1. 15 Jan, 2019 6 commits
    • Silvio Cesare's avatar
      ASoC: imx-audmux: change snprintf to scnprintf for possible overflow · c407cd00
      Silvio Cesare authored
      Change snprintf to scnprintf. There are generally two cases where using
      snprintf causes problems.
      
      1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
      In this case, if snprintf would have written more characters than what the
      buffer size (SIZE) is, then size will end up larger than SIZE. In later
      uses of snprintf, SIZE - size will result in a negative number, leading
      to problems. Note that size might already be too large by using
      size = snprintf before the code reaches a case of size += snprintf.
      
      2) If size is ultimately used as a length parameter for a copy back to user
      space, then it will potentially allow for a buffer overflow and information
      disclosure when size is greater than SIZE. When the size is used to index
      the buffer directly, we can have memory corruption. This also means when
      size = snprintf... is used, it may also cause problems since size may become
      large.  Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
      configuration.
      
      The solution to these issues is to use scnprintf which returns the number of
      characters actually written to the buffer, so the size variable will never
      exceed SIZE.
      Signed-off-by: default avatarSilvio Cesare <silvio.cesare@gmail.com>
      Cc: Timur Tabi <timur@kernel.org>
      Cc: Nicolin Chen <nicoleotsuka@gmail.com>
      Cc: Mark Brown <broonie@kernel.org>
      Cc: Xiubo Li <Xiubo.Lee@gmail.com>
      Cc: Fabio Estevam <fabio.estevam@nxp.com>
      Cc: Dan Carpenter <dan.carpenter@oracle.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: Greg KH <greg@kroah.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      Acked-by: default avatarNicolin Chen <nicoleotsuka@gmail.com>
      Reviewed-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      c407cd00
    • Gustavo A. R. Silva's avatar
      ASoC: rt5514-spi: Fix potential NULL pointer dereference · 060d0bf4
      Gustavo A. R. Silva authored
      There is a potential NULL pointer dereference in case devm_kzalloc()
      fails and returns NULL.
      
      Fix this by adding a NULL check on rt5514_dsp.
      
      This issue was detected with the help of Coccinelle.
      
      Fixes: 6eebf35b ("ASoC: rt5514: add rt5514 SPI driver")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      060d0bf4
    • Silvio Cesare's avatar
      ASoC: dapm: change snprintf to scnprintf for possible overflow · e581e151
      Silvio Cesare authored
      Change snprintf to scnprintf. There are generally two cases where using
      snprintf causes problems.
      
      1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
      In this case, if snprintf would have written more characters than what the
      buffer size (SIZE) is, then size will end up larger than SIZE. In later
      uses of snprintf, SIZE - size will result in a negative number, leading
      to problems. Note that size might already be too large by using
      size = snprintf before the code reaches a case of size += snprintf.
      
      2) If size is ultimately used as a length parameter for a copy back to user
      space, then it will potentially allow for a buffer overflow and information
      disclosure when size is greater than SIZE. When the size is used to index
      the buffer directly, we can have memory corruption. This also means when
      size = snprintf... is used, it may also cause problems since size may become
      large.  Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
      configuration.
      
      The solution to these issues is to use scnprintf which returns the number of
      characters actually written to the buffer, so the size variable will never
      exceed SIZE.
      Signed-off-by: default avatarSilvio Cesare <silvio.cesare@gmail.com>
      Cc: Liam Girdwood <lgirdwood@gmail.com>
      Cc: Mark Brown <broonie@kernel.org>
      Cc: Dan Carpenter <dan.carpenter@oracle.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: Greg KH <greg@kroah.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      e581e151
    • Shuming Fan's avatar
      ASoC: rt5682: Fix PLL source register definitions · ee7ea2a9
      Shuming Fan authored
      Fix typo which causes headphone no sound while using BCLK
      as PLL source.
      Signed-off-by: default avatarShuming Fan <shumingf@realtek.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      ee7ea2a9
    • Matthias Reichl's avatar
      ASoC: core: Don't defer probe on optional, NULL components · 2833548e
      Matthias Reichl authored
      cpu and platform are optional components in DAI links. For example
      codec-codec links usually have no platform set.
      
      Call snd_soc_find_component only if the name or of_node of
      a cpu or platform is set. Otherwise it will return NULL and
      soc_init_dai_link bails out immediately with -EPROBE_DEFER,
      meaning registering a card with NULL cpu or platform in DAI links
      can never succeed.
      
      Fixes: 8780cf11 ("ASoC: soc-core: defer card probe until all component is added to list")
      Signed-off-by: default avatarMatthias Reichl <hias@horus.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      2833548e
    • Mark Brown's avatar
      ASoC: core: Make snd_soc_find_component() more robust · 5a7b2aab
      Mark Brown authored
      There are some use cases where you're checking for a lot of things on a
      card and it makes sense that you might end up trying to call
      snd_soc_find_component() without either a name or an of_node.  Currently
      in that case we try to dereference the name and crash but it's more
      useful to allow the caller to just treat that as a case where we don't
      find anything, that error handling will already exist.
      
      Inspired by a patch from Ajit Pandey fixing some callers.
      
      Fixes: 8780cf11 ("ASoC: soc-core: defer card probe until all component is added to list")
      Reported-by: default avatarPierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      5a7b2aab
  2. 14 Jan, 2019 1 commit
    • Curtis Malainey's avatar
      ASoC: soc-core: fix init platform memory handling · 09ac6a81
      Curtis Malainey authored
      snd_soc_init_platform initializes pointers to snd_soc_dai_link which is
      statically allocated and it does this by devm_kzalloc. In the event of
      an EPROBE_DEFER the memory will be freed and the pointers are left
      dangling. snd_soc_init_platform sees the dangling pointers and assumes
      they are pointing to initialized memory and does not reallocate them on
      the second probe attempt which results in a use after free bug since
      devm has freed the memory from the first probe attempt.
      
      Since the intention for snd_soc_dai_link->platform is that it can be set
      statically by the machine driver we need to respect the pointer in the
      event we did not set it but still catch dangling pointers. The solution
      is to add a flag to track whether the pointer was dynamically allocated
      or not.
      Signed-off-by: default avatarCurtis Malainey <cujomalainey@chromium.org>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      09ac6a81
  3. 10 Jan, 2019 1 commit
  4. 09 Jan, 2019 2 commits
  5. 07 Jan, 2019 2 commits
  6. 04 Jan, 2019 2 commits
  7. 03 Jan, 2019 12 commits
  8. 18 Dec, 2018 11 commits
  9. 16 Dec, 2018 1 commit
  10. 14 Dec, 2018 2 commits
    • Linus Torvalds's avatar
      Merge branch 'akpm' (patches from Andrew) · 6531e115
      Linus Torvalds authored
      Merge misc fixes from Andrew Morton:
       "11 fixes"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>:
        scripts/spdxcheck.py: always open files in binary mode
        checkstack.pl: fix for aarch64
        userfaultfd: check VM_MAYWRITE was set after verifying the uffd is registered
        fs/iomap.c: get/put the page in iomap_page_create/release()
        hugetlbfs: call VM_BUG_ON_PAGE earlier in free_huge_page()
        memblock: annotate memblock_is_reserved() with __init_memblock
        psi: fix reference to kernel commandline enable
        arch/sh/include/asm/io.h: provide prototypes for PCI I/O mapping in asm/io.h
        mm/sparse: add common helper to mark all memblocks present
        mm: introduce common STRUCT_PAGE_MAX_SHIFT define
        alpha: fix hang caused by the bootmem removal
      6531e115
    • Thierry Reding's avatar
      scripts/spdxcheck.py: always open files in binary mode · 3a6ab5c7
      Thierry Reding authored
      The spdxcheck script currently falls over when confronted with a binary
      file (such as Documentation/logo.gif).  To avoid that, always open files
      in binary mode and decode line-by-line, ignoring encoding errors.
      
      One tricky case is when piping data into the script and reading it from
      standard input.  By default, standard input will be opened in text mode,
      so we need to reopen it in binary mode.
      
      The breakage only happens with python3 and results in a
      UnicodeDecodeError (according to Uwe).
      
      Link: http://lkml.kernel.org/r/20181212131210.28024-1-thierry.reding@gmail.com
      Fixes: 6f4d29df ("scripts/spdxcheck.py: make python3 compliant")
      Signed-off-by: default avatarThierry Reding <treding@nvidia.com>
      Reviewed-by: default avatarJeremy Cline <jcline@redhat.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Jonathan Corbet <corbet@lwn.net>
      Cc: Joe Perches <joe@perches.com>
      Cc: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      3a6ab5c7