- 29 Apr, 2019 3 commits
-
-
Wenwen Wang authored
In usX2Y_In04_init(), a new urb is firstly created through usb_alloc_urb() and saved to 'usX2Y->In04urb'. Then, a buffer is allocated through kmalloc() and saved to 'usX2Y->In04Buf'. If the allocation of the buffer fails, the error code ENOMEM is returned after usb_free_urb(), which frees the created urb. However, the urb is actually freed at card->private_free callback, i.e., snd_usX2Y_card_private_free(). So the free operation here leads to a double free bug. To fix the above issue, simply remove usb_free_urb(). Signed-off-by:
Wenwen Wang <wang6495@umn.edu> Signed-off-by:
Takashi Iwai <tiwai@suse.de>
-
Bard liao authored
In ASoC driver, snd_hdac_device_register() will be called by snd_hdac_ext_bus_device_init() and snd_hdac_device_unregister() will called by snd_hdac_ext_bus_device_remove(). However when ASoC codec driver call snd_hda_codec_device_new() to create a new hda codec, it will assign snd_hda_codec_dev_free() to the dev_free ops and snd_hda_codec_dev_free() will call snd_hdac_device_unregister(). As a result, snd_hdac_device_unregister() will be called twice in ASoC driver. To prevent it, we use hdev type to determine if the hda codec is registered by legacy HDA driver or ASoC driver and unregister device in snd_hda_codec_dev_free() only if it is a legacy HDA device. This patch will overwrite the hdev type so that we can know it is a ASoC device. Signed-off-by:
Bard liao <yung-chuan.liao@linux.intel.com> Signed-off-by:
-
Bard liao authored
snd_hda_codec_device_new() is used by both legacy HDA and ASoC driver. However, we will call snd_hdac_device_unregister() in snd_hdac_ext_bus_device_remove() for ASoC device. This patch uses the type flag in hdac_device struct to determine is it a ASoC device or legacy HDA device and call snd_hdac_device_unregister() in snd_hda_codec_dev_free() only if it is a legacy HDA device. Signed-off-by:
-
- 28 Apr, 2019 3 commits
-
-
Wenwen Wang authored
In parse_audio_selector_unit(), the string array 'namelist' is allocated through kmalloc_array(), and each string pointer in this array, i.e., 'namelist[]', is allocated through kmalloc() in the following for loop. Then, a control instance 'kctl' is created by invoking snd_ctl_new1(). If an error occurs during the creation process, the string array 'namelist', including all string pointers in the array 'namelist[]', should be freed, before the error code ENOMEM is returned. However, the current code does not free 'namelist[]', resulting in memory leaks. To fix the above issue, free all string pointers 'namelist[]' in a loop. Signed-off-by:
-
Fuqian Huang authored
Pointers should be printed with %p or %px rather than cast to long type and printed with %lx. Drop the address printing. Signed-off-by:
Fuqian Huang <huangfq.daxian@gmail.com> Signed-off-by:
-
Kailang Yang authored
Let EAPD turn on after set pin output. [ NOTE: This change is supposed to reduce the possible click noises at (runtime) PM resume. The functionality should be same (i.e. the verbs are executed correctly) no matter which order is, so this should be safe to apply for all codecs -- tiwai ] Signed-off-by:
Kailang Yang <kailang@realtek.com> Cc: <stable@vger.kernel.org> Signed-off-by:
-
- 24 Apr, 2019 1 commit
-
-
Takashi Iwai authored
The error from snd_usb_mixer_apply_create_quirk() is ignored in the current usb-audio driver code, which will continue the probing even after the error. Let's take it more serious. Fixes: 7b1eda22 ("ALSA: usb-mixer: factor out quirks") Signed-off-by:
-
- 17 Apr, 2019 3 commits
-
-
YueHaibing authored
Fixes gcc '-Wunused-but-set-variable' warnings: sound/ppc/snd_ps3.c: In function 'snd_ps3_program_dma': sound/ppc/snd_ps3.c:236:8: warning: variable 'start_vaddr' set but not used [-Wunused-but-set-variable] sound/ppc/snd_ps3.c: In function 'snd_ps3_pcm_open': sound/ppc/snd_ps3.c:529:6: warning: variable 'pcm_index' set but not used [-Wunused-but-set-variable] They are never used and can be removed. Reported-by:
Hulk Robot <hulkci@huawei.com> Signed-off-by:
YueHaibing <yuehaibing@huawei.com> Acked-by:
Geoff Levand <geoff@infradead.org> Signed-off-by:
-
Takashi Iwai authored
The snd_cards[] array holds the card pointers that have been currently registered, and it's exported for the external modules that may need to refer a card object. But accessing to this array can be racy against the driver probe or removal, as the card registration or free may happen concurrently. This patch gets rid of the direct access to snd_cards[] array and provides a helper function to give the card object from the index number with a refcount management. Then the caller can access to the given card object safely, and releases it via snd_card_unref(). While we're at it, add a proper comment to snd_card_unref() and make it an inlined function for type-safety, too. Signed-off-by: -
Takashi Iwai authored
The emu10k1 driver tries to create a unique id string by itself when it's copied from the card list, but it's rather superfluous, as the same thing will be done in ALSA core side at the card registration. Let's drop the code. This allows us removing snd_cards export. Signed-off-by:
-
- 15 Apr, 2019 2 commits
-
-
Takashi Iwai authored
The doubly unlock sequence at snd_seq_client_ioctl_unlock() is tricky. I took a direct unref call since I thought it would avoid misunderstanding, but rather this seems more confusing. Let's use snd_seq_client_unlock() consistently even if they look strange to be called twice, and add more comments for avoiding reader's confusion. Fixes: 6b580f52 ("ALSA: seq: Protect racy pool manipulation from OSS sequencer") Reviewed-by:
Kai Vehmanen <kai.vehmanen@linux.intel.com> Signed-off-by:
-
Roope Salmi authored
The device reports Synch: Synchronous on the playback interface. This causes regular audible napping on sample rates that are not multiples of 1 kHz. Fix to Synch: Asynchronous. Specifically observed on Focusrite Scarlett Solo 2nd generation. I assume the first generation model has a different device ID. A first generation Scarlett 2i2 I was able to test advertised Synch: Asynchronous by default. For example, with a sample rate of 44100 Hz, a silent sample is played every 40.96 seconds (likely 44.0 samples instead of 44.1 transmitted per USB frame on average, 4096 being the size of some internal buffer). There may be some other bug at play here since this doesn't happen on other platforms. However, a feedback endpoint is listed and using it fixes the issue. That is the only change in the quirk, but I didn't find a way to declare only it. Tested on two units and on two different computers. Signed-off-by:
Roope Salmi <rpsalmi@gmail.com> Signed-off-by:
-
- 13 Apr, 2019 3 commits
-
-
Takashi Iwai authored
Some fields in snd_hdac_bus are ext-bus specific, but they still should be initialized in snd_hdac_bus_init() for consistency, at least, for the ones that do need the explicit initialization like the list head. Also move the lock field to the more appropriate place and correct the comment to reflect the recent change where it serves for both the display power and the link management. Signed-off-by: -
Takashi Iwai authored
Back-merge the 5.1 devel branch for the further HD-audio development. Signed-off-by: -
Takashi Iwai authored
The recent commit 98081ca6 ("ALSA: hda - Record the current power state before suspend/resume calls") made the HD-audio driver to store the PM state in power_state field. This forgot, however, the initialization at power up. Although the codec drivers usually don't need to refer to this field in the normal operation, let's initialize it properly for consistency. Fixes: 98081ca6 ("ALSA: hda - Record the current power state before suspend/resume calls") Signed-off-by:
-
- 12 Apr, 2019 3 commits
-
-
Takashi Iwai authored
OSS sequencer emulation still allows to queue and issue the events that manipulate the client pool concurrently in a racy way. This patch serializes the access like the normal sequencer write / ioctl via taking the client ioctl_mutex. Since the access to the sequencer client is done indirectly via a client id number, a new helper to take/release the mutex is introduced. Signed-off-by: -
Takashi Iwai authored
We have two helpers for queuing a sequencer event from the kernel client, and both are used only from OSS sequencer layer without any hop and atomic set. Let's simplify and unify two helpers into one. No functional change, just a call pattern change. Signed-off-by: -
Takashi Iwai authored
The call of unsubscribe_port() which manages the group count and module refcount from delete_and_unsubscribe_port() looks racy; it's not covered by the group list lock, and it's likely a cause of the reported unbalance at port deletion. Let's move the call inside the group list_mutex to plug the hole. Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com Signed-off-by:
-
- 11 Apr, 2019 2 commits
-
-
Takashi Iwai authored
This reverts commit feb68902. The fix attempt was incorrect, leading to the mutex deadlock through the close of OSS sequencer client. The proper fix needs more consideration, so let's revert it now. Fixes: feb68902 ("ALSA: seq: Protect in-kernel ioctl calls with mutex") Reported-by: syzbot+47ded6c0f23016cde310@syzkaller.appspotmail.com Signed-off-by:
-
Takashi Iwai authored
Merge tag 'asoc-fix-v5.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus ASoC: Fixes for v5.1 A few core fixes along with the driver specific ones, mainly fixing small issues that only affect x86 platforms for various reasons (their unusual machine enumeration mechanisms mainly, plus a fix for error handling in topology). There's some of the driver fixes that look larger than they are, like the hdmi-codec changes which resulted in an indentation change, and most of the other large changes are for new drivers like the STM32 changes.
-
- 10 Apr, 2019 7 commits
-
-
Marc Gonzalez authored
wcd9335.c: undefined reference to 'devm_regmap_add_irq_chip' Signed-off-by:
Marc Gonzalez <marc.w.gonzalez@free.fr> Signed-off-by:
Mark Brown <broonie@kernel.org>
-
Takashi Iwai authored
snd_hdac_display_power() doesn't handle the concurrent calls carefully enough, and it may lead to the doubly get_power or put_power calls, when a runtime PM and an async work get called in racy way. This patch addresses it by reusing the bus->lock mutex that has been used for protecting the link state change in ext bus code, so that it can protect against racy display state changes. The initialization of bus->lock was moved from snd_hdac_ext_bus_init() to snd_hdac_bus_init() as well accordingly. Testcase: igt/i915_pm_rpm/module-reload #glk-dsi Reported-by:
Chris Wilson <chris@chris-wilson.co.uk> Reviewed-by:
-
Ranjani Sridharan authored
Handle error before returning when try_module_get() fails to prevent inconsistent mutex lock/unlock. Fixes: 52034add (ASoC: pcm: update module refcount if module_get_upon_open is set) Signed-off-by:
Ranjani Sridharan <ranjani.sridharan@linux.intel.com> Signed-off-by:
-
Olivier Moysan authored
When master clock is used, master clock rate is set exclusively. Parent clocks of master clock cannot be changed after a call to clk_set_rate_exclusive(). So the parent clock of SAI kernel clock must be set before. Ensure also that exclusive rate operations are balanced in STM32 SAI driver. Signed-off-by:
Olivier Moysan <olivier.moysan@st.com> Signed-off-by:
-
Tzung-Bi Shih authored
Fix wrong setting on number of channels. The context wants to set constraint to 2 channels instead of 4. Signed-off-by:
Tzung-Bi Shih <tzungbi@google.com> Acked-by:
Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com> Signed-off-by:
-
Takashi Iwai authored
Avoid old school C style but do plain and clear way. Signed-off-by: -
Takashi Iwai authored
Just a minor refactoring to use the standard goto for error paths in snd_timer_open() instead of open code. The first mutex_lock() is moved to the beginning of the function to make the code clearer. Signed-off-by:
-
- 09 Apr, 2019 6 commits
-
-
Takashi Iwai authored
The snd_seq_ioctl_get_subscription() retrieves the port subscriber information as a pointer, while the object isn't protected, hence it may be deleted before the actual reference. This race was spotted by syzkaller and may lead to a UAF. The fix is simply copying the data in the lookup function that performs in the rwsem to protect against the deletion. Reported-by: syzbot+9437020c82413d00222d@syzkaller.appspotmail.com Signed-off-by: -
Takashi Iwai authored
ALSA OSS sequencer calls the ioctl function indirectly via snd_seq_kernel_client_ctl(). While we already applied the protection against races between the normal ioctls and writes via the client's ioctl_mutex, this code path was left untouched. And this seems to be the cause of still remaining some rare UAF as spontaneously triggered by syzkaller. For the sake of robustness, wrap the ioctl_mutex also for the call via snd_seq_kernel_client_ctl(), too. Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com Signed-off-by: -
Takashi Iwai authored
spin_lock_irqsave() is used unnecessarily in various places in sequencer core code although it's pretty obvious that the context is sleepable. Remove irqsave and use the plain spin_lock_irq() in such places for simplicity. Signed-off-by: -
Takashi Iwai authored
In a few places in sequencer core, we temporarily unlock / re-lock the pool spin lock while waiting for the allocation in the blocking mode. There spin_unlock_irq() / spin_lock_irq() pairs are called while initially spin_lock_irqsave() is used (and spin_lock_irqrestore() at the end of the function again). This is likely OK for now, but it's a bit confusing and error-prone. This patch replaces these temporary relocking lines with the irqsave variant to make the lock/unlock sequence more consistently. Signed-off-by: -
Takashi Iwai authored
Use kvmalloc() for allocating cell pools since the pool size can be relatively small that may be covered better by slab. Signed-off-by: -
Takashi Iwai authored
This is essentially a revert of the commit a7588c89 ("ALSA: timer: Check ack_list emptiness instead of bit flag"). The intended change by the commit turns out to be insufficient, as snd_timer_close*() always calls snd_timer_stop() that deletes the ack_list beforehand. In theory, we can change the behavior of snd_timer_stop() to sync the pending ack_list, but this will become a deadlock for the callback like sequencer that calls again snd_timer_stop() from itself. So, reverting the change is a more straightforward solution. Fixes: a7588c89 ("ALSA: timer: Check ack_list emptiness instead of bit flag") Reported-by: syzbot+58813d77154713f4de15@syzkaller.appspotmail.com Signed-off-by:
-
- 08 Apr, 2019 5 commits
-
-
Hui Wang authored
Recently we set CONFIG_SND_HDA_POWER_SAVE_DEFAULT to 1 when configuring the kernel, then two machines were reported to have noise after installing the new kernel. Put them in the blacklist, the noise disappears. https://bugs.launchpad.net/bugs/1821663 Cc: <stable@vger.kernel.org> Signed-off-by:
Hui Wang <hui.wang@canonical.com> Signed-off-by:
-
Ranjani Sridharan authored
Setting the module_get_upon_open field for component driver prevents the module refcount from being incremented during component probe(). This could lead to the module being allowed to be unloaded when a pcm stream is open. So, if this field is set, the module's refcount should be incremented during pcm open to prevent module removal when the component is in use. And, the refcount should be decremented upon pcm close. Signed-off-by:
-
Ranjani Sridharan authored
Recently, for Intel platforms the "ignore_module_refcount" field was introduced for the component driver. In order to avoid a deadlock preventing the PCI modules from being removed even when the card was idle, the refcounts were not incremented for the device driver module during component probe. However, this change introduced a nasty side effect: the device driver module can be unloaded while a pcm stream is open. This patch proposes to change the field to be renamed as "module_get_upon_open". When this field is set, the module refcount should be incremented on pcm open amd decremented upon pcm close. This will enable modules to be removed when no PCM playback/capture happens and prevent removal when the component is actually in use. Also, align with the skylake component driver with the new name. Fixes: b450b878('ASoC: core: don't increase component module refcount unconditionally' Signed-off-by:
-
Arnaud Pouliquen authored
This patch fixes the sai driver structure overwriting which results in a cpu dai name equal NULL. Fixes: 3e086edf ("ASoC: stm32: add SAI driver") Signed-off-by:
Arnaud Pouliquen <arnaud.pouliquen@st.com> Signed-off-by:
-
Ranjani Sridharan authored
The control values and texts of the enum kcontrol associated with a widget need to be freed when the widget is removed. However, both struct snd_soc_dapm_widget and struct soc_enum contain a dobj member, which resulted in a confusion. The existing code generates a null pointer dereference by attempting to free the values and texts from the dobj which belongs to the widget instead of the dobj belonging to the enum kcontrol. The suggested fix is to use the correct dobj member (se->dobj) of the enum kcontrol. Signed-off-by:
-
- 05 Apr, 2019 2 commits
-
-
Zubin Mithra authored
When ioctl calls are made with non-null-terminated userspace strings, strlcpy causes an OOB-read from within strlen. Fix by changing to use strscpy instead. Signed-off-by:
Zubin Mithra <zsm@chromium.org> Reviewed-by:
Guenter Roeck <groeck@chromium.org> Cc: <stable@vger.kernel.org> Signed-off-by:
-
Ranjani Sridharan authored
Topology is not unloaded in the core during unregister_component() anymore. So, add the remove() callback that will unload the topology. Signed-off-by:
-
