1. 22 Jan, 2019 1 commit
  2. 21 Jan, 2019 1 commit
  3. 18 Jan, 2019 1 commit
    • Russell King's avatar
      ASoC: hdmi-codec: fix oops on re-probe · 0ce23d6d
      Russell King authored
      hdmi-codec oopses the kernel when it is unbound from a successfully
      bound audio subsystem, and is then rebound:
      
      Unable to handle kernel NULL pointer dereference at virtual address 0000001c
      pgd = ee3f0000
      [0000001c] *pgd=3cc59831
      Internal error: Oops: 817 [#1] PREEMPT ARM
      Modules linked in: ext2 snd_soc_spdif_tx vmeta dove_thermal snd_soc_kirkwood ofpart marvell_cesa m25p80 orion_wdt mtd spi_nor des_generic gpio_ir_recv snd_soc_kirkwood_spdif bmm_dmabuf auth_rpcgss nfsd autofs4 etnaviv thermal_sys hwmon gpu_sched tda9950
      CPU: 0 PID: 1005 Comm: bash Not tainted 4.20.0+ #1762
      Hardware name: Marvell Dove (Cubox)
      PC is at hdmi_dai_probe+0x68/0x80
      LR is at find_held_lock+0x20/0x94
      pc : [<c04c7de0>]    lr : [<c0063bf4>]    psr: 600f0013
      sp : ee15bd28  ip : eebd8b1c  fp : c093b488
      r10: ee048000  r9 : eebdab18  r8 : ee048600
      r7 : 00000001  r6 : 00000000  r5 : 00000000  r4 : ee82c100
      r3 : 00000006  r2 : 00000001  r1 : c067e38c  r0 : ee82c100
      Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none[  297.318599] Control: 10c5387d  Table: 2e3f0019  DAC: 00000051
      Process bash (pid: 1005, stack limit = 0xee15a248)
      ...
      [<c04c7de0>] (hdmi_dai_probe) from [<c04b7060>] (soc_probe_dai.part.9+0x34/0x70)
      [<c04b7060>] (soc_probe_dai.part.9) from [<c04b81a8>] (snd_soc_instantiate_card+0x734/0xc9c)
      [<c04b81a8>] (snd_soc_instantiate_card) from [<c04b8b6c>] (snd_soc_add_component+0x29c/0x378)
      [<c04b8b6c>] (snd_soc_add_component) from [<c04b8c8c>] (snd_soc_register_component+0x44/0x54)
      [<c04b8c8c>] (snd_soc_register_component) from [<c04c64b4>] (devm_snd_soc_register_component+0x48/0x84)
      [<c04c64b4>] (devm_snd_soc_register_component) from [<c04c7be8>] (hdmi_codec_probe+0x150/0x260)
      [<c04c7be8>] (hdmi_codec_probe) from [<c0373124>] (platform_drv_probe+0x48/0x98)
      
      This happens because hdmi_dai_probe() attempts to access the HDMI
      codec private data, but this has not been assigned by hdmi_dai_probe()
      before it calls devm_snd_soc_register_component().  Move the call to
      dev_set_drvdata() before devm_snd_soc_register_component() to avoid
      this oops.
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Cc: stable@vger.kernel.org
      0ce23d6d
  4. 15 Jan, 2019 7 commits
    • Gustavo A. R. Silva's avatar
      ASoC: amd: Fix potential NULL pointer dereference · 4cb79ef9
      Gustavo A. R. Silva authored
      Check return value from call to devm_kzalloc() in order to prevent a
      potential NULL pointer dereference.
      
      Also, notice that it makes no sense to allocate any resources if
      res = platform_get_resource(pdev, IORESOURCE_MEM, 0); fails,
      so move the call to devm_kzalloc() below the mentioned code.
      
      Lastly, improve the use of sizeof in the call to devm_kzalloc() by
      changing it from sizeof(struct i2s_dev_data) to sizeof(*adata)
      
      This issue was detected with the help of Coccinelle.
      
      Fixes: ac289c7e ("ASoC: amd: add ACP3x PCM platform driver")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      4cb79ef9
    • Silvio Cesare's avatar
      ASoC: imx-audmux: change snprintf to scnprintf for possible overflow · c407cd00
      Silvio Cesare authored
      Change snprintf to scnprintf. There are generally two cases where using
      snprintf causes problems.
      
      1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
      In this case, if snprintf would have written more characters than what the
      buffer size (SIZE) is, then size will end up larger than SIZE. In later
      uses of snprintf, SIZE - size will result in a negative number, leading
      to problems. Note that size might already be too large by using
      size = snprintf before the code reaches a case of size += snprintf.
      
      2) If size is ultimately used as a length parameter for a copy back to user
      space, then it will potentially allow for a buffer overflow and information
      disclosure when size is greater than SIZE. When the size is used to index
      the buffer directly, we can have memory corruption. This also means when
      size = snprintf... is used, it may also cause problems since size may become
      large.  Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
      configuration.
      
      The solution to these issues is to use scnprintf which returns the number of
      characters actually written to the buffer, so the size variable will never
      exceed SIZE.
      Signed-off-by: default avatarSilvio Cesare <silvio.cesare@gmail.com>
      Cc: Timur Tabi <timur@kernel.org>
      Cc: Nicolin Chen <nicoleotsuka@gmail.com>
      Cc: Mark Brown <broonie@kernel.org>
      Cc: Xiubo Li <Xiubo.Lee@gmail.com>
      Cc: Fabio Estevam <fabio.estevam@nxp.com>
      Cc: Dan Carpenter <dan.carpenter@oracle.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: Greg KH <greg@kroah.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      Acked-by: default avatarNicolin Chen <nicoleotsuka@gmail.com>
      Reviewed-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      c407cd00
    • Gustavo A. R. Silva's avatar
      ASoC: rt5514-spi: Fix potential NULL pointer dereference · 060d0bf4
      Gustavo A. R. Silva authored
      There is a potential NULL pointer dereference in case devm_kzalloc()
      fails and returns NULL.
      
      Fix this by adding a NULL check on rt5514_dsp.
      
      This issue was detected with the help of Coccinelle.
      
      Fixes: 6eebf35b ("ASoC: rt5514: add rt5514 SPI driver")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      060d0bf4
    • Silvio Cesare's avatar
      ASoC: dapm: change snprintf to scnprintf for possible overflow · e581e151
      Silvio Cesare authored
      Change snprintf to scnprintf. There are generally two cases where using
      snprintf causes problems.
      
      1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
      In this case, if snprintf would have written more characters than what the
      buffer size (SIZE) is, then size will end up larger than SIZE. In later
      uses of snprintf, SIZE - size will result in a negative number, leading
      to problems. Note that size might already be too large by using
      size = snprintf before the code reaches a case of size += snprintf.
      
      2) If size is ultimately used as a length parameter for a copy back to user
      space, then it will potentially allow for a buffer overflow and information
      disclosure when size is greater than SIZE. When the size is used to index
      the buffer directly, we can have memory corruption. This also means when
      size = snprintf... is used, it may also cause problems since size may become
      large.  Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
      configuration.
      
      The solution to these issues is to use scnprintf which returns the number of
      characters actually written to the buffer, so the size variable will never
      exceed SIZE.
      Signed-off-by: default avatarSilvio Cesare <silvio.cesare@gmail.com>
      Cc: Liam Girdwood <lgirdwood@gmail.com>
      Cc: Mark Brown <broonie@kernel.org>
      Cc: Dan Carpenter <dan.carpenter@oracle.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: Greg KH <greg@kroah.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      e581e151
    • Shuming Fan's avatar
      ASoC: rt5682: Fix PLL source register definitions · ee7ea2a9
      Shuming Fan authored
      Fix typo which causes headphone no sound while using BCLK
      as PLL source.
      Signed-off-by: default avatarShuming Fan <shumingf@realtek.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      ee7ea2a9
    • Matthias Reichl's avatar
      ASoC: core: Don't defer probe on optional, NULL components · 2833548e
      Matthias Reichl authored
      cpu and platform are optional components in DAI links. For example
      codec-codec links usually have no platform set.
      
      Call snd_soc_find_component only if the name or of_node of
      a cpu or platform is set. Otherwise it will return NULL and
      soc_init_dai_link bails out immediately with -EPROBE_DEFER,
      meaning registering a card with NULL cpu or platform in DAI links
      can never succeed.
      
      Fixes: 8780cf11 ("ASoC: soc-core: defer card probe until all component is added to list")
      Signed-off-by: default avatarMatthias Reichl <hias@horus.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      2833548e
    • Mark Brown's avatar
      ASoC: core: Make snd_soc_find_component() more robust · 5a7b2aab
      Mark Brown authored
      There are some use cases where you're checking for a lot of things on a
      card and it makes sense that you might end up trying to call
      snd_soc_find_component() without either a name or an of_node.  Currently
      in that case we try to dereference the name and crash but it's more
      useful to allow the caller to just treat that as a case where we don't
      find anything, that error handling will already exist.
      
      Inspired by a patch from Ajit Pandey fixing some callers.
      
      Fixes: 8780cf11 ("ASoC: soc-core: defer card probe until all component is added to list")
      Reported-by: default avatarPierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      5a7b2aab
  5. 14 Jan, 2019 1 commit
    • Curtis Malainey's avatar
      ASoC: soc-core: fix init platform memory handling · 09ac6a81
      Curtis Malainey authored
      snd_soc_init_platform initializes pointers to snd_soc_dai_link which is
      statically allocated and it does this by devm_kzalloc. In the event of
      an EPROBE_DEFER the memory will be freed and the pointers are left
      dangling. snd_soc_init_platform sees the dangling pointers and assumes
      they are pointing to initialized memory and does not reallocate them on
      the second probe attempt which results in a use after free bug since
      devm has freed the memory from the first probe attempt.
      
      Since the intention for snd_soc_dai_link->platform is that it can be set
      statically by the machine driver we need to respect the pointer in the
      event we did not set it but still catch dangling pointers. The solution
      is to add a flag to track whether the pointer was dynamically allocated
      or not.
      Signed-off-by: default avatarCurtis Malainey <cujomalainey@chromium.org>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      09ac6a81
  6. 10 Jan, 2019 1 commit
  7. 09 Jan, 2019 2 commits
  8. 07 Jan, 2019 2 commits
  9. 04 Jan, 2019 2 commits
  10. 03 Jan, 2019 12 commits
  11. 18 Dec, 2018 10 commits