A slave timer instance might be still accessible in a racy way while
operating the master instance as it lacks of locking.  Since the
master operation is mostly protected with timer->lock, we should cope
with it while changing the slave instance, too.  Also, some linked
lists (active_list and ack_list) of slave instances aren't unlinked
immediately at stopping or closing, and this may lead to unexpected
accesses.

This patch tries to address these issues.  It adds spin lock of
timer->lock (either from master or slave, which is equivalent) in a
few places.  For avoiding a deadlock, we ensure that the global
slave_active_lock is always locked at first before each timer lock.

Also, ack and active_list of slave instances are properly unlinked at
snd_timer_stop() and snd_timer_close().

Last but not least, remove the superfluous call of _snd_timer_stop()
at removing slave links.  This is a noop, and calling it may confuse
readers wrt locking.  Further cleanup will follow in a later patch.

Actually we've got reports of use-after-free by syzkaller fuzzer, and
this hopefully fixes these issues.
Reported-by: NDmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

ALSA timer ioctls have an open race and this may lead to a
use-after-free of timer instance object.  A simplistic fix is to make
each ioctl exclusive.  We have already tread_sem for controlling the
tread, and extend this as a global mutex to be applied to each ioctl.

The downside is, of course, the worse concurrency.  But these ioctls
aren't to be parallel accessible, in anyway, so it should be fine to
serialize there.
Reported-by: NDmitry Vyukov <dvyukov@google.com>
Tested-by: NDmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

ALSA timer instance object has a couple of linked lists and they are
unlinked unconditionally at snd_timer_stop().  Meanwhile
snd_timer_interrupt() unlinks it, but it calls list_del() which leaves
the element list itself unchanged.  This ends up with unlinking twice,
and it was caught by syzkaller fuzzer.

The fix is to use list_del_init() variant properly there, too.
Reported-by: NDmitry Vyukov <dvyukov@google.com>
Tested-by: NDmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

Currently the info in /proc/interrupts doesn't allow to figure out which
interrupt belongs to which card (HDMI, PCH, ..).
Therefore add card details to the interrupt description.
With the patch the info in /proc/interrupts looks like this:

PCI-MSI 442368-edge      snd_hda_intel:card1
PCI-MSI 49152-edge      snd_hda_intel:card0

NOTE: this patch adds the new irq_descr field snd_card struct that is
filled automatically at a card object creation.  This can be used
generically for other drivers as well.  The changes for others will
follow later -- tiwai
Signed-off-by: NHeiner Kallweit <hkallweit1@gmail.com>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

ALSA sequencer code has an open race between the timer setup ioctl and
the close of the client.  This was triggered by syzkaller fuzzer, and
a use-after-free was caught there as a result.

This patch papers over it by adding a proper queue->timer_mutex lock
around the timer-related calls in the relevant code path.
Reported-by: NDmitry Vyukov <dvyukov@google.com>
Tested-by: NDmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

snd_seq_ioctl_remove_events() calls snd_seq_fifo_clear()
unconditionally even if there is no FIFO assigned, and this leads to
an Oops due to NULL dereference.  The fix is just to add a proper NULL
check.
Reported-by: NDmitry Vyukov <dvyukov@google.com>
Tested-by: NDmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

This is an API consolidation only. The use of kmalloc + memset to 0
is equivalent to kzalloc.
Signed-off-by: NNicholas Mc Guire <hofrat@osadl.org>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

Compress offload does not support ioctl calls from a 32bit userspace
in a 64 bit kernel. This patch adds support for ioctls from a 32bit
userspace in a 64bit kernel
Signed-off-by: NRavindra Lokhande <rlokhande@nvidia.com>
Acked-by: NVinod Koul <vinod.koul@intel.com>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

The ALSA PCM, mixer and sequencer OSS emulations provide the 32bit
compatible ioctl, but they just call the 64bit native ioctl as is.
Although this works in most cases, passing the argument value as-is
isn't guaranteed to work on all architectures.  We need to convert it
via compat_ptr() instead.

This patch addresses the missing conversions.  Since all relevant
ioctls in these functions take the argument as a pointer, we do the
pointer conversion in each compat_ioctl and pass it as a 64bit value
to the native ioctl.
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

Make snd_compress_new take an id string (like snd_pcm_new).
This string can be included in the procfs info.

This patch also updates soc_new_compress() to create an ID
based on the stream and dai name, as done for PCM streams.
Signed-off-by: NRichard Fitzgerald <rf@opensource.wolfsonmicro.com>
Acked-by: NVinod Koul <vinod.koul@intel.com>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

This patch implements a procfs info file for compr nodes when
SND_VERBOSE_PROCFS is enabled. This is equivalent to what the PCM
core already does for pcm nodes.
Signed-off-by: NRichard Fitzgerald <rf@opensource.wolfsonmicro.com>
Acked-by: NVinod Koul <vinod.koul@intel.com>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

The action_ops structures are never modified, so declare them as const.

Done with the help of Coccinelle.
Signed-off-by: NJulia Lawall <Julia.Lawall@lip6.fr>
Reviewed-by: NTakashi Sakamoto <o-takashi@sakamocchi.jp>
Tested-by: NTakashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

The snd_rawmidi_global_ops structures are never modified, so declare them
as const.

Done with the help of Coccinelle.
Signed-off-by: NJulia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

The ALSA core does not modify the constraints provided by a driver. Most
constraint helper functions already take a const pointer to the constraint
description, the exception at the moment being the ratden and ratnum
constraints. Make those const as well, this allows a driver to declare them
as const.
Signed-off-by: NLars-Peter Clausen <lars@metafoo.de>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

While there is nothing wrong with the transfer_ack_begin and
transfer_ack_end callbacks per-se, the last documented user was part of the
alsa-driver 0.5.12a package, which was released 14 years ago and even
predates the upstream integration of the ALSA core and has subsequently
been superseded by newer alsa-driver releases.

This seems to indicate that there is no need for having these callbacks and
they are just cruft that can be removed.
Signed-off-by: NLars-Peter Clausen <lars@metafoo.de>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

PCM timer is not always used. For embedded device, we need an interface
to disable it when it is not needed, to shrink the kernel size and
memory footprint, here add CONFIG_SND_PCM_TIMER for it.

When both CONFIG_SND_PCM_TIMER and CONFIG_SND_TIMER is unselected,
about 25KB saving bonus we can get.

Please be noted that when disabled, those stubs who using pcm timer
(e.g. dmix, dsnoop & co) may work incorrectlly.
Suggested-by: NTakashi Iwai <tiwai@suse.de>
Signed-off-by: NJie Yang <yang.jie@intel.com>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

We cap the upper bound of "idx" but not the negative side.  Let's make
it unsigned to fix this.
Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

snd_seq_oss_readq_put_event() seems to be missing a memory barrier which
might cause the waker to not notice the waiter and miss sending a
wake_up as in the following figure.

    snd_seq_oss_readq_put_event		    snd_seq_oss_readq_wait
------------------------------------------------------------------------
					/* wait_event_interruptible_timeout */
					 /* __wait_event_interruptible_timeout */
					  /* ___wait_event */
					  for (;;) {									 prepare_to_wait_event(&wq, &__wait,
					    state);
spin_lock_irqsave(&q->lock, flags);
if (waitqueue_active(&q->midi_sleep))
/* The CPU might reorder the test for
   the waitqueue up here, before
   prior writes complete */
					  if ((q->qlen>0 || q->head==q->tail)
					  ...
					  __ret = schedule_timeout(__ret)
if (q->qlen >= q->maxlen - 1) {
memcpy(&q->q[q->tail], ev, sizeof(*ev));
q->tail = (q->tail + 1) % q->maxlen;
q->qlen++;
------------------------------------------------------------------------

There are two other place in sound/core/seq/oss/ which have similar
code.  The attached patch removes the call to waitqueue_active() leaving
just wake_up() behind.  This fixes the problem because the call to
spin_lock_irqsave() in wake_up() will be an ACQUIRE operation.

I found this issue when I was looking through the linux source code
for places calling waitqueue_active() before wake_up*(), but without
preceding memory barriers, after sending a patch to fix a similar
issue in drivers/tty/n_tty.c  (Details about the original issue can be
found here: https://lkml.org/lkml/2015/9/28/849).
Signed-off-by: NKosuke Tatsukawa <tatsu@ab.jp.nec.com>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

snd_pcm_release_substream() always calls hw_free op when the stream
was opened.  This is superfluous in most cases because it's been
already released via explicit hw_free ioctl.  Although this double
call is usually OK as this callback should be written to be called
multiple times, it's better to avoid superfluous calls.
Reported-by: NVinod Koul <vinod.koul@intel.com>
Tested-by: NJeeja Kp <jeeja.kp@intel.com>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

As far as I can see, having an invalid ->tstamp_mode is harmless, but
adding a check silences a static checker warning.
Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

ALSA: pcm: remove structure member of 'struct snd_pcm_hwptr_log *' type because this structure had been removed

This structure was added by 4d96eb25 ('ALSA: pcm_lib - add possibility
to log last 10 DMA ring buffer positions') to store PCM pointers
information of latest 10 pointer movements (=XRUN_LOG_CNT). When
CONFIG_SND_PCM_XRUN_DEBUG is configured, 'struct snd_pcm_runtime' has
'hwptr_log' member with a pointer to the structure. When calling
xrun_log() in pcm_lib.c, the structure was allocated to the pointer.
When calling snd_pcm_detach_substream() in pcm.c, the allocated pointer
is released.

In f5914908 ('ALSA: pcm: Replace PCM hwptr tracking with tracepoints'),
the pointer logging is replaced with using Linux Kernel Tracepoints. The
structure was also removed, while it's just declared. The member and kfree
still remains.

This commit removes the member and related codes. I think this was
overlooked because it brings no errors/warnings to C compilers.

Fixes: f5914908 ('ALSA: pcm: Replace PCM hwptr tracking with tracepoints')
Signed-off-by: NTakashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

With the nonatomic PCM ops, the system may spew lockdep warnings like:

 =============================================
 [ INFO: possible recursive locking detected ]
 4.2.0-rc1-jeejaval3 #12 Not tainted
 ---------------------------------------------
 aplay/4029 is trying to acquire lock:
  (snd_pcm_link_rwsem){.+.+.+}, at: [<ffffffff816fd473>] snd_pcm_stream_lock+0x43/0x60

 but task is already holding lock:
  (snd_pcm_link_rwsem){.+.+.+}, at: [<ffffffff816fcf29>] snd_pcm_action_nonatomic+0x29/0x80

 other info that might help us debug this:
  Possible unsafe locking scenario:

        CPU0
        ----
   lock(snd_pcm_link_rwsem);
   lock(snd_pcm_link_rwsem);

Although this is false-positive as the rwsem is taken always as
read-only for these code paths, it's certainly annoying to see this at
any occasion.  A simple fix is to use down_read_nested() in
snd_pcm_stream_lock() that can be called inside another lock.
Reported-by: NVinod Koul <vinod.koul@intel.com>
Reported-by: NJeeja Kp <jeeja.kp@intel.com>
Tested-by: NJeeja Kp <jeeja.kp@intel.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

To be consistent with other kernel interface namings, rename
of_get_named_gen_pool() to of_gen_pool_get().  In the original function
name "_named" suffix references to a device tree property, which contains
a phandle to a device and the corresponding device driver is assumed to
register a gen_pool object.

Due to a weak relation and to avoid any confusion (e.g.  in future
possible scenario if gen_pool objects are named) the suffix is removed.

[sfr@canb.auug.org.au: crypto/marvell/cesa - fix up for of_get_named_gen_pool() rename]
Signed-off-by: NVladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
Cc: Nicolas Ferre <nicolas.ferre@atmel.com>
Cc: Philipp Zabel <p.zabel@pengutronix.de>
Cc: Shawn Guo <shawn.guo@linaro.org>
Cc: Sascha Hauer <kernel@pengutronix.de>
Cc: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Cc: Russell King <linux@arm.linux.org.uk>
Cc: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Cc: Vinod Koul <vinod.koul@intel.com>
Cc: Takashi Iwai <tiwai@suse.de>
Cc: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: NStephen Rothwell <sfr@canb.auug.org.au>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Boris BREZILLON <boris.brezillon@free-electrons.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Static analysis with cppcheck found the following error:
  [sound/core/init.c:118]: (error) Uninitialized variable: err

..this was introduced by commit 2471b6c8
("ALSA: info: Register proc entries recursively, too") where the call
to snd_info_card_register was removed and no longer setting the error
return in err.  When snd_info_create_card_entry fails to allocate a
an entry, the error path exits with garbage in err.  Fix is to return
-ENOMEM if entry fails to be allocated.

Fixes: 2471b6c8 ("ALSA: info: Register proc entries recursively, too")
Signed-off-by: NColin Ian King <colin.king@canonical.com>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

While the commit [d0a601c2: ALSA: jack: Fix the id uniqueness
check] fixes the wrong string check, it leads to a worse result -- the
loop in get_available_index() goes into an endless loop.  The cause is
that snd_ctl_find_id() returns the object assigned to the numid if
it's set.  Thus it points to the previous entry again.

This patch clears the numid field for the next call properly.
Reported-and-tested-by: NTomáš Pružina <pruzinat@gmail.com>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

The pcm_class sysfs of each PCM substream gives only "none" since the
recent code change to embed the struct device.  Fix the code to point
directly to the embedded device object properly.

Fixes: ef46c7af ('ALSA: pcm: Embed struct device')
Cc: <stable@vger.kernel.org> # v4.0+
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

snd_kctl_jack_new() tries to assign a unique index number when a name
string that has been already registered is passed.  However, it checks
with the base string without "Jack" suffix, so it never hits.
Fix the call with the properly processed name string instead.

Fixes: b8dd0866 'ALSA: Jack: handle jack embedded kcontrol creating within ctljack')
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

There are a few leftover CONFIG_PROC_FS forgotten to replace with
CONFIG_SND_PROC_FS.

Fixes: cd6a6503 ('ALSA: replace CONFIG_PROC_FS with CONFIG_SND_PROC_FS')
Reported-by: NJim Davis <jim.epost@gmail.com>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

We may disable proc fs only for sound part, to reduce ALSA
memory footprint. So add CONFIG_SND_PROC_FS and replace the
old CONFIG_PROC_FSs in alsa code.

With sound proc fs disabled, we can save about 9KB memory
size on X86_64 platform.
Signed-off-by: NJie Yang <yang.jie@intel.com>
Reviewed-by: NMark Brown <broonie@kernel.org>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

For some embedded devices, we need reduce code size and data
footprint as much as possible, e.g. disabling procfs, hw/sw
params refinement, mmap, dpcm, dapm, compressed API...

Here add SND_PROC_FS item for expert, we can unselect it to
disable sound proc FS and reduce memory footprint.
Signed-off-by: NJie Yang <yang.jie@intel.com>
Reviewed-by: NMark Brown <broonie@kernel.org>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

Add a helper to create the IEC958 channel status from an ALSA
snd_pcm_runtime structure, taking account of the sample rate and
sample size.
Signed-off-by: NRussell King <rmk+kernel@arm.linux.org.uk>
Reviwed-by: NMark Brown <broonie@kernel.org>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

Add a helper for the EDID like data structure, which is typically passed
from a HDMI adapter to its associated audio driver.  This informs the
audio driver of the capabilities of the attached HDMI sink.
Signed-off-by: NRussell King <rmk+kernel@arm.linux.org.uk>
Reviewed-by: NMark Brown <broonie@kernel.org>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

The jack interface is statically included in sound core.  Having
doubly module information is rather confusing.
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

Currently in snd_pcm_update_hw_ptr0 during interrupt,
we consider there were double acknowledged interrupts when:
1. HW reported pointer is smaller than expected, and
2. Time from last update time (hdelta) is over half a buffer time.

However, when HW reported pointer is only a few bytes smaller than
expected, and when hdelta is just a little larger than half a buffer time
(e.g. ping-pong buffer), it wrongly treats this IRQ as double acknowledged.

The condition #2 uses jiffies, but jiffies is not high resolution
since it is integer. We should consider jiffies inaccuracy.
Signed-off-by: NKoro Chen <koro.chen@mediatek.com>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

It's no longer a part of API but merely a local function.
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

Just a minor refactoring, no functional changes.
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

The commit [c560a679: ALSA: core: Remove child proc file elements
recursively] converted snd_card_proc_new() with the normal
snd_info_*() call and removed snd_device chain for such info
entries. However, it misses one point: the creation of the proc entry
was managed by snd_device chain in the former code, and now it's also
gone, which results in no proc files creation at all.  Mea culpa.

This patch makes snd_info_card_register() creating the all pending
child proc entries in a shot.  Also, since snd_card_register() might
be called multiple times, this function is also changed to be callable
multiple times.

Along with the changes above, now the linked list of snd_info_entry is
added at creation time instead of snd_info_register() for keeping eyes
of pending info entries.

Fixes: c560a679 ('ALSA: core: Remove child proc file elements recursively')
Reported-by: N"Lu, Han" <han.lu@intel.com>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

snd_info_free_entry() releases the all children nodes as well, but due
to the wrong timing of releasing the link, the children nodes may be
disconnected but left unreleased.  This patch fixes it by moving the
link free at the right position.  Also it eases list_for_each_entry()
without _safe option in snd_info_disconnect() because it no longer
frees the children nodes there.

Fixes: c560a679 ('ALSA: core: Remove child proc file elements recursively')
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

Another fixes for NULL jack->input_dev in some places in jack.c.

Fixes: 2ba2dfa1 ('ALSA: hda - Update to use the new jack kctls method')
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

There is no input_dev for phantom jack, we should not report
input event for it, otherwise, NULL pointer dereference error
will occur.

Fixes: 2ba2dfa1 ('ALSA: hda - Update to use the new jack kctls method')
Signed-off-by: NJie Yang <yang.jie@intel.com>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>