- 06 May, 2019 2 commits
-
-
Dan Carpenter authored
This function is called from load_guspatch() and the rate is specified by the user. If they accidentally selected zero then it would crash the kernel. I've just changed the zero to a one. Signed-off-by:
Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:
Takashi Iwai <tiwai@suse.de>
-
Takashi Iwai authored
Signed-off-by:
-
- 03 May, 2019 1 commit
-
-
Ross Zwisler authored
Several sound related entries in MAINTAINERS refer to the old git tree at "git://git.alsa-project.org/alsa-kernel.git". This is no longer used for development, and Takashi Iwai's kernel.org tree is used instead. Signed-off-by:
Ross Zwisler <zwisler@google.com> Reviewed-by:
Takashi Sakamoto <o-takashi@sakamocchi.jp> Signed-off-by:
-
- 30 Apr, 2019 2 commits
-
-
Takashi Iwai authored
Some ASUS models like Q325UAR with ALC295 codec requires the same fixup that has been applied to ALC294 codec. Just copy the entry with the pin matching to cover ALC295 too. BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1784485 Cc: <stable@vger.kernel.org> Signed-off-by:
-
Takashi Iwai authored
Currently the IRQ handler in HD-audio controller driver is registered before the chip initialization. That is, we have some window opened between the azx_acquire_irq() call and the CORB/RIRB setup. If an interrupt is triggered in this small window, the IRQ handler may access to the uninitialized RIRB buffer, which leads to a NULL dereference Oops. This is usually no big problem since most of Intel chips do register the IRQ via MSI, and we've already fixed the order of the IRQ enablement and the CORB/RIRB setup in the former commit b61749a8 ("sound: enable interrupt after dma buffer initialization"), hence the IRQ won't be triggered in that room. However, some platforms use a shared IRQ, and this may allow the IRQ trigger by another source. Another possibility is the kdump environment: a stale interrupt might be present in there, the IRQ handler can be falsely triggered as well. For covering this small race, let's move the azx_acquire_irq() call after hda_intel_init_chip() call. Although this is a bit radical change, it can cover more widely than checking the CORB/RIRB setup locally in the callee side. Reported-by:
Liwei Song <liwei.song@windriver.com> Signed-off-by:
-
- 29 Apr, 2019 3 commits
-
-
Wenwen Wang authored
In usX2Y_In04_init(), a new urb is firstly created through usb_alloc_urb() and saved to 'usX2Y->In04urb'. Then, a buffer is allocated through kmalloc() and saved to 'usX2Y->In04Buf'. If the allocation of the buffer fails, the error code ENOMEM is returned after usb_free_urb(), which frees the created urb. However, the urb is actually freed at card->private_free callback, i.e., snd_usX2Y_card_private_free(). So the free operation here leads to a double free bug. To fix the above issue, simply remove usb_free_urb(). Signed-off-by:
Wenwen Wang <wang6495@umn.edu> Signed-off-by:
-
Bard liao authored
In ASoC driver, snd_hdac_device_register() will be called by snd_hdac_ext_bus_device_init() and snd_hdac_device_unregister() will called by snd_hdac_ext_bus_device_remove(). However when ASoC codec driver call snd_hda_codec_device_new() to create a new hda codec, it will assign snd_hda_codec_dev_free() to the dev_free ops and snd_hda_codec_dev_free() will call snd_hdac_device_unregister(). As a result, snd_hdac_device_unregister() will be called twice in ASoC driver. To prevent it, we use hdev type to determine if the hda codec is registered by legacy HDA driver or ASoC driver and unregister device in snd_hda_codec_dev_free() only if it is a legacy HDA device. This patch will overwrite the hdev type so that we can know it is a ASoC device. Signed-off-by:
Bard liao <yung-chuan.liao@linux.intel.com> Signed-off-by:
-
Bard liao authored
snd_hda_codec_device_new() is used by both legacy HDA and ASoC driver. However, we will call snd_hdac_device_unregister() in snd_hdac_ext_bus_device_remove() for ASoC device. This patch uses the type flag in hdac_device struct to determine is it a ASoC device or legacy HDA device and call snd_hdac_device_unregister() in snd_hda_codec_dev_free() only if it is a legacy HDA device. Signed-off-by:
-
- 28 Apr, 2019 5 commits
-
-
Greg Kroah-Hartman authored
The line6 driver uses a lot of USB buffers off of the stack, which is not allowed on many systems, causing the driver to crash on some of them. Fix this up by dynamically allocating the buffers with kmalloc() which allows for proper DMA-able memory. Reported-by:
Christo Gouws <gouws.christo@gmail.com> Reported-by:
Alan Stern <stern@rowland.harvard.edu> Tested-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by:
-
Wenwen Wang authored
In parse_audio_selector_unit(), the string array 'namelist' is allocated through kmalloc_array(), and each string pointer in this array, i.e., 'namelist[]', is allocated through kmalloc() in the following for loop. Then, a control instance 'kctl' is created by invoking snd_ctl_new1(). If an error occurs during the creation process, the string array 'namelist', including all string pointers in the array 'namelist[]', should be freed, before the error code ENOMEM is returned. However, the current code does not free 'namelist[]', resulting in memory leaks. To fix the above issue, free all string pointers 'namelist[]' in a loop. Signed-off-by:
-
Fuqian Huang authored
Pointers should be printed with %p or %px rather than cast to long type and printed with %lx. Drop the address printing. Signed-off-by:
Fuqian Huang <huangfq.daxian@gmail.com> Signed-off-by:
-
Kailang Yang authored
Let EAPD turn on after set pin output. [ NOTE: This change is supposed to reduce the possible click noises at (runtime) PM resume. The functionality should be same (i.e. the verbs are executed correctly) no matter which order is, so this should be safe to apply for all codecs -- tiwai ] Signed-off-by:
Kailang Yang <kailang@realtek.com> Cc: <stable@vger.kernel.org> Signed-off-by:
-
Kailang Yang authored
Fixed Dell AIO speaker noise. spec->gen.auto_mute_via_amp = 1, this option was solved speaker white noise at boot. codec->power_save_node = 0, this option was solved speaker noise at resume back. Fixes: 92266651 ("ALSA: hda/realtek - Fix Dell AIO LineOut issue") Signed-off-by:
-
- 24 Apr, 2019 2 commits
-
-
Takashi Iwai authored
The error from snd_usb_mixer_apply_create_quirk() is ignored in the current usb-audio driver code, which will continue the probing even after the error. Let's take it more serious. Fixes: 7b1eda22 ("ALSA: usb-mixer: factor out quirks") Signed-off-by:
-
Kailang Yang authored
Add two Dell platform for headset mode. [ Note: this is a further correction / addition of the previous pin-based quirks for Dell machines; another entry for ALC236 with the d-mic pin 0x12 and an entry for ALC295 -- tiwai ] Fixes: b26e36b7 ("ALSA: hda/realtek - add two more pin configuration sets to quirk table") Signed-off-by:
-
- 17 Apr, 2019 4 commits
-
-
YueHaibing authored
Fixes gcc '-Wunused-but-set-variable' warnings: sound/ppc/snd_ps3.c: In function 'snd_ps3_program_dma': sound/ppc/snd_ps3.c:236:8: warning: variable 'start_vaddr' set but not used [-Wunused-but-set-variable] sound/ppc/snd_ps3.c: In function 'snd_ps3_pcm_open': sound/ppc/snd_ps3.c:529:6: warning: variable 'pcm_index' set but not used [-Wunused-but-set-variable] They are never used and can be removed. Reported-by:
Hulk Robot <hulkci@huawei.com> Signed-off-by:
YueHaibing <yuehaibing@huawei.com> Acked-by:
Geoff Levand <geoff@infradead.org> Signed-off-by:
-
Hui Wang authored
We have two Dell laptops which have the codec 10ec0236 and 10ec0256 respectively, the headset mic on them can't work, need to apply the quirk of ALC255_FIXUP_DELL1_MIC_NO_PRESENCE. So adding their pin configurations in the pin quirk table. Cc: <stable@vger.kernel.org> Signed-off-by:
Hui Wang <hui.wang@canonical.com> Signed-off-by:
-
Takashi Iwai authored
The snd_cards[] array holds the card pointers that have been currently registered, and it's exported for the external modules that may need to refer a card object. But accessing to this array can be racy against the driver probe or removal, as the card registration or free may happen concurrently. This patch gets rid of the direct access to snd_cards[] array and provides a helper function to give the card object from the index number with a refcount management. Then the caller can access to the given card object safely, and releases it via snd_card_unref(). While we're at it, add a proper comment to snd_card_unref() and make it an inlined function for type-safety, too. Signed-off-by: -
Takashi Iwai authored
The emu10k1 driver tries to create a unique id string by itself when it's copied from the card list, but it's rather superfluous, as the same thing will be done in ALSA core side at the card registration. Let's drop the code. This allows us removing snd_cards export. Signed-off-by:
-
- 16 Apr, 2019 2 commits
-
-
Takashi Iwai authored
There is a small race window in the card disconnection code that allows the registration of another card with the very same card id. This leads to a warning in procfs creation as caught by syzkaller. The problem is that we delete snd_cards and snd_cards_lock entries at the very beginning of the disconnection procedure. This makes the slot available to be assigned for another card object while the disconnection procedure is being processed. Then it becomes possible to issue a procfs registration with the existing file name although we check the conflict beforehand. The fix is simply to move the snd_cards and snd_cards_lock clearances at the end of the disconnection procedure. The references to these entries are merely either from the global proc files like /proc/asound/cards or from the card registration / disconnection, so it should be fine to shift at the very end. Reported-by: syzbot+48df349490c36f9f54ab@syzkaller.appspotmail.com Cc: <stable@vger.kernel.org> Signed-off-by: -
Takashi Iwai authored
The ALSA proc helper manages the child nodes in a linked list, but its addition and deletion is done without any lock. This leads to a corruption if they are operated concurrently. Usually this isn't a problem because the proc entries are added sequentially in the driver probe procedure itself. But the card registrations are done often asynchronously, and the crash could be actually reproduced with syzkaller. This patch papers over it by protecting the link addition and deletion with the parent's mutex. There is "access" mutex that is used for the file access, and this can be reused for this purpose as well. Reported-by: syzbot+48df349490c36f9f54ab@syzkaller.appspotmail.com Cc: <stable@vger.kernel.org> Signed-off-by:
-
- 15 Apr, 2019 2 commits
-
-
Takashi Iwai authored
The doubly unlock sequence at snd_seq_client_ioctl_unlock() is tricky. I took a direct unref call since I thought it would avoid misunderstanding, but rather this seems more confusing. Let's use snd_seq_client_unlock() consistently even if they look strange to be called twice, and add more comments for avoiding reader's confusion. Fixes: 6b580f52 ("ALSA: seq: Protect racy pool manipulation from OSS sequencer") Reviewed-by:
Kai Vehmanen <kai.vehmanen@linux.intel.com> Signed-off-by:
-
Roope Salmi authored
The device reports Synch: Synchronous on the playback interface. This causes regular audible napping on sample rates that are not multiples of 1 kHz. Fix to Synch: Asynchronous. Specifically observed on Focusrite Scarlett Solo 2nd generation. I assume the first generation model has a different device ID. A first generation Scarlett 2i2 I was able to test advertised Synch: Asynchronous by default. For example, with a sample rate of 44100 Hz, a silent sample is played every 40.96 seconds (likely 44.0 samples instead of 44.1 transmitted per USB frame on average, 4096 being the size of some internal buffer). There may be some other bug at play here since this doesn't happen on other platforms. However, a feedback endpoint is listed and using it fixes the issue. That is the only change in the quirk, but I didn't find a way to declare only it. Tested on two units and on two different computers. Signed-off-by:
Roope Salmi <rpsalmi@gmail.com> Signed-off-by:
-
- 13 Apr, 2019 3 commits
-
-
Takashi Iwai authored
Some fields in snd_hdac_bus are ext-bus specific, but they still should be initialized in snd_hdac_bus_init() for consistency, at least, for the ones that do need the explicit initialization like the list head. Also move the lock field to the more appropriate place and correct the comment to reflect the recent change where it serves for both the display power and the link management. Signed-off-by: -
Takashi Iwai authored
Back-merge the 5.1 devel branch for the further HD-audio development. Signed-off-by: -
Takashi Iwai authored
The recent commit 98081ca6 ("ALSA: hda - Record the current power state before suspend/resume calls") made the HD-audio driver to store the PM state in power_state field. This forgot, however, the initialization at power up. Although the codec drivers usually don't need to refer to this field in the normal operation, let's initialize it properly for consistency. Fixes: 98081ca6 ("ALSA: hda - Record the current power state before suspend/resume calls") Signed-off-by:
-
- 12 Apr, 2019 3 commits
-
-
Takashi Iwai authored
OSS sequencer emulation still allows to queue and issue the events that manipulate the client pool concurrently in a racy way. This patch serializes the access like the normal sequencer write / ioctl via taking the client ioctl_mutex. Since the access to the sequencer client is done indirectly via a client id number, a new helper to take/release the mutex is introduced. Signed-off-by: -
Takashi Iwai authored
We have two helpers for queuing a sequencer event from the kernel client, and both are used only from OSS sequencer layer without any hop and atomic set. Let's simplify and unify two helpers into one. No functional change, just a call pattern change. Signed-off-by: -
Takashi Iwai authored
The call of unsubscribe_port() which manages the group count and module refcount from delete_and_unsubscribe_port() looks racy; it's not covered by the group list lock, and it's likely a cause of the reported unbalance at port deletion. Let's move the call inside the group list_mutex to plug the hole. Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com Signed-off-by:
-
- 11 Apr, 2019 2 commits
-
-
Takashi Iwai authored
This reverts commit feb68902. The fix attempt was incorrect, leading to the mutex deadlock through the close of OSS sequencer client. The proper fix needs more consideration, so let's revert it now. Fixes: feb68902 ("ALSA: seq: Protect in-kernel ioctl calls with mutex") Reported-by: syzbot+47ded6c0f23016cde310@syzkaller.appspotmail.com Signed-off-by:
-
Takashi Iwai authored
Merge tag 'asoc-fix-v5.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus ASoC: Fixes for v5.1 A few core fixes along with the driver specific ones, mainly fixing small issues that only affect x86 platforms for various reasons (their unusual machine enumeration mechanisms mainly, plus a fix for error handling in topology). There's some of the driver fixes that look larger than they are, like the hdmi-codec changes which resulted in an indentation change, and most of the other large changes are for new drivers like the STM32 changes.
-
- 10 Apr, 2019 7 commits
-
-
Marc Gonzalez authored
wcd9335.c: undefined reference to 'devm_regmap_add_irq_chip' Signed-off-by:
Marc Gonzalez <marc.w.gonzalez@free.fr> Signed-off-by:
Mark Brown <broonie@kernel.org>
-
Takashi Iwai authored
snd_hdac_display_power() doesn't handle the concurrent calls carefully enough, and it may lead to the doubly get_power or put_power calls, when a runtime PM and an async work get called in racy way. This patch addresses it by reusing the bus->lock mutex that has been used for protecting the link state change in ext bus code, so that it can protect against racy display state changes. The initialization of bus->lock was moved from snd_hdac_ext_bus_init() to snd_hdac_bus_init() as well accordingly. Testcase: igt/i915_pm_rpm/module-reload #glk-dsi Reported-by:
Chris Wilson <chris@chris-wilson.co.uk> Reviewed-by:
-
Ranjani Sridharan authored
Handle error before returning when try_module_get() fails to prevent inconsistent mutex lock/unlock. Fixes: 52034add (ASoC: pcm: update module refcount if module_get_upon_open is set) Signed-off-by:
Ranjani Sridharan <ranjani.sridharan@linux.intel.com> Signed-off-by:
-
Olivier Moysan authored
When master clock is used, master clock rate is set exclusively. Parent clocks of master clock cannot be changed after a call to clk_set_rate_exclusive(). So the parent clock of SAI kernel clock must be set before. Ensure also that exclusive rate operations are balanced in STM32 SAI driver. Signed-off-by:
Olivier Moysan <olivier.moysan@st.com> Signed-off-by:
-
Tzung-Bi Shih authored
Fix wrong setting on number of channels. The context wants to set constraint to 2 channels instead of 4. Signed-off-by:
Tzung-Bi Shih <tzungbi@google.com> Acked-by:
Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com> Signed-off-by:
-
Takashi Iwai authored
Avoid old school C style but do plain and clear way. Signed-off-by: -
Takashi Iwai authored
Just a minor refactoring to use the standard goto for error paths in snd_timer_open() instead of open code. The first mutex_lock() is moved to the beginning of the function to make the code clearer. Signed-off-by:
-
- 09 Apr, 2019 2 commits
-
-
Takashi Iwai authored
The snd_seq_ioctl_get_subscription() retrieves the port subscriber information as a pointer, while the object isn't protected, hence it may be deleted before the actual reference. This race was spotted by syzkaller and may lead to a UAF. The fix is simply copying the data in the lookup function that performs in the rwsem to protect against the deletion. Reported-by: syzbot+9437020c82413d00222d@syzkaller.appspotmail.com Signed-off-by: -
Takashi Iwai authored
ALSA OSS sequencer calls the ioctl function indirectly via snd_seq_kernel_client_ctl(). While we already applied the protection against races between the normal ioctls and writes via the client's ioctl_mutex, this code path was left untouched. And this seems to be the cause of still remaining some rare UAF as spontaneously triggered by syzkaller. For the sake of robustness, wrap the ioctl_mutex also for the call via snd_seq_kernel_client_ctl(), too. Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com Signed-off-by:
-
