1. 09 Feb, 2016 2 commits
  2. 07 Feb, 2016 1 commit
  3. 05 Feb, 2016 6 commits
  4. 04 Feb, 2016 1 commit
    • Takashi Iwai's avatar
      ALSA: timer: Fix leftover link at closing · 094fd3be
      Takashi Iwai authored
      In ALSA timer core, the active timer instance is managed in
      active_list linked list.  Each element is added / removed dynamically
      at timer start, stop and in timer interrupt.  The problem is that
      snd_timer_interrupt() has a thinko and leaves the element in
      active_list when it's the last opened element.  This eventually leads
      to list corruption or use-after-free error.
      
      This hasn't been revealed because we used to delete the list forcibly
      in snd_timer_stop() in the past.  However, the recent fix avoids the
      double-stop behavior (in commit [f784beb7: ALSA: timer: Fix link
      corruption due to double start or stop]), and this leak hits reality.
      
      This patch fixes the link management in snd_timer_interrupt().  Now it
      simply unlinks no matter which stream is.
      
      BugLink: http://lkml.kernel.org/r/CACT4Y+Yy2aukHP-EDp8-ziNqNNmb-NTf=jDWXMP7jB8HDa2vng@mail.gmail.comReported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      094fd3be
  5. 03 Feb, 2016 8 commits
    • Takashi Iwai's avatar
      2e5dc73f
    • Takashi Iwai's avatar
      ALSA: seq: Fix lockdep warnings due to double mutex locks · 7f0973e9
      Takashi Iwai authored
      The port subscription code uses double mutex locks for source and
      destination ports, and this may become racy once when wrongly set up.
      It leads to lockdep warning splat, typically triggered by fuzzer like
      syzkaller, although the actual deadlock hasn't been seen, so far.
      
      This patch simplifies the handling by reducing to two single locks, so
      that no lockdep warning will be trigger any longer.
      
      By splitting to two actions, a still-in-progress element shall be
      added in one list while handling another.  For ignoring this element,
      a new check is added in deliver_to_subscribers().
      
      Along with it, the code to add/remove the subscribers list element was
      cleaned up and refactored.
      
      BugLink: http://lkml.kernel.org/r/CACT4Y+aKQXV7xkBW9hpQbzaDO7LrUvohxWh-UwMxXjDy-yBD=A@mail.gmail.comReported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Tested-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      7f0973e9
    • Takashi Iwai's avatar
      ALSA: rawmidi: Fix race at copying & updating the position · 81f57754
      Takashi Iwai authored
      The rawmidi read and write functions manage runtime stream status
      such as runtime->appl_ptr and runtime->avail.  These point where to
      copy the new data and how many bytes have been copied (or to be
      read).  The problem is that rawmidi read/write call copy_from_user()
      or copy_to_user(), and the runtime spinlock is temporarily unlocked
      and relocked while copying user-space.  Since the current code
      advances and updates the runtime status after the spin unlock/relock,
      the copy and the update may be asynchronous, and eventually
      runtime->avail might go to a negative value when many concurrent
      accesses are done.  This may lead to memory corruption in the end.
      
      For fixing this race, in this patch, the status update code is
      performed in the same lock before the temporary unlock.  Also, the
      spinlock is now taken more widely in snd_rawmidi_kernel_read1() for
      protecting more properly during the whole operation.
      
      BugLink: http://lkml.kernel.org/r/CACT4Y+b-dCmNf1GpgPKfDO0ih+uZCL2JV4__j-r1kdhPLSgQCQ@mail.gmail.comReported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Tested-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      81f57754
    • Takashi Iwai's avatar
      ALSA: rawmidi: Make snd_rawmidi_transmit() race-free · 06ab3003
      Takashi Iwai authored
      A kernel WARNING in snd_rawmidi_transmit_ack() is triggered by
      syzkaller fuzzer:
        WARNING: CPU: 1 PID: 20739 at sound/core/rawmidi.c:1136
      Call Trace:
       [<     inline     >] __dump_stack lib/dump_stack.c:15
       [<ffffffff82999e2d>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
       [<ffffffff81352089>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482
       [<ffffffff813522b9>] warn_slowpath_null+0x29/0x30 kernel/panic.c:515
       [<ffffffff84f80bd5>] snd_rawmidi_transmit_ack+0x275/0x400 sound/core/rawmidi.c:1136
       [<ffffffff84fdb3c1>] snd_virmidi_output_trigger+0x4b1/0x5a0 sound/core/seq/seq_virmidi.c:163
       [<     inline     >] snd_rawmidi_output_trigger sound/core/rawmidi.c:150
       [<ffffffff84f87ed9>] snd_rawmidi_kernel_write1+0x549/0x780 sound/core/rawmidi.c:1223
       [<ffffffff84f89fd3>] snd_rawmidi_write+0x543/0xb30 sound/core/rawmidi.c:1273
       [<ffffffff817b0323>] __vfs_write+0x113/0x480 fs/read_write.c:528
       [<ffffffff817b1db7>] vfs_write+0x167/0x4a0 fs/read_write.c:577
       [<     inline     >] SYSC_write fs/read_write.c:624
       [<ffffffff817b50a1>] SyS_write+0x111/0x220 fs/read_write.c:616
       [<ffffffff86336c36>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185
      
      Also a similar warning is found but in another path:
      Call Trace:
       [<     inline     >] __dump_stack lib/dump_stack.c:15
       [<ffffffff82be2c0d>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
       [<ffffffff81355139>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482
       [<ffffffff81355369>] warn_slowpath_null+0x29/0x30 kernel/panic.c:515
       [<ffffffff8527e69a>] rawmidi_transmit_ack+0x24a/0x3b0 sound/core/rawmidi.c:1133
       [<ffffffff8527e851>] snd_rawmidi_transmit_ack+0x51/0x80 sound/core/rawmidi.c:1163
       [<ffffffff852d9046>] snd_virmidi_output_trigger+0x2b6/0x570 sound/core/seq/seq_virmidi.c:185
       [<     inline     >] snd_rawmidi_output_trigger sound/core/rawmidi.c:150
       [<ffffffff85285a0b>] snd_rawmidi_kernel_write1+0x4bb/0x760 sound/core/rawmidi.c:1252
       [<ffffffff85287b73>] snd_rawmidi_write+0x543/0xb30 sound/core/rawmidi.c:1302
       [<ffffffff817ba5f3>] __vfs_write+0x113/0x480 fs/read_write.c:528
       [<ffffffff817bc087>] vfs_write+0x167/0x4a0 fs/read_write.c:577
       [<     inline     >] SYSC_write fs/read_write.c:624
       [<ffffffff817bf371>] SyS_write+0x111/0x220 fs/read_write.c:616
       [<ffffffff86660276>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185
      
      In the former case, the reason is that virmidi has an open code
      calling snd_rawmidi_transmit_ack() with the value calculated outside
      the spinlock.   We may use snd_rawmidi_transmit() in a loop just for
      consuming the input data, but even there, there is a race between
      snd_rawmidi_transmit_peek() and snd_rawmidi_tranmit_ack().
      
      Similarly in the latter case, it calls snd_rawmidi_transmit_peek() and
      snd_rawmidi_tranmit_ack() separately without protection, so they are
      racy as well.
      
      The patch tries to address these issues by the following ways:
      - Introduce the unlocked versions of snd_rawmidi_transmit_peek() and
        snd_rawmidi_transmit_ack() to be called inside the explicit lock.
      - Rewrite snd_rawmidi_transmit() to be race-free (the former case).
      - Make the split calls (the latter case) protected in the rawmidi spin
        lock.
      
      BugLink: http://lkml.kernel.org/r/CACT4Y+YPq1+cYLkadwjWa5XjzF1_Vki1eHnVn-Lm0hzhSpu5PA@mail.gmail.com
      BugLink: http://lkml.kernel.org/r/CACT4Y+acG4iyphdOZx47Nyq_VHGbpJQK-6xNpiqUjaZYqsXOGw@mail.gmail.comReported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Tested-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      06ab3003
    • Takashi Iwai's avatar
      ALSA: hda - Add fixup for Mac Mini 7,1 model · 2154cc0e
      Takashi Iwai authored
      Mac Mini 7,1 model with CS4208 codec reports the headphone jack
      detection wrongly in an inverted way.  Moreover, the advertised pins
      for the audio input and SPDIF output have actually no jack detection.
      
      This patch addresses these issues.  The inv_jack_detect flag is set
      for fixing the headphone jack detection, and the pin configs for audio
      input and SPDIF output are marked as non-detectable.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=105161
      Report-and-tested-by: moosotc@gmail.com
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      2154cc0e
    • Kailang Yang's avatar
      ALSA: hda/realtek - Support headset mode for ALC225 · 4cc9b9d6
      Kailang Yang authored
      Support headset mode for ALC225 platforms.
      Signed-off-by: default avatarKailang Yang <kailang@realtek.com>
      Cc: <stable@vger.kernel.org> # v4.4+
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      4cc9b9d6
    • Kailang Yang's avatar
      ALSA: hda/realtek - Support Dell headset mode for ALC225 · cfc5a845
      Kailang Yang authored
      Dell create new platform with ALC298 codec.
      This patch will enable headset mode for ALC225/ALC3253 platform.
      Signed-off-by: default avatarKailang Yang <kailang@realtek.com>
      Cc: <stable@vger.kernel.org> # v4.4+
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      cfc5a845
    • Kailang Yang's avatar
      ALSA: hda/realtek - New codec support of ALC225 · 4231430d
      Kailang Yang authored
      Add new support for ALC225, yet another variant of ALC298 codec.
      Signed-off-by: default avatarKailang Yang <kailang@realtek.com>
      Cc: <stable@vger.kernel.org> # 4.4+
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      4231430d
  6. 02 Feb, 2016 1 commit
    • Takashi Iwai's avatar
      ALSA: timer: Sync timer deletion at closing the system timer · f146357f
      Takashi Iwai authored
      ALSA timer core framework has no sync point at stopping because it's
      called inside the spinlock.  Thus we need a sync point at close for
      avoiding the stray timer task.  This is simply done by implementing
      the close callback just calling del_timer_sync().  (It's harmless to
      call it unconditionally, as the core timer itself cares of the already
      deleted timer instance.)
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      f146357f
  7. 01 Feb, 2016 5 commits
  8. 29 Jan, 2016 6 commits
  9. 28 Jan, 2016 2 commits
  10. 27 Jan, 2016 1 commit
  11. 26 Jan, 2016 2 commits
  12. 25 Jan, 2016 3 commits
  13. 24 Jan, 2016 2 commits
    • Linus Torvalds's avatar
      Linux 4.5-rc1 · 92e963f5
      Linus Torvalds authored
      92e963f5
    • Linus Torvalds's avatar
      Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus · e2464688
      Linus Torvalds authored
      Pull MIPS updates from Ralf Baechle:
       "This is the main pull request for MIPS for 4.5 plus some 4.4 fixes.
      
        The executive summary:
      
         - ATH79 platform improvments, use DT bindings for the ATH79 USB PHY.
         - Avoid useless rebuilds for zboot.
         - jz4780: Add NEMC, BCH and NAND device tree nodes
         - Initial support for the MicroChip's DT platform.  As all the device
           drivers are missing this is still of limited use.
         - Some Loongson3 cleanups.
         - The unavoidable whitespace polishing.
         - Reduce clock skew when synchronizing the CPU cycle counters on CPU
           startup.
         - Add MIPS R6 fixes.
         - Lots of cleanups across arch/mips as fallout from KVM.
         - Lots of minor fixes and changes for IEEE 754-2008 support to the
           FPU emulator / fp-assist software.
         - Minor Ralink, BCM47xx and bcm963xx platform support improvments.
         - Support SMP on BCM63168"
      
      * 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus: (84 commits)
        MIPS: zboot: Add support for serial debug using the PROM
        MIPS: zboot: Avoid useless rebuilds
        MIPS: BMIPS: Enable ARCH_WANT_OPTIONAL_GPIOLIB
        MIPS: bcm63xx: nvram: Remove unused bcm63xx_nvram_get_psi_size() function
        MIPS: bcm963xx: Update bcm_tag field image_sequence
        MIPS: bcm963xx: Move extended flash address to bcm_tag header file
        MIPS: bcm963xx: Move Broadcom BCM963xx image tag data structure
        MIPS: bcm63xx: nvram: Use nvram structure definition from header file
        MIPS: bcm963xx: Add Broadcom BCM963xx board nvram data structure
        MAINTAINERS: Add KVM for MIPS entry
        MIPS: KVM: Add missing newline to kvm_err()
        MIPS: Move KVM specific opcodes into asm/inst.h
        MIPS: KVM: Use cacheops.h definitions
        MIPS: Break down cacheops.h definitions
        MIPS: Use EXCCODE_ constants with set_except_vector()
        MIPS: Update trap codes
        MIPS: Move Cause.ExcCode trap codes to mipsregs.h
        MIPS: KVM: Make kvm_mips_{init,exit}() static
        MIPS: KVM: Refactor added offsetof()s
        MIPS: KVM: Convert EXPORT_SYMBOL to _GPL
        ...
      e2464688