OSS sequencer emulation still allows to queue and issue the events
that manipulate the client pool concurrently in a racy way.  This
patch serializes the access like the normal sequencer write / ioctl
via taking the client ioctl_mutex.  Since the access to the sequencer
client is done indirectly via a client id number, a new helper to
take/release the mutex is introduced.
Signed-off-by: Takashi Iwai <tiwai@suse.de>

We have two helpers for queuing a sequencer event from the kernel
client, and both are used only from OSS sequencer layer without any
hop and atomic set.  Let's simplify and unify two helpers into one.

No functional change, just a call pattern change.
Signed-off-by: Takashi Iwai <tiwai@suse.de>

The call of unsubscribe_port() which manages the group count and
module refcount from delete_and_unsubscribe_port() looks racy; it's
not covered by the group list lock, and it's likely a cause of the
reported unbalance at port deletion.  Let's move the call inside the
group list_mutex to plug the hole.

Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>

This reverts commit feb68902.

The fix attempt was incorrect, leading to the mutex deadlock through
the close of OSS sequencer client.  The proper fix needs more
consideration, so let's revert it now.

Fixes: feb68902 ("ALSA: seq: Protect in-kernel ioctl calls with mutex")
Reported-by: syzbot+47ded6c0f23016cde310@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>

Avoid old school C style but do plain and clear way.
Signed-off-by: Takashi Iwai <tiwai@suse.de>

Just a minor refactoring to use the standard goto for error paths in
snd_timer_open() instead of open code.  The first mutex_lock() is
moved to the beginning of the function to make the code clearer.
Signed-off-by: Takashi Iwai <tiwai@suse.de>

The snd_seq_ioctl_get_subscription() retrieves the port subscriber
information as a pointer, while the object isn't protected, hence it
may be deleted before the actual reference.  This race was spotted by
syzkaller and may lead to a UAF.

The fix is simply copying the data in the lookup function that
performs in the rwsem to protect against the deletion.

Reported-by: syzbot+9437020c82413d00222d@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>

ALSA OSS sequencer calls the ioctl function indirectly via
snd_seq_kernel_client_ctl().  While we already applied the protection
against races between the normal ioctls and writes via the client's
ioctl_mutex, this code path was left untouched.  And this seems to be
the cause of still remaining some rare UAF as spontaneously triggered
by syzkaller.

For the sake of robustness, wrap the ioctl_mutex also for the call via
snd_seq_kernel_client_ctl(), too.

Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>

spin_lock_irqsave() is used unnecessarily in various places in
sequencer core code although it's pretty obvious that the context is
sleepable.  Remove irqsave and use the plain spin_lock_irq() in such
places for simplicity.
Signed-off-by: Takashi Iwai <tiwai@suse.de>

In a few places in sequencer core, we temporarily unlock / re-lock the
pool spin lock while waiting for the allocation in the blocking mode.
There spin_unlock_irq() / spin_lock_irq() pairs are called while
initially spin_lock_irqsave() is used (and spin_lock_irqrestore() at
the end of the function again).  This is likely OK for now, but it's a
bit confusing and error-prone.

This patch replaces these temporary relocking lines with the irqsave
variant to make the lock/unlock sequence more consistently.
Signed-off-by: Takashi Iwai <tiwai@suse.de>

Use kvmalloc() for allocating cell pools since the pool size can be
relatively small that may be covered better by slab.
Signed-off-by: Takashi Iwai <tiwai@suse.de>

This is essentially a revert of the commit a7588c89 ("ALSA: timer:
Check ack_list emptiness instead of bit flag").  The intended change
by the commit turns out to be insufficient, as snd_timer_close*()
always calls snd_timer_stop() that deletes the ack_list beforehand.

In theory, we can change the behavior of snd_timer_stop() to sync the
pending ack_list, but this will become a deadlock for the callback
like sequencer that calls again snd_timer_stop() from itself.  So,
reverting the change is a more straightforward solution.

Fixes: a7588c89 ("ALSA: timer: Check ack_list emptiness instead of bit flag")
Reported-by: syzbot+58813d77154713f4de15@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>

chip->ioport is dereferenced in two places, but the struct is
defined as follows:

struct mychip {
	struct snd_card *card;
	struct pci_dev *pci;

	unsigned long port;
	int irq;
};
Signed-off-by: Christina Quast <cquast@hanoverdisplays.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

Pull yet another ALSA core timer fixes and cleanups.
Signed-off-by: Takashi Iwai <tiwai@suse.de>

alloc_pages_exact() is more suitable choice for allocating the sound
buffers, as it doesn't need to align with power-of-two.  Along with
the conversion, we can drop __GFP_COMP as well.

The patch also replace the error messages to be more explicit.
Acked-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

snd_malloc_pages() and snd_free_pages() are merely thin wrappers of
the standard page allocator / free functions.  Even the arguments are
compatible with some standard helpers, so there is little merit of
keeping these wrappers.

This patch replaces the all existing callers of snd_malloc_pages() and
snd_free_pages() with the direct calls of the standard helper
functions.  In this version, we use a recently introduced one,
alloc_pages_exact(), which suits better than the old
snd_malloc_pages() implementation for our purposes.  Then we can avoid
the waste of pages by alignment to power-of-two.

Since alloc_pages_exact() does split pages, we need no longer
__GFP_COMP flag; or better to say, we must not pass __GFP_COMP to
alloc_pages_exact().  So the former unconditional addition of
__GFP_COMP flag in snd_malloc_pages() is dropped, as well as in most
other places.
Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Acked-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

snd_timer_close() is supposed to close the timer instance and sync
with the deactivation of pending actions.  However, there are still
some overlooked cases:

- It calls snd_timer_stop() at the beginning, but some other might
  re-trigger the timer right after that.

- snd_timer_stop() calls del_timer_sync() only when all belonging
  instances are closed.  If multiple instances were assigned to a
  timer object and one is closed, the timer is still running.  Then
  the pending action assigned to this timer might be left.

Actually either of the above is the likely cause of the reported
syzkaller UAF.

This patch plug these holes by introducing SNDRV_TIMER_IFLG_DEAD
flag.  This is set at the beginning of snd_timer_close(), and the flag
is checked at snd_timer_start*() and else, so that no longer new
action is left after snd_timer_close().

Reported-by: syzbot+d5136d4d3240cbe45a2a@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>

For checking the pending timer instance that is still left on the
timer object that is being closed, we set/clear a bit flag
SNDRV_TIMER_IFLG_CALLBACK around the call of callbacks.  This can be
simplified by replace with the list_empty() call for ti->ack_list.
This covers the existence more comprehensively and safely.

A gratis bonus is that we can get rid of SNDRV_TIMER_IFLG_CALLBACK bit
flag definition as well.
Signed-off-by: Takashi Iwai <tiwai@suse.de>

When a card is under disconnection, we bail out immediately at each
timer interrupt or tasklet.  This might leave some items left in ack
list.  For a better integration of the upcoming change to check
ack_list emptiness, clear out the whole list upon the emergency exit
route.
Signed-off-by: Takashi Iwai <tiwai@suse.de>

The timer core has two almost identical code for processing callbacks:
once in snd_timer_interrupt() for fast callbacks and another in
snd_timer_tasklet() for delayed callbacks.  Let's unify them.

In the new version, the resolution is read from ti->resolution at each
call, and this must be fine; ti->resolution is set in the preparation
step in snd_timer_interrupt().
Signed-off-by: Takashi Iwai <tiwai@suse.de>

It's a feature request for the ancient sutff, but it's still valid;
the loading of a GUS-patch isn't available via hwdep device although
it's supported over OSS sequencer.  The only missing piece is the call
of snd_soundfont_load_guspatch() in synth emux hwdep code.
Signed-off-by: Takashi Iwai <tiwai@suse.de>

Currently snd_aloop supports only S16 and S32 audio sample formats. With
this patch the S24 formats are also supported.
Signed-off-by: Timo Wischer <twischer@de.adit-jv.com>
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

In kernel API of Linux FireWire subsystem, handlers of isochronous
receive (IR) context can get context headers as an argument of
callback. When 4 byte header is used, the context header includes
isochronous packet header for each packet. When 8 byte header is
used, it includes isochronous cycle as well.

ALSA IEC 61883-1/6 engine uses 4 byte header, and computes isochronous
cycle from the cycle of interrupt. The usage of 8 byte header can
obsolete the computation.

Furthermore, this change works well for a case that a series of
packet in one interrupt includes skipped isochronous cycle,

This commit uses 8 byte header to handle isochronous cycle.
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

This commit adds support for MOTU 8pre FireWire, which was shipped 2007
and nowadays already discontinued. Userspace applications can transmit
and receive PCM frames and MIDI messages for this model via ALSA PCM
interface and RawMidi/Sequencer interfaces.

Like the other models of MOTU FireWire series, this model has many
quirks in its CIP.

At first, data channels for two pairs of optical interfaces. At lower
sampling transmission frequency, i.e. 44.1 and 48.0 kHz, one pair is
available for ADAT data, thus 8 data chunks are transferred by CIP.
At middle sampling transmission frequency, i.e.  88.2 and 96.0 kHz,
two pairs are available to keep 8 chunks for ADAT data, thus CIP
still includes 8 data chunks.

Apart from data chunks for optical interface, CIP includes fixed number
of data chunks. In tx stream, two chunks for status message, eight
chunks for samples from analog 1-8 input, two chunks for mix-return.
In rx stream, two chunks for control message, two chunks for main 1-2
output, two chunks for phone 1-2 output, two chunks for dummy 1-2.

CIP header in tx stream includes quirks for its dbs and dbc fields.
The value of dbs field is fixed to 0x13, against its actual size.
The value of dbc field is firstly updated to 0x07 from zero, then
it's incremented continuously according to actual number of data h
blocks.

Finally, the model has own bits to disable frame fetch.

This commit uses several options to absorb the above quirks.

$ python2 crpp < /sys/bus/firewire/devices/fw1/config_rom
               ROM header and bus information block
               -----------------------------------------------------------------
400  0410b57d  bus_info_length 4, crc_length 16, crc 46461
404  31333934  bus_name "1394"
408  20001000  irmc 0, cmc 0, isc 1, bmc 0, cyc_clk_acc 0, max_rec 1 (4)
40c  0001f200  company_id 0001f2     |
410  00083dfb  device_id 0000083dfb  | EUI-64 0001f20000083dfb

               root directory
               -----------------------------------------------------------------
414  0004c65c  directory_length 4, crc 50780
418  030001f2  vendor
41c  0c0083c0  node capabilities per IEEE 1394
420  8d000006  --> eui-64 leaf at 438
424  d1000001  --> unit directory at 428

               unit directory at 428
               -----------------------------------------------------------------
428  0003991c  directory_length 3, crc 39196
42c  120001f2  specifier id
430  1300000f  version
434  17103800  model

               eui-64 leaf at 438
               -----------------------------------------------------------------
438  00022681  leaf_length 2, crc 9857
43c  0001f200  company_id 0001f2     |
440  00083dfb  device_id 0000083dfb  | EUI-64 0001f20000083dfb
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

Back-merge the current devel branch for further development.
Signed-off-by: Takashi Iwai <tiwai@suse.de>

The function snd_opl3_drum_switch declaration in the header file
has the order of the two arguments on_off and vel swapped when
compared to the definition arguments of vel and on_off.  Fix this
by swapping them around to match the definition.

This error predates the git history, so no idea when this error
was introduced.
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

Another machine which does not like the power saving (noise):
  https://bugzilla.redhat.com/show_bug.cgi?id=1689623

Also, reorder the Lenovo C50 entry to keep the table sorted.

Reported-by: hs.guimaraes@outlook.com
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

Pull more Kbuild updates from Masahiro Yamada:

 - add more Build-Depends to Debian source package

 - prefix header search paths with $(srctree)/

 - make modpost show verbose section mismatch warnings

 - avoid hard-coded CROSS_COMPILE for h8300

 - fix regression for Debian make-kpkg command

 - add semantic patch to detect missing put_device()

 - fix some warnings of 'make deb-pkg'

 - optimize NOSTDINC_FLAGS evaluation

 - add warnings about redundant generic-y

 - clean up Makefiles and scripts

* tag 'kbuild-v5.1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
  kconfig: remove stale lxdialog/.gitignore
  kbuild: force all architectures except um to include mandatory-y
  kbuild: warn redundant generic-y
  Revert "modsign: Abort modules_install when signing fails"
  kbuild: Make NOSTDINC_FLAGS a simply expanded variable
  kbuild: deb-pkg: avoid implicit effects
  coccinelle: semantic code search for missing put_device()
  kbuild: pkg: grep include/config/auto.conf instead of $KCONFIG_CONFIG
  kbuild: deb-pkg: introduce is_enabled and if_enabled_echo to builddeb
  kbuild: deb-pkg: add CONFIG_ prefix to kernel config options
  kbuild: add workaround for Debian make-kpkg
  kbuild: source include/config/auto.conf instead of ${KCONFIG_CONFIG}
  unicore32: simplify linker script generation for decompressor
  h8300: use cc-cross-prefix instead of hardcoding h8300-unknown-linux-
  kbuild: move archive command to scripts/Makefile.lib
  modpost: always show verbose warning for section mismatch
  ia64: prefix header search path with $(srctree)/
  libfdt: prefix header search paths with $(srctree)/
  deb-pkg: generate correct build dependencies

Pull x86 asm updates from Thomas Gleixner:
 "Two cleanup patches removing dead conditionals and unused code"

* 'x86-asm-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86/asm: Remove unused __constant_c_x_memset() macro and inlines
  x86/asm: Remove dead __GNUC__ conditionals

Pull perf fixes from Thomas Gleixner:
 "Three fixes for the fallout from the TSX errata workaround:

   - Prevent memory corruption caused by a unchecked out of bound array
     index.

   - Two trivial fixes to address compiler warnings"

* 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  perf/x86/intel: Make dev_attr_allow_tsx_force_abort static
  perf/x86: Fixup typo in stub functions
  perf/x86/intel: Fix memory corruption

Pull xen fix from Juergen Gross:
 "A fix for a Xen bug introduced by David's series for excluding
  ballooned pages in vmcores"

* tag 'for-linus-5.1b-rc1b-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
  xen/balloon: Fix mapping PG_offline pages to user space

Pull 9p updates from Dominique Martinet:
 "Here is a 9p update for 5.1; there honestly hasn't been much.

  Two fixes (leak on invalid mount argument and possible deadlock on
  i_size update on 32bit smp) and a fall-through warning cleanup"

* tag '9p-for-5.1' of git://github.com/martinetd/linux:
  9p/net: fix memory leak in p9_client_create
  9p: use inode->i_lock to protect i_size_write() under 32-bit
  9p: mark expected switch fall-through

Fixes: 400816f6 ("perf/x86/intel: Implement support for TSX Force Abort")
Signed-off-by: kbuild test robot <lkp@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: "Peter Zijlstra (Intel)" <peterz@infradead.org>
Cc: kbuild-all@01.org
Cc: Borislav Petkov <bp@alien8.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20190313184243.GA10820@lkp-sb-ep06

Current ALSA firewire-motu driver uses the value of 'model' field
of unit directory in configuration ROM for modalias for MOTU
FireWire models. However, as long as I checked, Pre8 and
828mk3(Hybrid) have the same value for the field (=0x100800).

unit            | version   | model
--------------- | --------- | ----------
828mkII         | 0x000003  | 0x101800
Traveler        | 0x000009  | 0x107800
Pre8            | 0x00000f  | 0x100800 <-
828mk3(FW)      | 0x000015  | 0x106800
AudioExpress    | 0x000033  | 0x104800
828mk3(Hybrid)  | 0x000035  | 0x100800 <-

When updating firmware for MOTU 8pre FireWire from v1.0.0 to v1.0.3,
I got change of the value from 0x100800 to 0x103800. On the other
hand, the value of 'version' field is fixed to 0x00000f. As a quick
glance, the higher 12 bits of the value of 'version' field represent
firmware version, while the lower 12 bits is unknown.

By induction, the value of 'version' field represents actual model.

This commit changes modalias to match the value of 'version' field,
instead of 'model' field. For degug, long name of added sound card
includes hexadecimal value of 'model' field.

Fixes: 6c5e1ac0 ("ALSA: firewire-motu: add support for Motu Traveler")
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Cc: <stable@vger.kernel.org> # v4.19+
Signed-off-by: Takashi Iwai <tiwai@suse.de>

When this .gitignore was added, lxdialog was an independent hostprogs-y.

Now that all objects in lxdialog/ are directly linked to mconf, the
lxdialog is no longer generated.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

Currently, every arch/*/include/uapi/asm/Kbuild explicitly includes
the common Kbuild.asm file. Factor out the duplicated include directives
to scripts/Makefile.asm-generic so that no architecture would opt out
of the mandatory-y mechanism.

um is not forced to include mandatory-y since it is a very exceptional
case which does not support UAPI.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

The generic-y is redundant under the following condition:

 - arch has its own implementation

 - the same header is added to generated-y

 - the same header is added to mandatory-y

If a redundant generic-y is found, the warning like follows is displayed:

  scripts/Makefile.asm-generic:20: redundant generic-y found in arch/arm/include/asm/Kbuild: timex.h

I fixed up arch Kbuild files found by this.
Suggested-by: Sam Ravnborg <sam@ravnborg.org>
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

This reverts commit caf6fe91.

The commit was fine but is no longer needed as of commit 3a2429e1
("kbuild: change if_changed_rule for multi-line recipe").  Let's go
back to using ";" to be consistent.

For some discussion, see:

https://lkml.kernel.org/r/CAK7LNASde0Q9S5GKeQiWhArfER4S4wL1=R_FW8q0++_X3T5=hQ@mail.gmail.comSigned-off-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

During a simple no-op (nothing changed) build I saw 39 invocations of
the C compiler with the argument "-print-file-name=include".  We don't
need to call the C compiler 39 times for this--one time will suffice.

Let's change NOSTDINC_FLAGS to a simply expanded variable to avoid
this since there doesn't appear to be any reason it should be
recursively expanded.

On my build this shaved ~400 ms off my "no-op" build.

Note that the recursive expansion seems to date back to the (really
old) commit e8f5bdb0 ("[PATCH] Makefile include path ordering").
It's a little unclear to me if the point of that patch was to switch
the variable to be recursively expanded (which it did) or to avoid
directly assigning to NOSTDINC_FLAGS (AKA to switch to +=) because
someone else (out of tree?) was setting it.  I presume later since if
the only goal was to switch to recursive expansion the patch would
have just removed the ":".
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>