Skip to content

K
kernel_linux

OpenHarmony / kernel_linux
上一次同步 4 年多

通知 15
Star 8
Fork 2
K
kernel_linux
切换分支/标签
  1. 18 6月, 2014 3 次提交
    • L
      ALSA: control: Don't access controls outside of protected regions · fd9f26e4
      Lars-Peter Clausen 提交于 
      A control that is visible on the card->controls list can be freed at any time.
This means we must not access any of its memory while not holding the
controls_rw_lock. Otherwise we risk a use after free access.
Signed-off-by: NLars-Peter Clausen <lars@metafoo.de>
Acked-by: NJaroslav Kysela <perex@perex.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      fd9f26e4
    • L
      ALSA: control: Fix replacing user controls · 82262a46
      Lars-Peter Clausen 提交于 
      There are two issues with the current implementation for replacing user
controls. The first is that the code does not check if the control is actually a
user control and neither does it check if the control is owned by the process
that tries to remove it. That allows userspace applications to remove arbitrary
controls, which can cause a user after free if a for example a driver does not
expect a control to be removed from under its feed.

The second issue is that on one hand when a control is replaced the
user_ctl_count limit is not checked and on the other hand the user_ctl_count is
increased (even though the number of user controls does not change). This allows
userspace, once the user_ctl_count limit as been reached, to repeatedly replace
a control until user_ctl_count overflows. Once that happens new controls can be
added effectively bypassing the user_ctl_count limit.

Both issues can be fixed by instead of open-coding the removal of the control
that is to be replaced to use snd_ctl_remove_user_ctl(). This function does
proper permission checks as well as decrements user_ctl_count after the control
has been removed.

Note that by using snd_ctl_remove_user_ctl() the check which returns -EBUSY at
beginning of the function if the control already exists is removed. This is not
a problem though since the check is quite useless, because the lock that is
protecting the control list is released between the check and before adding the
new control to the list, which means that it is possible that a different
control with the same settings is added to the list after the check. Luckily
there is another check that is done while holding the lock in snd_ctl_add(), so
we'll rely on that to make sure that the same control is not added twice.
Signed-off-by: NLars-Peter Clausen <lars@metafoo.de>
Acked-by: NJaroslav Kysela <perex@perex.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      82262a46
    • L
      ALSA: control: Protect user controls against concurrent access · 07f4d9d7
      Lars-Peter Clausen 提交于 
      The user-control put and get handlers as well as the tlv do not protect against
concurrent access from multiple threads. Since the state of the control is not
updated atomically it is possible that either two write operations or a write
and a read operation race against each other. Both can lead to arbitrary memory
disclosure. This patch introduces a new lock that protects user-controls from
concurrent access. Since applications typically access controls sequentially
than in parallel a single lock per card should be fine.
Signed-off-by: NLars-Peter Clausen <lars@metafoo.de>
Acked-by: NJaroslav Kysela <perex@perex.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      07f4d9d7
  3. 13 6月, 2014 3 次提交
  5. 12 6月, 2014 3 次提交
  7. 10 6月, 2014 1 次提交
  9. 09 6月, 2014 2 次提交
  11. 06 6月, 2014 4 次提交
  13. 05 6月, 2014 1 次提交
  15. 04 6月, 2014 8 次提交
  17. 03 6月, 2014 3 次提交
    • T
      ASoC: Fix wrong argument for card remove callbacks · 16088cb6
      Takashi Iwai 提交于 
      The commit [e1d4d3c8: ASoC: free jack GPIOs before the sound card is
freed] introduced snd_soc_card remove callbacks to a few drivers, but
they are implemented with a wrong argument type.  The callback should
receive snd_soc_card pointer instead of snd_soc_pcm_runtime.

Fixes: e1d4d3c8 ('ASoC: free jack GPIOs before the sound card is freed')
Acked-by: NMark Brown <broonie@linaro.org>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      16088cb6
    • S
      ASoC: free jack GPIOs before the sound card is freed · e1d4d3c8
      Stephen Warren 提交于 
      This is the same change as commit fb6b8e71 "ASoC: tegra: free jack
GPIOs before the sound card is freed", but applied to all other ASoC
machine drivers where code inspection indicates the same problem exists.

That commit's description is:
==========
snd_soc_jack_add_gpios() schedules a work queue item to poll the GPIO to
generate an initial jack status report. If sound card initialization
fails, that work item needs to be cancelled, so it doesn't run after the
card has been freed. Specifically, freeing the card calls
snd_jack_dev_free() which calls snd_jack_dev_disconnect() which sets
jack->input_dev = NULL, and input_dev is used by snd_jack_report(), which
is called from the work queue item.

snd_soc_jack_free_gpios() cancels the work item. The Tegra ASoC machine
drivers do call this function in the platform driver remove() callback.
However, this happens after the sound card is freed, at least when the
card is freed due to errors late during snd_soc_instantiate_card(). This
leaves a window where the work item can execute after the card is freed.
In next-20140522, sound card initialization does fail for unrelated
reasons, and hits the problem described above.

To solve this, fix the Tegra ASoC machine drivers to clean up the Jack
GPIOs during the snd_soc_card's .remove() callback, which is executed
before the overall card object is freed. also, guard the cleanup call
based on whether we actually setup up the GPIOs in the first place.
Ideally, we'd do the cleanup in a struct snd_soc_dai_link .fini/remove
function to match where the GPIOs get set up. However, there is no such
callback.
==========

Note that I have not even compile-tested this in most cases, since most
of the drivers rely on specific mach-* support I don't have enabled, and
don't support COMPILE_TEST. Testing by the relevant board maintainers
would be useful.
Signed-off-by: NStephen Warren <swarren@nvidia.com>
Signed-off-by: NMark Brown <broonie@linaro.org>
      e1d4d3c8
    • T
      ALSA: firewire-lib: Remove a comment about restriction of asynchronous operation · c8109b57
      Takashi Sakamoto 提交于 
      The comment for fcp_avc_transaction() describes it doesn't support this type
of operation. But it was already supported by this commit.

00a7bb81
ALSA: firewire-lib: Add support for deferred transaction
Signed-off-by: NTakashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      c8109b57
  19. 02 6月, 2014 11 次提交
  21. 01 6月, 2014 1 次提交