1. 04 12月, 2017 1 次提交
    • J
      ALSA: usb-audio: Fix out-of-bound error · 251552a2
      Jaejoong Kim 提交于
      The snd_usb_copy_string_desc() retrieves the usb string corresponding to
      the index number through the usb_string(). The problem is that the
      usb_string() returns the length of the string (>= 0) when successful, but
      it can also return a negative value about the error case or status of
      usb_control_msg().
      
      If iClockSource is '0' as shown below, usb_string() will returns -EINVAL.
      This will result in '0' being inserted into buf[-22], and the following
      KASAN out-of-bound error message will be output.
      
      AudioControl Interface Descriptor:
        bLength                 8
        bDescriptorType        36
        bDescriptorSubtype     10 (CLOCK_SOURCE)
        bClockID                1
        bmAttributes         0x07 Internal programmable Clock (synced to SOF)
        bmControls           0x07
        Clock Frequency Control (read/write)
        Clock Validity Control (read-only)
        bAssocTerminal          0
        iClockSource            0
      
      To fix it, check usb_string()'return value and bail out.
      
      ==================================================================
      BUG: KASAN: stack-out-of-bounds in parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
      Write of size 1 at addr ffff88007e66735a by task systemd-udevd/18376
      
      CPU: 0 PID: 18376 Comm: systemd-udevd Not tainted 4.13.0+ #3
      Hardware name: LG Electronics                   15N540-RFLGL/White Tip Mountain, BIOS 15N5
      Call Trace:
      dump_stack+0x63/0x8d
      print_address_description+0x70/0x290
      ? parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
      kasan_report+0x265/0x350
      __asan_store1+0x4a/0x50
      parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
      ? save_stack+0xb5/0xd0
      ? save_stack_trace+0x1b/0x20
      ? save_stack+0x46/0xd0
      ? kasan_kmalloc+0xad/0xe0
      ? kmem_cache_alloc_trace+0xff/0x230
      ? snd_usb_create_mixer+0xb0/0x4b0 [snd_usb_audio]
      ? usb_audio_probe+0x4de/0xf40 [snd_usb_audio]
      ? usb_probe_interface+0x1f5/0x440
      ? driver_probe_device+0x3ed/0x660
      ? build_feature_ctl+0xb10/0xb10 [snd_usb_audio]
      ? save_stack_trace+0x1b/0x20
      ? init_object+0x69/0xa0
      ? snd_usb_find_csint_desc+0xa8/0xf0 [snd_usb_audio]
      snd_usb_mixer_controls+0x1dc/0x370 [snd_usb_audio]
      ? build_audio_procunit+0x890/0x890 [snd_usb_audio]
      ? snd_usb_create_mixer+0xb0/0x4b0 [snd_usb_audio]
      ? kmem_cache_alloc_trace+0xff/0x230
      ? usb_ifnum_to_if+0xbd/0xf0
      snd_usb_create_mixer+0x25b/0x4b0 [snd_usb_audio]
      ? snd_usb_create_stream+0x255/0x2c0 [snd_usb_audio]
      usb_audio_probe+0x4de/0xf40 [snd_usb_audio]
      ? snd_usb_autosuspend.part.7+0x30/0x30 [snd_usb_audio]
      ? __pm_runtime_idle+0x90/0x90
      ? kernfs_activate+0xa6/0xc0
      ? usb_match_one_id_intf+0xdc/0x130
      ? __pm_runtime_set_status+0x2d4/0x450
      usb_probe_interface+0x1f5/0x440
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NJaejoong Kim <climbbb.kim@gmail.com>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      251552a2
  2. 30 11月, 2017 1 次提交
  3. 23 11月, 2017 2 次提交
  4. 22 11月, 2017 6 次提交
    • T
      ALSA: hda - Fix yet remaining issue with vmaster 0dB initialization · d6c0615f
      Takashi Iwai 提交于
      The previous fix for addressing the breakage in vmaster slave
      initialization, commit a91d6612 ("ALSA: hda - Fix incorrect TLV
      callback check introduced during set_fs() removal"), introduced a new
      helper to process over each slave kctl.  However, this helper passes
      only the original kctl, not the virtual slave kctl.  As a result,
      HD-audio driver (which is the only user so far) couldn't initialize
      the slave correctly because it's trying to update the value directly
      with the original kctl, not with the mapped kctl.
      
      This patch fixes the situation again by passing both the mapped slaved
      and original slave kctls to the function.  Luckily there is a single
      caller as of now, so changing the call signature is no big matter.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=197959
      Fixes: a91d6612 ("ALSA: hda - Fix incorrect TLV callback check introduced during set_fs() removal")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      d6c0615f
    • K
      treewide: Remove TIMER_FUNC_TYPE and TIMER_DATA_TYPE casts · 841b86f3
      Kees Cook 提交于
      With all callbacks converted, and the timer callback prototype
      switched over, the TIMER_FUNC_TYPE cast is no longer needed,
      so remove it. Conversion was done with the following scripts:
      
          perl -pi -e 's|\(TIMER_FUNC_TYPE\)||g' \
              $(git grep TIMER_FUNC_TYPE | cut -d: -f1 | sort -u)
      
          perl -pi -e 's|\(TIMER_DATA_TYPE\)||g' \
              $(git grep TIMER_DATA_TYPE | cut -d: -f1 | sort -u)
      
      The now unused macros are also dropped from include/linux/timer.h.
      Signed-off-by: NKees Cook <keescook@chromium.org>
      841b86f3
    • T
      ALSA: usb-audio: Add sanity checks in v2 clock parsers · 0a62d6c9
      Takashi Iwai 提交于
      The helper functions to parse and look for the clock source, selector
      and multiplier unit may return the descriptor with a too short length
      than required, while there is no sanity check in the caller side.
      Add some sanity checks in the parsers, at least, to guarantee the
      given descriptor size, for avoiding the potential crashes.
      
      Fixes: 79f920fb ("ALSA: usb-audio: parse clock topology of UAC2 devices")
      Reported-by: NAndrey Konovalov <andreyknvl@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      0a62d6c9
    • T
      ALSA: usb-audio: Fix potential zero-division at parsing FU · 8428a8eb
      Takashi Iwai 提交于
      parse_audio_feature_unit() contains a code dividing potentially with
      zero when a malformed FU descriptor is passed.  Although there is
      already a sanity check, it checks only the value zero, hence it can
      still lead to a zero-division when a value 1 is passed there.
      
      Fix it by correcting the sanity check (and the error message
      thereof).
      
      Fixes: 23caaf19 ("ALSA: usb-mixer: Add support for Audio Class v2.0")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      8428a8eb
    • T
      ALSA: usb-audio: Fix potential out-of-bound access at parsing SU · f658f17b
      Takashi Iwai 提交于
      The usb-audio driver may trigger an out-of-bound access at parsing a
      malformed selector unit, as it checks the header length only after
      evaluating bNrInPins field, which can be already above the given
      length.  Fix it by adding the length check beforehand.
      
      Fixes: 99fc8645 ("ALSA: usb-mixer: parse descriptors with structs")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      f658f17b
    • T
      ALSA: usb-audio: Add sanity checks to FE parser · d937cd67
      Takashi Iwai 提交于
      When the usb-audio descriptor contains the malformed feature unit
      description with a too short length, the driver may access
      out-of-bounds.  Add a sanity check of the header size at the beginning
      of parse_audio_feature_unit().
      
      Fixes: 23caaf19 ("ALSA: usb-mixer: Add support for Audio Class v2.0")
      Reported-by: NAndrey Konovalov <andreyknvl@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      d937cd67
  5. 21 11月, 2017 2 次提交
    • T
      ALSA: timer: Remove kernel warning at compat ioctl error paths · 3d4e8303
      Takashi Iwai 提交于
      Some timer compat ioctls have NULL checks of timer instance with
      snd_BUG_ON() that bring up WARN_ON() when the debug option is set.
      Actually the condition can be met in the normal situation and it's
      confusing and bad to spew kernel warnings with stack trace there.
      Let's remove snd_BUG_ON() invocation and replace with the simple
      checks.  Also, correct the error code to EBADFD to follow the native
      ioctl error handling.
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      3d4e8303
    • H
      ALSA: pcm: update tstamp only if audio_tstamp changed · 20e3f985
      Henrik Eriksson 提交于
      commit 3179f620 ("ALSA: core: add .get_time_info") had a side effect
      of changing the behaviour of the PCM runtime tstamp.  Prior to this
      change tstamp was not updated by snd_pcm_update_hw_ptr0() unless the
      hw_ptr had moved, after this change tstamp was always updated.
      
      For an application using alsa-lib, doing snd_pcm_readi() followed by
      snd_pcm_status() to estimate the age of the read samples by subtracting
      status->avail * [sample rate] from status->tstamp this change degraded
      the accuracy of the estimate on devices where the pcm hw does not
      provide a granular hw_ptr, e.g., devices using
      soc-generic-dmaengine-pcm.c and a dma-engine with residue_granularity
      DMA_RESIDUE_GRANULARITY_DESCRIPTOR.  The accuracy of the estimate
      depended on the latency between the PCM hw completing a period and the
      driver called snd_pcm_period_elapsed() to notify ALSA core, typically
      determined by interrupt handling latency.  After the change the accuracy
      of the estimate depended on the latency between the PCM hw completing a
      period and the application calling snd_pcm_status(), determined by the
      scheduling of the application process.  The maximum error of the
      estimate is one period length in both cases, but the error average and
      variance is smaller when it depends on interrupt latency.
      
      Instead of always updating tstamp, update it only if audio_tstamp
      changed.
      
      Fixes: 3179f620 ("ALSA: core: add .get_time_info")
      Suggested-by: NPierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
      Signed-off-by: NHenrik Eriksson <henrik.eriksson@axis.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      20e3f985
  6. 20 11月, 2017 1 次提交
  7. 17 11月, 2017 2 次提交
    • T
      ALSA: hda: Fix too short HDMI/DP chmap reporting · c2432466
      Takashi Iwai 提交于
      We got a regression report about the HD-audio HDMI chmap, where some
      surround channels are reported as UNKNOWN.  The git bisection pointed
      the culprit at the commit 9b3dc8aa ("ALSA: hda - Register chmap
      obj as priv data instead of codec").  The story behind scene is like
      this:
      
      - While moving the code out of the legacy HDA to the HDA common place,
        the patch modifies the code to obtain the chmap array indirectly in
        a byte array, and it expands it to kctl value array.
      - At the latter operation, the size of the array is wrongly passed by
        sizeof() to the pointer.
      - It can be 4 on 32bit arch, thus too short for 6+ channels.
        (And that's the reason why it didn't hit other persons; it's 8 on
        64bit arch, thus it's usually enough.)
      
      The code was further changed meanwhile, but the problem persisted.
      Let's fix it by correctly evaluating the array size.
      
      Fixes: 9b3dc8aa ("ALSA: hda - Register chmap obj as priv data instead of codec")
      Reported-by: NVDR User <user.vdr@gmail.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      c2432466
    • J
      ALSA: usb-audio: uac1: Invalidate ctl on interrupt · b2500b58
      Julian Scheel 提交于
      When an interrupt occurs, the value of at least one of the belonging
      controls should have changed. To make sure they get re-read from device
      on the next read, invalidate the cache. This was correctly implemented
      for uac2 already, but missing for uac1.
      Signed-off-by: NJulian Scheel <julian@jusst.de>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      b2500b58
  8. 16 11月, 2017 1 次提交
  9. 15 11月, 2017 1 次提交
  10. 11 11月, 2017 7 次提交
    • M
      ASoC: bcm2835: Support left/right justified and DSP modes · abd4f0e1
      Matthias Reichl 提交于
      DSP modes and left/right justified modes can be supported
      on bcm2835 by configuring the frame sync polarity and
      frame sync length registers and by adjusting the
      channel data position registers.
      
      Clock and frame sync polarity handling in hw_params has
      been refactored to make the interaction between logical
      rising/falling edge frame start and physical configuration
      (changed by normal/inverted polarity modes) clearer.
      
      Modes where the first active data bit is transmitted immediately
      after frame start (eg DSP mode B with slot 0 active)
      only work reliable if bcm2835 is configured as frame master.
      In frame slave mode channel swap (or shift, this isn't quite
      clear yet) can occur.
      
      Currently the driver only warns if an unstable configuration
      is detected but doensn't prevent using them.
      Signed-off-by: NMatthias Reichl <hias@horus.com>
      Signed-off-by: NMark Brown <broonie@kernel.org>
      abd4f0e1
    • M
      ASoC: bcm2835: Enforce full symmetry · 3d2b3c70
      Matthias Reichl 提交于
      bcm2835's configuration registers can't be changed when a stream
      is running, which means asymmetric configurations aren't supported.
      
      Channel and rate symmetry are already enforced by constraints
      but samplebits had been missed.
      
      As hw_params doesn't check for symmetry constraints by itself
      and just returns success if a stream is running this led to
      situations where asymmetric configurations were seeming to
      succeed but of course didn't work because the hardware wasn't
      configured at all.
      
      Fix this by adding the missing samplerate symmetry constraint.
      Signed-off-by: NMatthias Reichl <hias@horus.com>
      Signed-off-by: NMark Brown <broonie@kernel.org>
      3d2b3c70
    • M
      ASoC: bcm2835: Support additional samplerates up to 384kHz · 675c0ee5
      Matthias Reichl 提交于
      Sample rates are only restricted by the capabilities of the
      clock driver, so use SNDRV_PCM_RATE_CONTINUOUS instead of
      SNDRV_PCM_RATE_8000_192000.
      
      Tests (eg with pcm5122) have shown that bcm2835 works fine
      in 384kHz/32bit stereo mode, so change the maximum allowed
      rate from 192kHz to 384kHz.
      Signed-off-by: NMatthias Reichl <hias@horus.com>
      Reviewed-by: NEric Anholt <eric@anholt.net>
      Signed-off-by: NMark Brown <broonie@kernel.org>
      675c0ee5
    • M
      ASoC: bcm2835: Add support for TDM modes · 9448572d
      Matthias Reichl 提交于
      bcm2835 supports arbitrary positioning of channel data within
      a frame and thus is capable of supporting TDM modes. Since
      the driver is limited to 2-channel operations only TDM setups
      with exactly 2 active slots are supported.
      
      Logical TDM slot numbering follows the usual convention:
      
      For I2S-like modes, with a 50% duty-cycle frame clock,
      slots 0, 2, ... are transmitted in the first half of a frame,
      slots 1, 3, ... are transmitted in the second half.
      
      For DSP modes slot numbering is ascending: 0, 1, 2, 3, ...
      
      Channel position calculation has been refactored to use
      TDM info and moved out of hw_params.
      
      set_tdm_slot, set_bclk_ratio and hw_params now check more
      strictly if the configuration is valid. Illegal configurations
      like odd number of slots in I2S mode, data lengths exceeding
      slot width or frame sizes larger than the hardware limit of
      1024 are rejected. Also hw_params now properly checks for
      errors from clk_set_rate.
      
      Allowed PCM formats are already guarded by stream constraints,
      thus the formats check in hw_params has been removed and
      data_length is now retrieved via params_width().
      
      Also standard functions like snd_soc_params_to_bclk are now
      being used instead of manual calculations to make the code
      more readable.
      
      Special care has been taken to ensure that set_bclk_ratio works
      as before. The bclk ratio is mapped to a 2-channel TDM config
      with a slot width of half the ratio. In order to support odd ratios,
      which can't be expressed via a TDM config, the ratio (frame length)
      is stored and used by hw_params.
      Signed-off-by: NMatthias Reichl <hias@horus.com>
      Signed-off-by: NMark Brown <broonie@kernel.org>
      9448572d
    • O
      ASoC: add mclk-fs support to audio graph card · 757652dd
      Olivier Moysan 提交于
      Add mclk-fs support to audio graph card
      as it was previously implemented in simple card.
      Signed-off-by: NOlivier Moysan <olivier.moysan@st.com>
      Acked-by: NKuninori Morimoto <kuninori.morimoto.gx@renesas.com>
      Signed-off-by: NMark Brown <broonie@kernel.org>
      757652dd
    • A
      ASoC: rt5514: work around link error · c5630877
      Arnd Bergmann 提交于
      The main rt5514 driver optionally calls into the SPI back-end to load
      the firmware. This causes a link error when one driver selects rt5514
      as built-in and another driver selects rt5514-spi as a loadable module:
      
      sound/soc/codecs/rt5514.o: In function `rt5514_dsp_voice_wake_up_put':
      rt5514.c:(.text+0xac8): undefined reference to `rt5514_spi_burst_write'
      
      As a workaround, this adds another silent symbol, to force rt5514-spi
      to be built-in for that configuration. I'm not overly happy with
      that solution, but couldn't come up with anything better. Using
      'IS_REACHABLE()' would break the case that relies on the loadable
      module, and all other ideas would result in more complexity.
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NMark Brown <broonie@kernel.org>
      c5630877
    • A
      ASoC: rt5514: mark PM functions as __maybe_unused · 7e6358ec
      Arnd Bergmann 提交于
      The new functions are only used when CONFIG_PM is enabled,
      leading to a harmless warning:
      
      sound/soc/codecs/rt5514-spi.c:474:12: error: 'rt5514_resume' defined but not used [-Werror=unused-function]
      sound/soc/codecs/rt5514-spi.c:464:12: error: 'rt5514_suspend' defined but not used [-Werror=unused-function]
      
      This marks them as __maybe_unused to make the build silent
      again.
      
      Fixes: 58f1c07d ("ASoC: rt5514: Voice wakeup support.")
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NMark Brown <broonie@kernel.org>
      7e6358ec
  11. 10 11月, 2017 3 次提交
  12. 09 11月, 2017 13 次提交