call in snd_seq_create_port(),
      and this is moved inside the lock.
      
      This fix covers CVE-2017-15265.
      Reported-and-tested-by: NMichael23 Yu <ycqzsy@gmail.com>
      Suggested-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      71105998
  11. 10 10月, 2017 2 次提交
    • T
      ALSA: usb-audio: Kill stray URB at exiting · 124751d5
      Takashi Iwai 提交于
      USB-audio driver may leave a stray URB for the mixer interrupt when it
      exits by some error during probe.  This leads to a use-after-free
      error as spotted by syzkaller like:
        ==================================================================
        BUG: KASAN: use-after-free in snd_usb_mixer_interrupt+0x604/0x6f0
        Call Trace:
         <IRQ>
         __dump_stack lib/dump_stack.c:16
         dump_stack+0x292/0x395 lib/dump_stack.c:52
         print_address_description+0x78/0x280 mm/kasan/report.c:252
         kasan_report_error mm/kasan/report.c:351
         kasan_report+0x23d/0x350 mm/kasan/report.c:409
         __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
         snd_usb_mixer_interrupt+0x604/0x6f0 sound/usb/mixer.c:2490
         __usb_hcd_giveback_urb+0x2e0/0x650 drivers/usb/core/hcd.c:1779
         ....
      
        Allocated by task 1484:
         save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
         save_stack+0x43/0xd0 mm/kasan/kasan.c:447
         set_track mm/kasan/kasan.c:459
         kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
         kmem_cache_alloc_trace+0x11e/0x2d0 mm/slub.c:2772
         kmalloc ./include/linux/slab.h:493
         kzalloc ./include/linux/slab.h:666
         snd_usb_create_mixer+0x145/0x1010 sound/usb/mixer.c:2540
         create_standard_mixer_quirk+0x58/0x80 sound/usb/quirks.c:516
         snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560
         create_composite_quirk+0x1c4/0x3e0 sound/usb/quirks.c:59
         snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560
         usb_audio_probe+0x1040/0x2c10 sound/usb/card.c:618
         ....
      
        Freed by task 1484:
         save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
         save_stack+0x43/0xd0 mm/kasan/kasan.c:447
         set_track mm/kasan/kasan.c:459
         kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524
         slab_free_hook mm/slub.c:1390
         slab_free_freelist_hook mm/slub.c:1412
         slab_free mm/slub.c:2988
         kfree+0xf6/0x2f0 mm/slub.c:3919
         snd_usb_mixer_free+0x11a/0x160 sound/usb/mixer.c:2244
         snd_usb_mixer_dev_free+0x36/0x50 sound/usb/mixer.c:2250
         __snd_device_free+0x1ff/0x380 sound/core/device.c:91
         snd_device_free_all+0x8f/0xe0 sound/core/device.c:244
         snd_card_do_free sound/core/init.c:461
         release_card_device+0x47/0x170 sound/core/init.c:181
         device_release+0x13f/0x210 drivers/base/core.c:814
         ....
      
      Actually such a URB is killed properly at disconnection when the
      device gets probed successfully, and what we need is to apply it for
      the error-path, too.
      
      In this patch, we apply snd_usb_mixer_disconnect() at releasing.
      Also introduce a new flag, disconnected, to struct usb_mixer_interface
      for not performing the disconnection procedure twice.
      Reported-by: NAndrey Konovalov <andreyknvl@google.com>
      Tested-by: NAndrey Konovalov <andreyknvl@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      124751d5
    • T
      ALSA: seq: Add sanity check for user-space pointer delivery · 19b592da
      Takashi Iwai 提交于
      The sequencer event may contain a user-space pointer with its
      SNDRV_SEQ_EXT_USRPTR bit, and we assure that its delivery is limited
      with non-atomic mode.  Otherwise the copy_from_user() may hit the
      fault and cause a problem.  Although the core code doesn't set such a
      flag (only set at snd_seq_write()), any wild driver may set it
      mistakenly and lead to an unexpected crash.
      
      This patch adds a sanity check of such events at the delivery core
      code to filter out the invalid invocation in the atomic mode.
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      19b592da