1. 19 Sep, 2017 1 commit
    • Meng Xu's avatar
      ALSA: asihpi: fix a potential double-fetch bug when copying puhm · e1af344d
      Meng Xu authored
      The hm->h.size is intended to hold the actual size of the hm struct
      that is copied from userspace and should always be <= sizeof(*hm).
      
      However, after copy_from_user(hm, puhm, hm->h.size), since userspace
      process has full control over the memory region pointed by puhm, it is
      possible that the value of hm->h.size is different from what is fetched-in
      previously (get_user(hm->h.size, (u16 __user *)puhm)). In other words,
      hm->h.size is overriden and the relation between hm->h.size and the hm
      struct is broken.
      
      This patch proposes to use a seperate variable, msg_size, to hold
      the value of the first fetch and override hm->h.size to msg_size
      after the second fetch to maintain the relation.
      Signed-off-by: default avatarMeng Xu <mengxu.gatech@gmail.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      e1af344d
  2. 18 Sep, 2017 1 commit
  3. 12 Sep, 2017 2 commits
    • Takashi Iwai's avatar
      ALSA: seq: Cancel pending autoload work at unbinding device · fc27fe7e
      Takashi Iwai authored
      ALSA sequencer core has a mechanism to load the enumerated devices
      automatically, and it's performed in an off-load work.  This seems
      causing some race when a sequencer is removed while the pending
      autoload work is running.  As syzkaller spotted, it may lead to some
      use-after-free:
        BUG: KASAN: use-after-free in snd_rawmidi_dev_seq_free+0x69/0x70
        sound/core/rawmidi.c:1617
        Write of size 8 at addr ffff88006c611d90 by task kworker/2:1/567
      
        CPU: 2 PID: 567 Comm: kworker/2:1 Not tainted 4.13.0+ #29
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
        Workqueue: events autoload_drivers
        Call Trace:
         __dump_stack lib/dump_stack.c:16 [inline]
         dump_stack+0x192/0x22c lib/dump_stack.c:52
         print_address_description+0x78/0x280 mm/kasan/report.c:252
         kasan_report_error mm/kasan/report.c:351 [inline]
         kasan_report+0x230/0x340 mm/kasan/report.c:409
         __asan_report_store8_noabort+0x1c/0x20 mm/kasan/report.c:435
         snd_rawmidi_dev_seq_free+0x69/0x70 sound/core/rawmidi.c:1617
         snd_seq_dev_release+0x4f/0x70 sound/core/seq_device.c:192
         device_release+0x13f/0x210 drivers/base/core.c:814
         kobject_cleanup lib/kobject.c:648 [inline]
         kobject_release lib/kobject.c:677 [inline]
         kref_put include/linux/kref.h:70 [inline]
         kobject_put+0x145/0x240 lib/kobject.c:694
         put_device+0x25/0x30 drivers/base/core.c:1799
         klist_devices_put+0x36/0x40 drivers/base/bus.c:827
         klist_next+0x264/0x4a0 lib/klist.c:403
         next_device drivers/base/bus.c:270 [inline]
         bus_for_each_dev+0x17e/0x210 drivers/base/bus.c:312
         autoload_drivers+0x3b/0x50 sound/core/seq_device.c:117
         process_one_work+0x9fb/0x1570 kernel/workqueue.c:2097
         worker_thread+0x1e4/0x1350 kernel/workqueue.c:2231
         kthread+0x324/0x3f0 kernel/kthread.c:231
         ret_from_fork+0x25/0x30 arch/x86/entry/entry_64.S:425
      
      The fix is simply to assure canceling the autoload work at removing
      the device.
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Tested-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      fc27fe7e
    • Markus Elfring's avatar
      ALSA: firewire: Use common error handling code in snd_motu_stream_start_duplex() · f16e666b
      Markus Elfring authored
      Add a jump target so that a bit of exception handling can be better reused
      at the end of this function.
      
      This issue was detected by using the Coccinelle software.
      Signed-off-by: default avatarMarkus Elfring <elfring@users.sourceforge.net>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      f16e666b
  4. 07 Sep, 2017 10 commits
  5. 04 Sep, 2017 11 commits
  6. 03 Sep, 2017 1 commit
    • Wang YanQing's avatar
      ALSA: hda: Fix regression of hdmi eld control created based on invalid pcm · 1f7f51a6
      Wang YanQing authored
      Commit fb087eaa ("ALSA: hda - hdmi eld control created based on pcm")
      forget to filter out invalid pcm numbers, if there is only one invalid pcm
      number, then this issue causes we create eld control for invalid pcm silently,
      but when there are more than one invalid pcm numbers, then this issue bring
      probe error looks like below dmesg:
      "
      kernel: [    1.647283] snd_hda_intel 0000:00:03.0: bound 0000:00:02.0 (ops 0xc2967540)
      kernel: [    1.651192] snd_hda_intel 0000:00:03.0: Too many HDMI devices
      kernel: [    1.651195] snd_hda_intel 0000:00:03.0: Consider building the kernel with CONFIG_SND_DYNAMIC_MINORS=y
      kernel: [    1.651197] snd_hda_intel 0000:00:03.0: Too many HDMI devices
      kernel: [    1.651199] snd_hda_intel 0000:00:03.0: Consider building the kernel with CONFIG_SND_DYNAMIC_MINORS=y
      kernel: [    1.651201] snd_hda_intel 0000:00:03.0: Too many HDMI devices
      kernel: [    1.651203] snd_hda_intel 0000:00:03.0: Consider building the kernel with CONFIG_SND_DYNAMIC_MINORS=y
      kernel: [    1.651676] snd_hda_intel 0000:00:03.0: control 3:0:0:ELD:0 is already present
      kernel: [    1.651787] snd_hda_codec_hdmi: probe of hdaudioC0D0 failed with error -16
      "
      
      This patch add invalid pcm number filter before calling hdmi_create_eld_ctl.
      
      Fixes: fb087eaa ("ALSA: hda - hdmi eld control created based on pcm")
      Signed-off-by: default avatarWang YanQing <udknight@gmail.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      1f7f51a6
  7. 01 Sep, 2017 14 commits