Commit Graph

1935 Commits

Author SHA1 Message Date
Takashi Iwai 3c22baeab4 ASoC: Updates for v5.7
This is a very big update for the core since Morimoto-san has been
 rather busy continuing his refactorings to clean up a lot of the cruft
 that we have accumilated over the years.  We've also gained several new
 drivers, including initial (but still not complete) parts of the Intel
 SoundWire support.
 
  - Lots of refactorings to modernize the code from Morimoto-san.
  - Conversion of SND_SOC_ALL_CODECS to use imply from Geert Uytterhoeven.
  - Continued refactoring and fixing of the Intel support.
  - Soundwire and more advanced clocking support for Realtek RT5682.
  - Support for amlogic GX, Meson 8, Meson 8B and T9015 DAC, Broadcom
    DSL/PON, Ingenic JZ4760 and JZ4770, Realtek RL6231, and TI TAS2563 and
    TLV320ADCX140.
 -----BEGIN PGP SIGNATURE-----
 
 iQFHBAABCgAxFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAl6B03sTHGJyb29uaWVA
 a2VybmVsLm9yZwAKCRAk1otyXVSH0Jm5B/4pb6Hz1ifM+ikR4qB7BOdm/UGzxWlD
 Mng+qN3kh6Tx+x8/xnQRmfOnhFoKnDSTnlxcDr6ujAtz3bH+CKXbo2jjfvmagQrW
 j87tYGdh6T38E6mf6543Eth3zJGphZYUY70REXt0HsaQ8bA912nrs5H8LTFiD2i+
 lBJd/MmlCYL3gb/ftN9dpTfYYdxLy9HH9j5tR5zpLN3AD3Hew9jHqqX+ioAk+6lA
 Nisbx5grP10pWFklYXyJlUFQOqMOYMtPMblLRA9bjqcEtL3quIXPXKkPNtTh+0Kf
 5t7Q39RtVXJAk0DcatjMJUGAGQyM9r5g1Nk8WLB1LLv+NfLcO6cUpLAc
 =+z/q
 -----END PGP SIGNATURE-----

Merge tag 'asoc-v5.7' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus

ASoC: Updates for v5.7

This is a very big update for the core since Morimoto-san has been
rather busy continuing his refactorings to clean up a lot of the cruft
that we have accumilated over the years.  We've also gained several new
drivers, including initial (but still not complete) parts of the Intel
SoundWire support.

 - Lots of refactorings to modernize the code from Morimoto-san.
 - Conversion of SND_SOC_ALL_CODECS to use imply from Geert Uytterhoeven.
 - Continued refactoring and fixing of the Intel support.
 - Soundwire and more advanced clocking support for Realtek RT5682.
 - Support for amlogic GX, Meson 8, Meson 8B and T9015 DAC, Broadcom
   DSL/PON, Ingenic JZ4760 and JZ4770, Realtek RL6231, and TI TAS2563 and
   TLV320ADCX140.
2020-03-30 13:43:00 +02:00
Takashi Iwai aa21c3d4b9 Merge branch 'for-next' into for-linus 2020-03-30 09:46:51 +02:00
Mark Brown 1c521d7e62
Merge branch 'asoc-5.7' into asoc-next 2020-03-27 17:29:20 +00:00
Takashi Iwai c208a53350 ALSA: core: Add snd_device_get_state() helper
A new small helper to get the current state of the device registration
for the given object.  It'll be used for USB-audio driver to check the
delayed device registrations.

Link: https://lore.kernel.org/r/20200323170643.19181-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-03-23 18:09:19 +01:00
Takashi Iwai 6c3171ef76 ALSA: seq: oss: Fix running status after receiving sysex
This is a similar bug like the previous case for virmidi: the invalid
running status is kept after receiving a sysex message.

Again the fix is to clear the running status after handling the sysex.

Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/3b4a4e0f232b7afbaf0a843f63d0e538e3029bfd.camel@domdv.de
Link: https://lore.kernel.org/r/20200316090506.23966-3-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-03-16 10:06:40 +01:00
Takashi Iwai 4384f167ce ALSA: seq: virmidi: Fix running status after receiving sysex
The virmidi driver handles sysex event exceptionally in a short-cut
snd_seq_dump_var_event() call, but this missed the reset of the
running status.  As a result, it may lead to an incomplete command
right after the sysex when an event with the same running status was
queued.

Fix it by clearing the running status properly via alling
snd_midi_event_reset_decode() for that code path.

Reported-by: Andreas Steinmetz <ast@domdv.de>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/3b4a4e0f232b7afbaf0a843f63d0e538e3029bfd.camel@domdv.de
Link: https://lore.kernel.org/r/20200316090506.23966-2-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-03-16 10:06:22 +01:00
Takashi Iwai 296a37fd02 ALSA: pcm: Fix superfluous snprintf() usage
show_pcm_class() returns obviously a short string that can't overflow
PAGE_SIZE.  And even if it were to overflow, using snprintf() there is
just wrong, as it doesn't return the correct size.
So simplify with sprintf() instead.

Link: https://lore.kernel.org/r/20200313130223.8908-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-03-13 15:58:35 +01:00
Takashi Iwai 5461e0530c ALSA: pcm: oss: Remove WARNING from snd_pcm_plug_alloc() checks
The return value checks in snd_pcm_plug_alloc() are covered with
snd_BUG_ON() macro that may trigger a kernel WARNING depending on the
kconfig.  But since the error condition can be triggered by a weird
user space parameter passed to OSS layer, we shouldn't give the kernel
stack trace just for that.  As it's a normal error condition, let's
remove snd_BUG_ON() macro usage there.

Reported-by: syzbot+2a59ee7a9831b264f45e@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200312155730.7520-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-03-12 16:58:03 +01:00
Mark Brown 4d90a4e677 Linux 5.6-rc5
-----BEGIN PGP SIGNATURE-----
 
 iQFSBAABCAA8FiEEq68RxlopcLEwq+PEeb4+QwBBGIYFAl5lkYceHHRvcnZhbGRz
 QGxpbnV4LWZvdW5kYXRpb24ub3JnAAoJEHm+PkMAQRiGpHQH/RJrzcaZHo4lw88m
 Jf7vBZ9DYUlRgqE0pxTHWmodNObKRqpwOUGflUcWbb/7GD2LQUfeqhSECVQyTID9
 N9y7FcPvx321Qhc3EkZ24DBYk0+DQ0K2FVUrSa/PxO0n7czxxXWaLRDmlSULEd3R
 D4pVs3zEWOBXJHUAvUQ5R+lKfkeWKNeeepeh+rezuhpdWFBRNz4Jjr5QUJ8od5xI
 sIwobYmESJqTRVBHqW8g2T2/yIsFJ78GCXs8DZLe1wxh40UbxdYDTA0NDDTHKzK6
 lxzBgcmKzuge+1OVmzxLouNWMnPcjFlVgXWVerpSy3/SIFFkzzUWeMbqm6hKuhOn
 wAlcIgI=
 =VQUc
 -----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
 
 iQFHBAABCgAxFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAl5pMckTHGJyb29uaWVA
 a2VybmVsLm9yZwAKCRAk1otyXVSH0JSaB/0dQ534mBfgkuR5JCOBU53pfcuSGoqM
 Ya+KepVKdGSIazXuuHRNaFeI3jJxiuiKJ7ar77lxxBSeerhMuLy5EAAH5Pm2f7TL
 XfevQ0VmptN8BKqZBRhIfdRAeXNDP04/R9bWK9wBk+J18A3mem1tMFkBwOYYS02f
 OgvsyUwDEsau6hTBBOiK3qyQgGPMOoCKHmX7ZQlNcaRYJzPwXqH+hQpnDbBRw+v/
 lW/+vVOa/NamWSXZogHQWuF1FqERY2AqWqDpDgoA0nLBwEis+Jte8gzCQxuNx6pd
 L0D5IJItvpWGM+bkDrg/dFHQRp4KlbX9G+cMU/ScGuBh0E4KBYT/17lk
 =CIkj
 -----END PGP SIGNATURE-----

Merge tag 'v5.6-rc5' into asoc-5.7

Linux 5.6-rc5
2020-03-11 18:45:26 +00:00
Takashi Iwai 3bbf9e2f86 ALSA: pcm: oss: Simplify plugin frame size calculations
Both snd_pcm_plug_client_size() and snd_pcm_plug_slave_size() do the
almost same calculations of calling src_frames() and dst_frames() in
the chain, but just to the different directions with each other.

This patch simplifies those functions.  Now they return -EINVAL for
the invalid direction, but practically seen, there is no functional
changes at all.

Link: https://lore.kernel.org/r/20200309185855.15693-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-03-09 20:02:42 +01:00
Takashi Iwai cf4afed90c Merge branch 'for-linus' into for-next
Back-merge of 5.6 devel branch for further changes in 5.7 cycle

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-03-09 19:50:18 +01:00
Takashi Iwai f2ecf903ef ALSA: pcm: oss: Avoid plugin buffer overflow
Each OSS PCM plugins allocate its internal buffer per pre-calculation
of the max buffer size through the chain of plugins (calling
src_frames and dst_frames callbacks).  This works for most plugins,
but the rate plugin might behave incorrectly.  The calculation in the
rate plugin involves with the fractional position, i.e. it may vary
depending on the input position.  Since the buffer size
pre-calculation is always done with the offset zero, it may return a
shorter size than it might be; this may result in the out-of-bound
access as spotted by fuzzer.

This patch addresses those possible buffer overflow accesses by simply
setting the upper limit per the given buffer size for each plugin
before src_frames() and after dst_frames() calls.

Reported-by: syzbot+e1fe9f44fb8ecf4fb5dd@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/000000000000b25ea005a02bcf21@google.com
Link: https://lore.kernel.org/r/20200309082148.19855-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-03-09 09:22:22 +01:00
Mark Brown 90309b74c3
Merge series "simple-audio-card codec2codec support" from Samuel Holland <samuel@sholland.org>:
We are currently using simple-audio-card on the Allwinner A64 SoC.
The digital audio codec there (sun8i-codec) has 3 AIFs, one each for the
CPU, the modem, and Bluetooth. Adding support for the secondary AIFs
requires adding codec2codec DAI links.

Since the modem and bt-sco codec DAI drivers only have one set of
possible PCM parameters (namely, 8kHz mono S16LE), there's no real
need for a machine driver to specify the DAI link configuration. The
parameters for these "simple" DAI links can be chosen automatically.

This series adds codec2codec DAI link support to simple-audio-card.
Codec to codec links are automatically detected when all DAIs in the
link belong to codec components.

I tried to reuse as much code as possible, so the first two patches
refactor a couple of helper functions to be more generic.

The last patch adds the new feature and its documentation.

Changes in v4:
  - Rebased on top of asoc/for-next, several changes to patch 2
  - Removed unused variable from patch 3
Changes in v3:
  - Update use of for_each_rtd_components for v5.6
Changes in v2:
  - Drop patch 1 as it was merged
  - Automatically detect codec2codec links instead of using a DT property

Samuel Holland (3):
  ALSA: pcm: Add a standalone version of snd_pcm_limit_hw_rates
  ASoC: pcm: Export parameter intersection logic
  ASoC: simple-card: Add support for codec2codec DAI links

 Documentation/sound/soc/codec-to-codec.rst |  9 +++-
 include/sound/pcm.h                        |  9 +++-
 include/sound/soc.h                        |  3 ++
 sound/core/pcm_misc.c                      | 18 +++----
 sound/soc/generic/simple-card-utils.c      | 48 ++++++++++++++++++
 sound/soc/soc-pcm.c                        | 59 ++++++++++++++--------
 6 files changed, 114 insertions(+), 32 deletions(-)

--
2.24.1
2020-03-06 15:02:53 +00:00
Peter Ujfalusi f9c23615c6
ALSA: dmaengine_pcm: No need to take runtime reference twice in pcm_pointer
The runtime pointer has been taken in functional level so there is no need
to take it again under the if () case.

Fixes: 9d789dc047 ("ALSA: dmaengine_pcm: Consider DMA cache caused delay in pointer callback")
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
Link: https://lore.kernel.org/r/20200227093544.27723-1-peter.ujfalusi@ti.com
Signed-off-by: Mark Brown <broonie@kernel.org>
2020-03-06 15:02:51 +00:00
Samuel Holland 4769bfb9da
ALSA: pcm: Add a standalone version of snd_pcm_limit_hw_rates
It can be useful to derive min/max rates of a snd_pcm_hardware without
having a snd_pcm_runtime, such as before constructing an ASoC DAI link.

Create a new helper that takes a pointer to a snd_pcm_hardware directly,
and refactor the original function as a wrapper around it, to avoid
needing to update any call sites.

Signed-off-by: Samuel Holland <samuel@sholland.org>
Reviewed-by: Takashi Iwai <tiwai@suse.de>
Link: https://lore.kernel.org/r/20200305051143.60691-2-samuel@sholland.org
Signed-off-by: Mark Brown <broonie@kernel.org>
2020-03-06 14:24:09 +00:00
Cezary Rojewski b9759ef2fd
ALSA: core: Implement compress page allocation and free routines
Add simple malloc and free methods for memory management for compress
streams. Based on snd_pcm_lib_malloc_pages and snd_pcm_lib_free_pages
implementation.

Signed-off-by: Divya Prakash <divya1.prakash@intel.com>
Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
Reviewed-by: Takashi Iwai <tiwai@suse.de>
Acked-by: Vinod Koul <vkoul@kernel.org>
Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Link: https://lore.kernel.org/r/20200218143924.10565-3-cezary.rojewski@intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
2020-02-18 21:52:05 +00:00
Takashi Iwai 2948f4a4e5 Merge branch 'topic/usb-uac2-effect-unit' into for-next
Merging the UAC2 effect unit parser improvement.  As it's based on the
previous usb-audio driver fix, it was deviated from for-next branch.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-02-17 15:30:32 +01:00
Takashi Iwai 146f66975b ALSA: pcm: oss: Unlock mutex temporarily for sleeping at read/write
ALSA PCM OSS layer calls the generic __snd_pcm_lib_xfer() helper for
the actual transfer of the audio data.  The xfer helper may sleep long
for waiting for the enough space becoming empty for read/write, and
it does unlock/relock for the substream lock.  This works fine, so
far, but a slight problem specific to OSS layer is that OSS layer
wraps yet more mutex (runtime->oss.params_lock) over
__snd_pcm_lib_xfer() call; so this mutex is still locked during a
possible long sleep, and it prevents the whole ioctl and other actions
applied to the given stream.

This patch adds the temporarily unlock and relock of the mutex around
__snd_pcm_lib_xfer() call in the OSS layer to be more friendly to the
concurrent accesses.  The long mutex protection itself shouldn't be a
real issue for the normal systems, and its influence appears only on
strange things like fuzzers.

Link: https://lore.kernel.org/r/20200214171643.26212-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-02-14 18:17:13 +01:00
Takashi Iwai dc7497795e ALSA: seq: Fix concurrent access to queue current tick/time
snd_seq_check_queue() passes the current tick and time of the given
queue as a pointer to snd_seq_prioq_cell_out(), but those might be
updated concurrently by the seq timer update.

Fix it by retrieving the current tick and time via the proper helper
functions at first, and pass those values to snd_seq_prioq_cell_out()
later in the loops.

snd_seq_timer_get_cur_time() takes a new argument and adjusts with the
current system time only when it's requested so; this update isn't
needed for snd_seq_check_queue(), as it's called either from the
interrupt handler or right after queuing.

Also, snd_seq_timer_get_cur_tick() is changed to read the value in the
spinlock for the concurrency, too.

Reported-by: syzbot+fd5e0eaa1a32999173b2@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/20200214111316.26939-3-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-02-14 15:53:09 +01:00
Takashi Iwai bb51e669fa ALSA: seq: Avoid concurrent access to queue flags
The queue flags are represented in bit fields and the concurrent
access may result in unexpected results.  Although the current code
should be mostly OK as it's only reading a field while writing other
fields as KCSAN reported, it's safer to cover both with a proper
spinlock protection.

This patch fixes the possible concurrent read by protecting with
q->owner_lock.  Also the queue owner field is protected as well since
it's the field to be protected by the lock itself.

Reported-by: syzbot+65c6c92d04304d0a8efc@syzkaller.appspotmail.com
Reported-by: syzbot+e60ddfa48717579799dd@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/20200214111316.26939-2-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-02-14 15:52:59 +01:00
Rafael J. Wysocki 5371a79be9 sound: Call cpu_latency_qos_*() instead of pm_qos_*()
Call cpu_latency_qos_add/update/remove_request() and
cpu_latency_qos_request_active() instead of
pm_qos_add/update/remove_request() and pm_qos_request_active(),
respectively, because the latter are going to be dropped.

No intentional functional impact.

Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Acked-by: Mark Brown <broonie@kernel.org>
Acked-by: Takashi Iwai <tiwai@suse.de>
Reviewed-by: Amit Kucheria <amit.kucheria@linaro.org>
Tested-by: Amit Kucheria <amit.kucheria@linaro.org>
2020-02-14 10:37:25 +01:00
Takashi Iwai 0fbb027b44 ALSA: pcm: Fix double hw_free calls
The commit 66f2d19f81 ("ALSA: pcm: Fix memory leak at closing a
stream without hw_free") tried to fix the regression wrt the missing
hw_free call at closing without SNDRV_PCM_IOCTL_HW_FREE ioctl.
However, the code change dropped mistakenly the state check, resulting
in calling hw_free twice when SNDRV_PCM_IOCTL_HW_FRE got called
beforehand.  For most drivers, this is almost harmless, but the
drivers like SOF show another regression now.

This patch adds the state condition check before calling do_hw_free()
at releasing the stream for avoiding the double hw_free calls.

Fixes: 66f2d19f81 ("ALSA: pcm: Fix memory leak at closing a stream without hw_free")
Reported-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Reported-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Tested-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/s5hd0ajyprg.wl-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-02-13 16:30:22 +01:00
Gustavo A. R. Silva 9478bd43a2 ALSA: core: Replace zero-length array with flexible-array member
The current codebase makes use of the zero-length array language
extension to the C90 standard, but the preferred mechanism to declare
variable-length types such as these ones is a flexible array member[1][2],
introduced in C99:

struct foo {
        int stuff;
        struct boo array[];
};

By making use of the mechanism above, we will get a compiler warning
in case the flexible array does not occur last in the structure, which
will help us prevent some kind of undefined behavior bugs from being
inadvertenly introduced[3] to the codebase from now on.

This issue was found with the help of Coccinelle.

[1] https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html
[2] https://github.com/KSPP/linux/issues/21
[3] commit 7649773293 ("cxgb3/l2t: Fix undefined behaviour")

Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Link: https://lore.kernel.org/r/20200211193910.GA4596@embeddedor
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-02-12 08:14:43 +01:00
Peter Ujfalusi 9d789dc047
ALSA: dmaengine_pcm: Consider DMA cache caused delay in pointer callback
Some DMA engines can have big FIFOs which adds to the latency.
The DMAengine framework can report the FIFO utilization in bytes. Use this
information for the delay reporting.

Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
Reviewed-by: Takashi Iwai <tiwai@suse.de>
Link: https://lore.kernel.org/r/20200210153336.10218-1-peter.ujfalusi@ti.com
Signed-off-by: Mark Brown <broonie@kernel.org>
2020-02-11 15:42:31 +00:00
Peter Ujfalusi fa1f875c12
ALSA: dmaengine_pcm: Consider DMA cache caused delay in pointer callback
Some DMA engines can have big FIFOs which adds to the latency.
The DMAengine framework can report the FIFO utilization in bytes. Use this
information for the delay reporting.

Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
Reviewed-by: Takashi Iwai <tiwai@suse.de>
Link: https://lore.kernel.org/r/20200210151402.29634-1-peter.ujfalusi@ti.com
Signed-off-by: Mark Brown <broonie@kernel.org>
2020-02-11 11:52:34 +00:00
Colin Ian King 0e023687ca ALSA: info: remove redundant assignment to variable c
Variable c is being assigned with the value -1 that is never read,
it is assigned a new value in a following while-loop. The assignment
is redundant and can be removed.

Addresses-Coverity: ("Unused value")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Link: https://lore.kernel.org/r/20200208224206.38540-1-colin.king@canonical.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-02-10 08:30:02 +01:00
Takashi Iwai 49d9e43f36 ALSA: pcm: Minor refactoring
Make a common helper for validating the format type.
This reduces the number of cast in the code that are needed for
suppressing sparse warnings.

No functional changes, just minor refactoring.

Link: https://lore.kernel.org/r/20200206163945.6797-9-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-02-10 08:28:12 +01:00
Takashi Iwai 89e0b9a060 ALSA: pcm_dmaengine: Use pcm_for_each_format() macro for PCM format iteration
The new macro can fix the sparse warnings gracefully:
  sound/core/pcm_dmaengine.c:429:50: warning: restricted snd_pcm_format_t degrades to integer
  sound/core/pcm_dmaengine.c:429:55: warning: restricted snd_pcm_format_t degrades to integer
  sound/core/pcm_dmaengine.c:429:79: warning: restricted snd_pcm_format_t degrades to integer

No functional changes, just sparse warning fixes.

Link: https://lore.kernel.org/r/20200206163945.6797-8-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-02-10 08:28:02 +01:00
Takashi Iwai f9b0c053a2 ALSA: pcm: Use a macro for parameter masks to reduce the needed cast
The parameter bit mask needs often explicit cast with __force,
e.g. for the PCM subformat type.  Instead of adding __force at each
place, which is error prone, this patch introduces a new macro and
replaces the all bit shift with it.  This fixes the sparse warnings
like the following:
  sound/core/pcm_native.c:2508:30: warning: restricted snd_pcm_access_t degrades to integer

No functional changes, just sparse warning fixes.

Link: https://lore.kernel.org/r/20200206163945.6797-7-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-02-10 08:27:51 +01:00
Takashi Iwai ba71d227f4 ALSA: pcm: Use standard macros for fixing PCM format cast
Simplify the code with the new macros for PCM format type iterations.
This fixes the sparse warnings nicely:
  sound/core/pcm_native.c:2302:26: warning: restricted snd_pcm_format_t degrades to integer
  sound/core/pcm_native.c:2306:54: warning: incorrect type in argument 1 (different base types)
  sound/core/pcm_native.c:2306:54:    expected restricted snd_pcm_format_t [usertype] format
  sound/core/pcm_native.c:2306:54:    got unsigned int [assigned] k
  ....

No functional changes, just sparse warning fixes.

Link: https://lore.kernel.org/r/20200206163945.6797-6-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-02-10 08:27:41 +01:00
Linus Torvalds 750ce8ccd8 sound fixes for 5.6-rc1
A collection of pending small fixes since the previous PR.
 
 ALSA core:
 - PCM memory leak fix
 
 ASoC:
 - Lots of SOF and Intel driver fixes
 - Addition of COMMON_CLK for wcd934x
 - Regression fixes for AMD and Tegra platforms
 
 HD-audio:
 - DP-MST HDMI regression fix, Tegra workarounds, HP quirk fix
 
 Others:
 - A few fixes relevant with the recent uapi-updates
 - Sparse warnings and endianness fixes
 -----BEGIN PGP SIGNATURE-----
 
 iQJCBAABCAAsFiEEIXTw5fNLNI7mMiVaLtJE4w1nLE8FAl47+oEOHHRpd2FpQHN1
 c2UuZGUACgkQLtJE4w1nLE+GYg//dNu8r2M6y60btHjaWxblmdhHF3XQ5EwSxvSX
 QT1gm3pg8PMefJNOSD5IhD7Spll6SYz89YpKpPr3NneV5bcDSozdAt50vbtZvqry
 notOqSpL4DubIcYIrhLWI6mq9cIOXIgGnY1cs2KIkoDdNUSDD44nCG1FoUu163tI
 mBPDgjZqAAMseCu4jwRInfE2iUJHGNrkQBDc3+1yZFPog/APoLocRKF7paF1N73f
 A8kGDCoWUmk8mGb93lUxiDg09gK0aCHNmcjIR4Q4MPD16Yg+o1RgGwY81xdyKjs1
 neNCfSCyhYgkON8rvJIsE46qGbqax6/JT7QxCqbyy/Vj4s5MfUivqnWRFwnUisB+
 OoQa37Vd893gjxz1+JvmjrqKTWPmSbHMiuqFj5e1X+HqEVxdKDJMMPwzqlVjRq4K
 Ma18ACK1EQmb4Hsh2U488EjZp/n/FoOmqFSjE6qaHpfdq7YT0bv2lV+f8QFNmliF
 aeJ+ktp6GU2FFV2U4/iZmRUeTZgJpz6m2mLix++Jn11RbSewxj4uyZPKbBYPj7JZ
 NK2l/OgMUxj4qM3ZkgQUOnihIWSqdx0lySgXPWe7fLokMTPNsVr5X2ztD9m1uyX8
 lbJuZsXNGMUS6v3aAy8zoCp2sc1G8heM5Z/WUiZQtUtjpUJ3DATK7sEdv3hLJpFB
 sYw41vs=
 =Mcey
 -----END PGP SIGNATURE-----

Merge tag 'sound-fix-5.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "A collection of pending small fixes:

  ALSA core:
   - PCM memory leak fix

  ASoC:
   - Lots of SOF and Intel driver fixes
   - Addition of COMMON_CLK for wcd934x
   - Regression fixes for AMD and Tegra platforms

  HD-audio:
   - DP-MST HDMI regression fix, Tegra workarounds, HP quirk fix

  Others:
   - A few fixes relevant with the recent uapi-updates
   - Sparse warnings and endianness fixes"

* tag 'sound-fix-5.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (35 commits)
  ALSA: hda: Clear RIRB status before reading WP
  ALSA: hda/realtek - Fixed one of HP ALC671 platform Headset Mic supported
  ASoC: wcd934x: Add missing COMMON_CLK dependency to SND_SOC_ALL_CODECS
  ALSA: hda - Fix DP-MST support for NVIDIA codecs
  ASoC: wcd934x: Add missing COMMON_CLK dependency
  MAINTAINERS: Remove the Bard Liao from the MAINTAINERS of Realtek CODECs
  ASoC: tegra: Revert 24 and 32 bit support
  ASoC: SOF: Intel: add PCI ID for JasperLake
  ALSA: hdsp: Make the firmware loading ioctl a bit more readable
  ALSA: emu10k1: Fix annotation and cast for the recent uapi header change
  ALSA: dummy: Fix PCM format loop in proc output
  ALSA: usb-audio: Annotate endianess in Scarlett gen2 quirk
  ALSA: usb-audio: Fix endianess in descriptor validation
  ALSA: hda: Add JasperLake PCI ID and codec vid
  ALSA: pcm: Fix sparse warnings wrt snd_pcm_state_t
  ALSA: pcm: Fix memory leak at closing a stream without hw_free
  ALSA: uapi: Fix sparse warning
  ASoC: rt715: Add __maybe_unused to PM callbacks
  ASoC: rt711: Add __maybe_unused to PM callbacks
  ASoC: rt700: Add __maybe_unused to PM callbacks
  ...
2020-02-06 14:15:01 +00:00
Alexey Dobriyan 97a32539b9 proc: convert everything to "struct proc_ops"
The most notable change is DEFINE_SHOW_ATTRIBUTE macro split in
seq_file.h.

Conversion rule is:

	llseek		=> proc_lseek
	unlocked_ioctl	=> proc_ioctl

	xxx		=> proc_xxx

	delete ".owner = THIS_MODULE" line

[akpm@linux-foundation.org: fix drivers/isdn/capi/kcapi_proc.c]
[sfr@canb.auug.org.au: fix kernel/sched/psi.c]
  Link: http://lkml.kernel.org/r/20200122180545.36222f50@canb.auug.org.au
Link: http://lkml.kernel.org/r/20191225172546.GB13378@avx2
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2020-02-04 03:05:26 +00:00
Takashi Iwai cb639a420e ALSA: pcm: Fix sparse warnings wrt snd_pcm_state_t
Since we have a bitwise definition of snd_pcm_state_t and use it for
certain struct fields, a few new (and years old) sparse warnings came
up.  This patch is an attempt to cover them.

- The state fields in snd_pcm_mmap_status* and co are all defined as
  snd_pcm_state_t type now

- The PCM action callbacks take snd_pcm_state_t argument as well;
  some actions taking special values got the explicit cast and
  comments

- For the PCM action that doesn't need an extra argument receives
  ACTION_ARG_IGNORE instead of ambiguous 0

While we're at it, the boolean argument is also properly changed to
bool and true/false, as well as a slight refactoring of PCM pause
helper function to make easier to read.

No functional changes, just shutting up chatty sparse.

Fixes: 46b770f720 ("ALSA: uapi: Fix sparse warning")
Reported-by: kbuild test robot <lkp@intel.com>
Link: https://lore.kernel.org/r/20200131152214.11698-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-01-31 16:23:13 +01:00
Takashi Iwai 66f2d19f81 ALSA: pcm: Fix memory leak at closing a stream without hw_free
ALSA PCM core recently introduced a new managed PCM buffer allocation
mode that does allocate / free automatically at hw_params and
hw_free.  However, it overlooked the code path directly calling
hw_free PCM ops at releasing the PCM substream, and it may result in a
memory leak as spotted by syzkaller when no buffer preallocation is
used (e.g. vmalloc buffer).

This patch papers over it with a slight refactoring.  The hw_free ops
call and relevant tasks are unified in a new helper function, and call
it from both places.

Fixes: 0dba808eae ("ALSA: pcm: Introduce managed buffer allocation mode")
Reported-by: syzbot+30edd0f34bfcdc548ac4@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200129195907.12197-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-01-29 21:01:19 +01:00
Takashi Iwai d4cfb30fce ALSA: pcm: Set per-card upper limit of PCM buffer allocations
Currently, the available buffer allocation size for a PCM stream
depends on the preallocated size; when a buffer has been preallocated,
the max buffer size is set to that size, so that application won't
re-allocate too much memory.  OTOH, when no preallocation is done,
each substream may allocate arbitrary size of buffers as long as
snd_pcm_hardware.buffer_bytes_max allows -- which can be quite high,
HD-audio sets 1GB there.

It means that the system may consume a high amount of pages for PCM
buffers, and they are pinned and never swapped out.  This can lead to
OOM easily.

For avoiding such a situation, this patch adds the upper limit per
card.  Each snd_pcm_lib_malloc_pages() and _free_pages() calls are
tracked and it will return an error if the total amount of buffers
goes over the defined upper limit.  The default value is set to 32MB,
which should be really large enough for usual operations.

If larger buffers are needed for any specific usage, it can be
adjusted (also dynamically) via snd_pcm.max_alloc_per_card option.
Setting zero there means no chceck is performed, and again, unlimited
amount of buffers are allowed.

Link: https://lore.kernel.org/r/20200120124423.11862-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-01-21 07:11:55 +01:00
Takashi Iwai 9d0af44c2e Merge branch 'for-linus' into for-next
Resolved the merge conflict in HD-audio Tegra driver.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-01-20 11:44:51 +01:00
Takashi Iwai d662117c7a ALSA: pcm: Make snd_pcm_hw_constraints_init() and _complete() static
Both snd_pcm_hw_constraints_init() and _complete() functions are
called only from pcm_native.c, hence they can be static for further
optimization.

Link: https://lore.kernel.org/r/20200116162825.24792-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-01-16 17:29:33 +01:00
Takashi Iwai 60adcfde92 ALSA: seq: Fix racy access for queue timer in proc read
snd_seq_info_timer_read() reads the information of the timer assigned
for each queue, but it's done in a racy way which may lead to UAF as
spotted by syzkaller.

This patch applies the missing q->timer_mutex lock while accessing the
timer object as well as a slight code change to adapt the standard
coding style.

Reported-by: syzbot+2b2ef983f973e5c40943@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200115203733.26530-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-01-15 21:38:18 +01:00
Pierre-Louis Bossart f999348021 ALSA: timer: fix nsec/sec initialization confusion
GCC reports a warning with W=1:

sound/core/timer.c: In function ‘snd_timer_user_read’:
sound/core/timer.c:2219:19: warning: initialized field overwritten
[-Woverride-init]
 2219 |     .tstamp_sec = tread->tstamp_nsec,
      |                   ^~~~~
sound/core/timer.c:2219:19: note: (near initialization for
‘(anonymous).tstamp_sec’)

Assigning nsec values to sec fields is problematic in general, even
more so when the initial goal was to survive the 2030 timer
armageddon.

Fix by using the proper field in the initialization

Cc: Baolin Wang <baolin.wang@linaro.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Fixes: 07094ae6f9 ("ALSA: Avoid using timespec for struct snd_timer_tread")
Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/20200111203325.20498-1-pierre-louis.bossart@linux.intel.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-01-12 09:08:22 +01:00
Dan Carpenter 3b2549a374 ALSA: control: potential uninitialized return value
Smatch complains that "ret" might be uninitialized.

Fixes: fbd3eb7f66 ("ALSA: control: Add verification for kctl accesses")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20200108053706.h3hcnvmnf62wkjac@kili.mountain
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-01-08 07:20:28 +01:00
Takashi Iwai edb87ed5f9 ALSA: rawmidi: More constification
Apply const prefix to the static flag info table.

Just for minor optimization and no functional changes.

Link: https://lore.kernel.org/r/20200105144823.29547-42-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-01-05 16:14:58 +01:00
Takashi Iwai b40fe4bbc7 ALSA: oss: More constifications
Apply const prefix to the static tables for strings and formats.

Just for minor optimization and no functional changes.

Link: https://lore.kernel.org/r/20200105144823.29547-41-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-01-05 16:14:58 +01:00
Takashi Iwai f98903fce9 ALSA: jack: More constification
Apply const prefix to the static jack switch table.

Just for minor optimization and no functional changes.

Link: https://lore.kernel.org/r/20200105144823.29547-40-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-01-05 16:14:57 +01:00
Takashi Iwai 51d7847a2d ALSA: info: More constifications
Apply const prefix to the string array and its callers.

Just for minor optimization and no functional changes.

Link: https://lore.kernel.org/r/20200105144823.29547-39-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-01-05 16:14:57 +01:00
Takashi Iwai 731922a593 ALSA: seq: More constifications
Apply const prefix to the remaining sequencer code: the static tables
for MIDI macros, RPN/NRPN, and some strings.

Just for minor optimization and no functional changes.

Link: https://lore.kernel.org/r/20200105144823.29547-7-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-01-05 16:14:29 +01:00
Takashi Iwai d03af9b8ea ALSA: pcm: More constifications
Apply const prefix to more possible places: the string tables for PCM
format and co, the table for the PCM type helpers, etc.

Just for minor optimization and no functional changes.

Link: https://lore.kernel.org/r/20200105144823.29547-6-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-01-05 16:14:29 +01:00
Takashi Iwai fbd3eb7f66 ALSA: control: Add verification for kctl accesses
The current implementation of ALSA control API fully relies on the
callbacks of each driver, and there is no verification of the values
passed via API.  This patch is an attempt to improve the situation
slightly by adding the validation code for the values stored via info
and get callbacks.

The patch adds a new kconfig, CONFIG_SND_CTL_VALIDATION.  It depends
on CONFIG_SND_DEBUG and off as default since the validation would
require a slight overhead including the additional call of info
callback at each get callback invocation.

When this config is enabled, the values stored by each info callback
invocation are verified, namely:
- Whether the info type is valid
- Whether the number of enum items is non-zero
- Whether the given info count is within the allowed boundary

Similarly, the values stored at each get callback are verified as
well:
- Whether the values are within the given range
- Whether the values are aligned with the given step
- Whether any further changes are seen in the data array over the
  given info count

The last point helps identifying a possibly invalid data type access,
typically a case where the info callback declares the type being
SNDRV_CTL_ELEM_TYPE_ENUMERATED while the get/put callbacks store
the values in value.integer.value[] array.

When a validation fails, the ALSA core logs an error message including
the device and the control ID, and the API call also returns an
error.  So, with the new validation turned on, the driver behavior
difference may be visible on user-space, too -- it's intentional,
though, so that we can catch an error more clearly.

The patch also introduces a new ctl access type,
SNDRV_CTL_ELEM_ACCESS_SKIP_CHECK.  A driver may pass this flag with
other access bits to indicate that the ctl element won't be verified.
It's useful when a driver code is specially written to access the data
greater than info->count size by some reason.  For example, this flag
is actually set now in HD-audio HDMI codec driver which needs to clear
the data array in the case of the disconnected monitor.

Also, the PCM channel-map helper code is slightly modified to avoid
the false-positive hit by this validation code, too.

Link: https://lore.kernel.org/r/20200104083556.27789-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-01-04 09:37:59 +01:00
Takashi Iwai 454f5ec1d2 ALSA: mixer: oss: Constify snd_mixer_oss_assign_table definition
The snd_mixer_oss_assign_table is read-only, and can it be declared as
const.

There should be no functional changes by this patch.

Link: https://lore.kernel.org/r/20200103081714.9560-32-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-01-03 09:24:22 +01:00
Takashi Iwai aad7ebb544 ALSA: seq: Constify struct snd_midi_op
Change the argument of snd_midi_process_event() to receive a const
snd_midi_op pointer and its callers respectively.  This allows further
optimizations.

There should be no functional changes by this patch.

Link: https://lore.kernel.org/r/20200103081714.9560-30-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-01-03 09:24:19 +01:00
Takashi Iwai df76996a2c ALSA: timer: Constify snd_timer_hardware definitions
Most of snd_timer_hardware definitions do simply copying to another
struct as-is.  Mark them as const for further optimization.

There should be no functional changes by this patch.

Link: https://lore.kernel.org/r/20200103081714.9560-21-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-01-03 09:24:07 +01:00
Takashi Iwai f15ee210cd ALSA: core: Constify snd_device_ops definitions
Now we may declare const for snd_device_ops definitions, so let's do
it for optimization.

There should be no functional changes by this patch.

Link: https://lore.kernel.org/r/20200103081714.9560-5-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-01-03 09:23:51 +01:00
Takashi Iwai 8b57582430 ALSA: core: Treat snd_device_ops as const
This is a preliminary patch to allow const for snd_device_ops
definitions in each driver's code.  The ops reference is read-only,
hence it can be declared as const for further optimization.

There should be no functional changes by this patch.

Link: https://lore.kernel.org/r/20200103081714.9560-4-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-01-03 09:23:50 +01:00
Takashi Sakamoto d61fe22c2a ALSA: ctl: allow TLV read operation for callback type of element in locked case
A design of ALSA control core allows applications to execute three
operations for TLV feature; read, write and command. Furthermore, it
allows driver developers to process the operations by two ways; allocated
array or callback function. In the former, read operation is just allowed,
thus developers uses the latter when device driver supports variety of
models or the target model is expected to dynamically change information
stored in TLV container.

The core also allows applications to lock any element so that the other
applications can't perform write operation to the element for element
value and TLV information. When the element is locked, write and command
operation for TLV information are prohibited as well as element value.
Any read operation should be allowed in the case.

At present, when an element has callback function for TLV information,
TLV read operation returns EPERM if the element is locked. On the
other hand, the read operation is success when an element has allocated
array for TLV information. In both cases, read operation is success for
element value expectedly.

This commit fixes the bug. This change can be backported to v4.14
kernel or later.

Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Link: https://lore.kernel.org/r/20191223093347.15279-1-o-takashi@sakamocchi.jp
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-12-24 15:29:12 +01:00
Takashi Sakamoto ff16351e3f ALSA: ctl: remove dimen member from elem_info structure
The 'dimen' member of 'struct snd_ctl_elem_info' is designed to deliver
information to use an array of value as multi-dimensional values. This
feature is used just by echoaudio PCI driver, and fortunately it's not
used by the other applications than 'echomixer' in alsa-tools.

In a previous commit, usage of 'dimen' member is removed from echoaudio
PCI driver. Nowadays no driver/application use the feature.

This commit removes the member from structure.

Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Link: https://lore.kernel.org/r/20191223023921.8151-4-o-takashi@sakamocchi.jp
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-12-23 15:57:35 +01:00
Takashi Iwai a032ff0e80 Merge branch 'for-linus' into for-next
Taking the 5.5 devel branch back into the main devel branch.
A USB-audio fix needs to be adjusted to adapt the changes that have
been formerly applied for stop_sync.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-12-18 20:07:43 +01:00
Takashi Iwai df1d6ea05a ALSA: Fix year 2038 issue for sound subsystem
This is a series I worked on with Baolin in 2017 and 2018, but we
 never quite managed to finish up the last pieces. During the
 ALSA developer meetup at ELC-E 2018 in Edinburgh, a decision was
 made to go with this approach for keeping best compatibility
 with existing source code, and then I failed to follow up by
 resending the patches.
 
 Now I have patches for all remaining time_t uses in the kernel,
 so it's absolutely time to revisit them. I have done more
 review of the patches myself and found a couple of minor issues
 that I have fixed up, otherwise the series is still the same as
 before.
 
 Conceptually, the idea of these patches is:
 
 - 64-bit applications should see no changes at all, neither
   compile-time nor run-time.
 
 - 32-bit code compiled with a 64-bit time_t currently
   does not work with ALSA, and requires kernel changes and/or
   sound/asound.h changes
 
 - Most 32-bit code using these interfaces will work correctly
   on a modified kernel, with or without the uapi header changes.
 
 - 32-bit code using SNDRV_TIMER_IOCTL_TREAD requires the
   updated header file for 64-bit time_t support
 
 - 32-bit i386 user space with 64-bit time_t is broken for
   SNDRV_PCM_IOCTL_STATUS, SNDRV_RAWMIDI_IOCTL_STATUS and
   SNDRV_PCM_IOCTL_SYNC_PTR because of i386 alignment. This is also
   addressed by the updated uapi header.
 
 - PCM mmap is currently supported on native x86 kernels
   (both 32-bit and 64-bit) but not for compat mode. This series breaks
   the 32-bit native mmap support for 32-bit time_t, but instead allows
   it for 64-bit time_t on both native and compat kernels. This seems to
   be the best trade-off, as mmap support is optional already, and most
   32-bit code runs in compat mode anyway.
 
 - I've tried to avoid breaking compilation of 32-bit code
   as much as possible. Anything that does break however is likely code
   that is already broken on 64-bit time_t and needs source changes to
   fix them.
 
 [1] https://git.kernel.org/pub/scm/linux/kernel/git/arnd/playground.git y2038-alsa-v8
 [2] https://lore.kernel.org/lkml/CAK8P3a2Os66+iwQYf97qh05W2JP8rmWao8zmKoHiXqVHvyYAJA@mail.gmail.com/T/#m6519cb07cfda08adf1dedea6596bb98892b4d5dc
 
 Signed-off-by: Arnd Bergmann <arnd@arndb.de>
 
 Changes since v7: (Arnd):
  - Fix a typo found by Ben Hutchings
 
 Changes since v6: (Arnd):
  - Add a patch to update the API versions
  - Hide a timespec reference in #ifndef __KERNEL__ to remove the
    last reference to time_t
  - Use a more readable way to do padding and describe it in the
    changelog
  - Rebase to linux-5.5-rc1, changing include/sound/soc-component.h
    and sound/drivers/aloop.c as needed.
 
 Changes since v5 (Arnd):
  - Rebased to linux-5.4-rc4
  - Updated to completely remove timespec and time_t references from alsa
  - found and fixed a few bugs
 
 Changes since v4 (Baolin):
  - Add patch 5 to change trigger_tstamp member of struct snd_pcm_runtime.
  - Add patch 8 to change internal timespec.
  - Add more explanation in commit message.
  - Use ktime_get_real_ts64() in patch 6.
  - Split common code out into a separate function in patch 6.
  - Fix tu->tread bug in patch 6 and remove #if __BITS_PER_LONG == 64 macro.
 
 Changes since v3:
  - Move struct snd_pcm_status32 to pcm.h file.
  - Modify comments and commit message.
  - Add new patch2 ~ patch6.
 
 Changes since v2:
  - Renamed all structures to make clear.
  - Remove CONFIG_X86_X32 macro and introduced new compat_snd_pcm_status64_x86_32.
 
 Changes since v1:
  - Add one macro for struct snd_pcm_status_32 which only active in 32bits kernel.
  - Convert pcm_compat.c to use struct snd_pcm_status_64.
  - Convert pcm_native.c to use struct snd_pcm_status_64.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABCAAGBQJd+URTAAoJEGCrR//JCVIn4FwQAJlo8vLvc/bZc58cw5KBdsal
 /lgYiCoT2Q7IMC3FHr28jVd+R3vAzfSMJFmwawCtV0iNXOsAHv2yyE9+whqH0ljg
 oz1o7X+oDBBa9Fed1WIxrAjFWzI7u+4lz29qvkenP6x2h9tvvMq0cdxRMz4qSVPk
 u7c7Yui/yEtBHmcWoQFNhIpeTFg8QCPZnR9SkyZ4O/q1GS9n+Ep5kLioFl3PQGGi
 KndZ+gMBgIj4l7sRV0l2KFzP/N2dXowUlP+AW9V80LgSI4VyQ7jgMG+QalgzAXwH
 ey1apJ38m51EglAi4TTglcTpe/TyTKLHs9JBAI+7QNa90EwJTrmjmXwXtfnBVlAS
 d0uK7ISFNyK/PujYsUD7FQrDeubgSeAYHyKtAh3YGVKFUEOBsGywSVyuCIoRJsmR
 2mJFHrsZnvKyooGJY9gwMmttoanwcXnGXloTjFQF7qEzFoi2BdoBsjWrDiN+3olc
 WVbW3rWSjVeKzD9cEylchTxkxFP1j2NDQEPD4epq+ncm0feq9mC7rrt5G9gXKMmu
 qf2pMEUKFE7Tn3LllT4iUY7z4FybgEuKADH5/5zQjsVvBZ5BCvi1BDUJaYRQozxh
 hC6ovFG7uTRL6wOw/7GGx9/lgX2GQ91z6IJeuqZSLj+tdlzVKoScfRgnrbZS8ZOy
 W4RfCyuo5PedyqfTeTEX
 =58V0
 -----END PGP SIGNATURE-----

Merge tag 'y2038-alsa-v8-signed' of git://git.kernel.org:/pub/scm/linux/kernel/git/arnd/playground into for-next

ALSA: Fix year 2038 issue for sound subsystem

This is a series I worked on with Baolin in 2017 and 2018, but we
never quite managed to finish up the last pieces. During the
ALSA developer meetup at ELC-E 2018 in Edinburgh, a decision was
made to go with this approach for keeping best compatibility
with existing source code, and then I failed to follow up by
resending the patches.

Now I have patches for all remaining time_t uses in the kernel,
so it's absolutely time to revisit them. I have done more
review of the patches myself and found a couple of minor issues
that I have fixed up, otherwise the series is still the same as
before.

Conceptually, the idea of these patches is:

- 64-bit applications should see no changes at all, neither
  compile-time nor run-time.

- 32-bit code compiled with a 64-bit time_t currently
  does not work with ALSA, and requires kernel changes and/or
  sound/asound.h changes

- Most 32-bit code using these interfaces will work correctly
  on a modified kernel, with or without the uapi header changes.

- 32-bit code using SNDRV_TIMER_IOCTL_TREAD requires the
  updated header file for 64-bit time_t support

- 32-bit i386 user space with 64-bit time_t is broken for
  SNDRV_PCM_IOCTL_STATUS, SNDRV_RAWMIDI_IOCTL_STATUS and
  SNDRV_PCM_IOCTL_SYNC_PTR because of i386 alignment. This is also
  addressed by the updated uapi header.

- PCM mmap is currently supported on native x86 kernels
  (both 32-bit and 64-bit) but not for compat mode. This series breaks
  the 32-bit native mmap support for 32-bit time_t, but instead allows
  it for 64-bit time_t on both native and compat kernels. This seems to
  be the best trade-off, as mmap support is optional already, and most
  32-bit code runs in compat mode anyway.

- I've tried to avoid breaking compilation of 32-bit code
  as much as possible. Anything that does break however is likely code
  that is already broken on 64-bit time_t and needs source changes to
  fix them.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/arnd/playground.git y2038-alsa-v8
[2] https://lore.kernel.org/lkml/CAK8P3a2Os66+iwQYf97qh05W2JP8rmWao8zmKoHiXqVHvyYAJA@mail.gmail.com/T/#m6519cb07cfda08adf1dedea6596bb98892b4d5dc

Signed-off-by: Arnd Bergmann <arnd@arndb.de>

Changes since v7: (Arnd):
 - Fix a typo found by Ben Hutchings

Changes since v6: (Arnd):
 - Add a patch to update the API versions
 - Hide a timespec reference in #ifndef __KERNEL__ to remove the
   last reference to time_t
 - Use a more readable way to do padding and describe it in the
   changelog
 - Rebase to linux-5.5-rc1, changing include/sound/soc-component.h
   and sound/drivers/aloop.c as needed.

Changes since v5 (Arnd):
 - Rebased to linux-5.4-rc4
 - Updated to completely remove timespec and time_t references from alsa
 - found and fixed a few bugs

Changes since v4 (Baolin):
 - Add patch 5 to change trigger_tstamp member of struct snd_pcm_runtime.
 - Add patch 8 to change internal timespec.
 - Add more explanation in commit message.
 - Use ktime_get_real_ts64() in patch 6.
 - Split common code out into a separate function in patch 6.
 - Fix tu->tread bug in patch 6 and remove #if __BITS_PER_LONG == 64 macro.

Changes since v3:
 - Move struct snd_pcm_status32 to pcm.h file.
 - Modify comments and commit message.
 - Add new patch2 ~ patch6.

Changes since v2:
 - Renamed all structures to make clear.
 - Remove CONFIG_X86_X32 macro and introduced new compat_snd_pcm_status64_x86_32.

Changes since v1:
 - Add one macro for struct snd_pcm_status_32 which only active in 32bits kernel.
 - Convert pcm_compat.c to use struct snd_pcm_status_64.
 - Convert pcm_native.c to use struct snd_pcm_status_64.
2019-12-17 23:12:39 +01:00
Takashi Iwai add9d56d7b ALSA: pcm: Avoid possible info leaks from PCM stream buffers
The current PCM code doesn't initialize explicitly the buffers
allocated for PCM streams, hence it might leak some uninitialized
kernel data or previous stream contents by mmapping or reading the
buffer before actually starting the stream.

Since this is a common problem, this patch simply adds the clearance
of the buffer data at hw_params callback.  Although this does only
zero-clear no matter which format is used, which doesn't mean the
silence for some formats, but it should be OK because the intention is
just to clear the previous data on the buffer.

Reported-by: Lionel Koenig <lionel.koenig@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191211155742.3213-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-12-14 18:53:31 +01:00
Takashi Sakamoto 1faa9d3a3e ALSA: control: remove useless assignment in .info callback of PCM chmap element
Control elements for PCM chmap return information to userspace abount
the maximum number of available PCM channels as the number of values
in the element.

In current implementation the number is once initialized to zero, then
assigned to. This is useless and this commit fixes it.

Fixes: 2d3391ec0e ("ALSA: PCM: channel mapping API implementation")
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Link: https://lore.kernel.org/r/20191214131351.28950-1-o-takashi@sakamocchi.jp
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-12-14 16:39:05 +01:00
Arnd Bergmann 80fe7430c7 ALSA: add new 32-bit layout for snd_pcm_mmap_status/control
The snd_pcm_mmap_status and snd_pcm_mmap_control interfaces are one of the
trickiest areas to get right when moving to 64-bit time_t in user space.

The snd_pcm_mmap_status structure layout is incompatible with user space
that uses a 64-bit time_t, so we need a new layout for it. Since the
SNDRV_PCM_IOCTL_SYNC_PTR ioctl combines it with snd_pcm_mmap_control
into snd_pcm_sync_ptr, we need to change those two as well.

Both structures are also exported via an mmap() operation on certain
architectures, and this suffers from incompatibility between 32-bit
and 64-bit user space. As we have to change both structures anyway,
this is a good opportunity to fix the mmap() problem as well, so let's
standardize on the existing 64-bit layout of the structure where possible.

The downside is that we lose mmap() support for existing 32-bit x86 and
powerpc applications, adding that would introduce very noticeable runtime
overhead and complexity. My assumption here is that not too many people
will miss the removed feature, given that:

- Almost all x86 and powerpc users these days are on 64-bit kernels,
the majority of today's 32-bit users are on architectures that never
supported mmap (ARM, MIPS, ...).
- It never worked in compat mode (it was intentionally disabled there)
- The application already needs to work with a fallback to
SNDRV_PCM_IOCTL_SYNC_PTR, which will keep working with both the old
and new structure layout.

Both the ioctl() and mmap() based interfaces are changed at the same
time, as they are based on the same structures. Unlike other interfaces,
we change the uapi header to export both the traditional structure and
a version that is portable between 32-bit and 64-bit user space code
and that corresponds to the existing 64-bit layout. We further check the
__USE_TIME_BITS64 macro that will be defined by future C library versions
whenever we use the new time_t definition, so any existing user space
source code will not see any changes until it gets rebuilt against a new
C library. However, the new structures are all visible in addition to the
old ones, allowing applications to explicitly request the new structures.

In order to detect the difference between the old snd_pcm_mmap_status and
the new __snd_pcm_mmap_status64 structure from the ioctl command number,
we rely on one quirk in the structure definition: snd_pcm_mmap_status
must be aligned to alignof(time_t), which leads the compiler to insert
four bytes of padding in struct snd_pcm_sync_ptr after 'flags' and a
corresponding change in the size of snd_pcm_sync_ptr itself. On x86-32
(and only there), the compiler doesn't use 64-bit alignment in structure,
so I'm adding an explicit pad in the structure that has no effect on the
existing 64-bit architectures but ensures that the layout matches for x86.

The snd_pcm_uframes_t type compatibility requires another hack: we can't
easily make that 64 bit wide, so I leave the type as 'unsigned long',
but add padding before and after it, to ensure that the data is properly
aligned to the respective 64-bit field in the in-kernel structure.

For the SNDRV_PCM_MMAP_OFFSET_STATUS/CONTROL constants that are used
as the virtual file offset in the mmap() function, we also have to
introduce new constants that depend on hte __USE_TIME_BITS64 macro:
The existing macros are renamed to SNDRV_PCM_MMAP_OFFSET_STATUS_OLD
and SNDRV_PCM_MMAP_OFFSET_CONTROL_OLD, they continue to work fine on
64-bit architectures, but stop working on native 32-bit user space.
The replacement _NEW constants are now used by default for user space
built with __USE_TIME_BITS64, those now work on all new kernels for x86,
ppc and alpha (32 and 64 bit, native and compat). It might be a good idea
for a future alsa-lib to support both the _OLD and _NEW macros and use
the corresponding structures directly. Unmodified alsa-lib source code
will retain the current behavior, so it will no longer be able to use
mmap() for the status/control structures on 32-bit systems, until either
the C library gets updated to 64-bit time_t or alsa-lib gets updated to
support both mmap() layouts.

Co-developed-with: Baolin Wang <baolin.wang@linaro.org>
Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
2019-12-13 11:25:58 +01:00
Arnd Bergmann 09d94175db ALSA: move snd_pcm_ioctl_sync_ptr_compat into pcm_native.c
This is a preparation patch, moving the compat handler for
snd_pcm_ioctl_sync_ptr_compat from pcm_compat.c to pcm_native.c.
No other changes are indented.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
2019-12-13 11:25:58 +01:00
Baolin Wang 07094ae6f9 ALSA: Avoid using timespec for struct snd_timer_tread
The struct snd_timer_tread will use 'timespec' type variables to record
timestamp, which is not year 2038 safe on 32bits system.

Since the struct snd_timer_tread is passed through read() rather than
ioctl(), and the read syscall has no command number that lets us pick
between the 32-bit or 64-bit version of this structure.

Thus we introduced one new command SNDRV_TIMER_IOCTL_TREAD64 and new
struct snd_timer_tread64 replacing timespec with s64 type to handle
64bit time_t. That means we will set tu->tread = TREAD_FORMAT_64BIT
when user space has a 64bit time_t, then we will copy to user with
struct snd_timer_tread64. Otherwise we will use 32bit time_t variables
when copying to user.

Moreover this patch replaces timespec type with timespec64 type and
related y2038 safe APIs.

Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
2019-12-13 11:25:57 +01:00
Baolin Wang d9e5582c4b ALSA: Avoid using timespec for struct snd_rawmidi_status
The struct snd_rawmidi_status will use 'timespec' type variables to record
timestamp, which is not year 2038 safe on 32bits system.

Thus we introduced 'struct snd_rawmidi_status32' and 'struct snd_rawmidi_status64'
to handle 32bit time_t and 64bit time_t in native mode, which replace
timespec with s64 type.

In compat mode, we renamed or introduced new structures to handle 32bit/64bit
time_t in compatible mode. The 'struct snd_rawmidi_status32' and
snd_rawmidi_ioctl_status32() are used to handle 32bit time_t in compat mode.
'struct compat_snd_rawmidi_status64' is used to handle 64bit time_t.

When glibc changes time_t to 64-bit, any recompiled program will issue ioctl
commands that the kernel does not understand without this patch.

Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
2019-12-11 22:06:16 +01:00
Baolin Wang 3ddee7f88a ALSA: Avoid using timespec for struct snd_pcm_status
The struct snd_pcm_status will use 'timespec' type variables to record
timestamp, which is not year 2038 safe on 32bits system.

Userspace will use SNDRV_PCM_IOCTL_STATUS and SNDRV_PCM_IOCTL_STATUS_EXT
as commands to issue ioctl() to fill the 'snd_pcm_status' structure in
userspace. The command number is always defined through _IOR/_IOW/IORW,
so when userspace changes the definition of 'struct timespec' to use
64-bit types, the command number also changes.

Thus in the kernel, we now need to define two versions of each such ioctl
and corresponding ioctl commands to handle 32bit time_t and 64bit time_t
in native mode:
struct snd_pcm_status32 {
	......

	s32 trigger_tstamp_sec;
	s32 trigger_tstamp_nsec;

	......

	s32 audio_tstamp_sec;
	s32 audio_tstamp_nsec;

	......
};

struct snd_pcm_status64 {
	......

	s32 trigger_tstamp_sec;
	s32 trigger_tstamp_nsec;

	......

	s32 audio_tstamp_sec;
	s32 audio_tstamp_nsec;

	......
};

Moreover in compat file, we renamed or introduced new structures to handle
32bit/64bit time_t in compatible mode. The 'struct snd_pcm_status32' and
snd_pcm_status_user32() are used to handle 32bit time_t in compat mode.
'struct compat_snd_pcm_status64' and snd_pcm_status_user_compat64() are used
to handle 64bit time_t.

The implicit padding before timespec is made explicit to avoid incompatible
structure layout between 32-bit and 64-bit x86 due to the different
alignment requirements, and the snd_pcm_status structure is now hidden
from the kernel to avoid relying on the timespec definitio definitionn

Finally we can replace SNDRV_PCM_IOCTL_STATUS and SNDRV_PCM_IOCTL_STATUS_EXT
with new commands and introduce new functions to fill new 'struct snd_pcm_status64'
instead of using unsafe 'struct snd_pcm_status'. Then in future, the new
commands can be matched when userspace changes 'timespec' to 64bit type
to make a size change of 'struct snd_pcm_status'. When glibc changes time_t
to 64-bit, any recompiled program will issue ioctl commands that the kernel
does not understand without this patch.

Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
2019-12-11 22:06:15 +01:00
Baolin Wang a07804cc74 ALSA: Avoid using timespec for struct snd_timer_status
struct snd_timer_status uses 'timespec' type variables to record
timestamp, which will be changed to an incompatible layout with
updated user space using 64-bit time_t.

To handle both the old and the new layout on 32-bit architectures,
this patch introduces 'struct snd_timer_status32' and 'struct snd_timer_status64'
to handle 32bit time_t and 64bit time_t in native mode and compat mode,
which replaces timespec with s64 type.

When glibc changes time_t to 64-bit, any recompiled program will issue
ioctl commands that the kernel does not understand without this patch.

In the public uapi header, snd_timer_status is now guarded by
an #ifndef __KERNEL__ to avoid referencing 'struct timespec'.
The timespec definition will be removed from the kernel to prevent
new y2038 bugs and to avoid the conflict with an incompatible libc
type of the same name.

Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
2019-12-11 22:06:15 +01:00
Baolin Wang fcae40c99f ALSA: Replace timespec with timespec64
Since timespec is not year 2038 safe on 32bit system, and we need to
convert all timespec variables to timespec64 type for sound subsystem.

This patch is used to do preparation for following patches, that will
convert all structures defined in uapi/sound/asound.h to use 64-bit
time_t.

Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
2019-12-11 22:06:14 +01:00
Linus Torvalds 3cf2890f29 sound updates #2 for 5.5-rc1
A few last-minute updates, most of them are the regression fixes:
 - AMD HD-audio HDMI runtime PM improvements
 - Fixes for HD-audio HDMI regressions wrt DP-MST
 - A regression fix for the previous aloop enhancement
 - A fix for a long-time problem in PCM OSS layer that was spotted by
   fuzzer now
 - A few HD-audio quirks
 -----BEGIN PGP SIGNATURE-----
 
 iQJCBAABCAAsFiEEIXTw5fNLNI7mMiVaLtJE4w1nLE8FAl3qVZwOHHRpd2FpQHN1
 c2UuZGUACgkQLtJE4w1nLE9jNRAA1Z/OAAwuoOHPDRVCKvlsZ/cm2FG7jaaTxSpi
 p8jcs59gKhIzeDD9w2WMNr8sw7mx+S7t4r0OPLqGyOlmfwxOIPiZ9P4WJAr+EXJV
 IWjG/lfyqWswcLQIo543OKEDv/4enKnKGL5UxBQyHUDmBsnK0dRLmVchQvGfZrwJ
 wV6Z7qfpBg/DqCA5cEZj6M2j+CyWn6PzBwK7mJTEO9r/JPwONRK9kSu85kbKSGyp
 GpKosgMv9jJ3aoC9sPgEEh03i++y5q/Sn9LrMkuv7oCF7to46DmpXobKQAod9sQT
 nnFYhXNz9y2kStNPlWuQbNTUxdBN5Ad06AzlAFYRv+IVB3rTbSfotRvMJBg6nBnH
 rICv6gEn1+E6voDszPH40+9DbvEUaXdE1F3qZNv2eQd3hFCUjQg4KFY+g8YpsFI6
 AqEt68vRt6zZrfYNrL8loADvckyy+lLc3PQmfsLvF8Wr0T04cBAUC3fIJc+sYd3V
 kZQhAZBiL0qihmF/PZKjdycmT8+3GpRkZwhlZdOBe1t39ZeXy7ztxnROYqZcxEZK
 BZUoBq7sh0qSui1sfxF8uuUp/H1wprbJYwTrjmPLTo3eYRTYpwfbi7bZQ0hLkKUF
 C3Haf4e4IWWZabl+6HcdZhXfcXXSH+1pnV2ITjh83nbnd2+wEVnzS705s9qaD7ge
 SGgWfcY=
 =eLUD
 -----END PGP SIGNATURE-----

Merge tag 'sound-fix-5.5-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull more sound updates from Takashi Iwai:
 "A few last-minute updates, most of them are the regression fixes:

   - AMD HD-audio HDMI runtime PM improvements

   - Fixes for HD-audio HDMI regressions wrt DP-MST

   - A regression fix for the previous aloop enhancement

   - A fix for a long-time problem in PCM OSS layer that was spotted by
     fuzzer now

   - A few HD-audio quirks"

* tag 'sound-fix-5.5-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ALSA: pcm: oss: Avoid potential buffer overflows
  ALSA: hda: hdmi - Keep old slot assignment behavior for Intel platforms
  ALSA: hda: Modify stream stripe mask only when needed
  ALSA: hda - fixup for the bass speaker on Lenovo Carbon X1 7th gen
  ALSA: hda: hdmi - preserve non-MST PCM routing for Intel platforms
  ALSA: hda: hdmi - fix kernel oops caused by invalid PCM idx
  ALSA: hda/realtek - Fix inverted bass GPIO pin on Acer 8951G
  ALSA: hda/realtek - Dell headphone has noise on unmute for ALC236
  ALSA: hda: hdmi - fix regression in connect list handling
  ALSA: aloop: Avoid pointer dereference before null-check
  ALSA: hda/hdmi - enable automatic runtime pm for AMD HDMI codecs by default
  ALSA: hda/hdmi - enable runtime pm for newer AMD display audio
  ALSA: hda/hdmi - Add new pci ids for AMD GPU display audio
  ALSA: hda/hdmi - fix vgaswitcheroo detection for AMD
2019-12-06 13:06:14 -08:00
Takashi Iwai 4cc8d6505a ALSA: pcm: oss: Avoid potential buffer overflows
syzkaller reported an invalid access in PCM OSS read, and this seems
to be an overflow of the internal buffer allocated for a plugin.
Since the rate plugin adjusts its transfer size dynamically, the
calculation for the chained plugin might be bigger than the given
buffer size in some extreme cases, which lead to such an buffer
overflow as caught by KASAN.

Fix it by limiting the max transfer size properly by checking against
the destination size in each plugin transfer callback.

Reported-by: syzbot+f153bde47a62e0b05f83@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191204144824.17801-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-12-04 15:51:30 +01:00
Linus Torvalds 0da522107e compat_ioctl: remove most of fs/compat_ioctl.c
As part of the cleanup of some remaining y2038 issues, I came to
 fs/compat_ioctl.c, which still has a couple of commands that need support
 for time64_t.
 
 In completely unrelated work, I spent time on cleaning up parts of this
 file in the past, moving things out into drivers instead.
 
 After Al Viro reviewed an earlier version of this series and did a lot
 more of that cleanup, I decided to try to completely eliminate the rest
 of it and move it all into drivers.
 
 This series incorporates some of Al's work and many patches of my own,
 but in the end stops short of actually removing the last part, which is
 the scsi ioctl handlers. I have patches for those as well, but they need
 more testing or possibly a rewrite.
 
 Signed-off-by: Arnd Bergmann <arnd@arndb.de>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABCAAGBQJdsHCdAAoJEJpsee/mABjZtYkP/1JGl3jFv3Iq/5BCdPkaePP1
 RtMJRNfURgK3GeuHUui330PvVjI/pLWXU/VXMK2MPTASpJLzYz3uCaZrpVWEMpDZ
 +ImzGmgJkITlW1uWU3zOcQhOxTyb1hCZ0Ci+2xn9QAmyOL7prXoXCXDWv3h6iyiF
 lwG+nW+HNtyx41YG+9bRfKNoG0ZJ+nkJ70BV6u0acQHXWn7Xuupa9YUmBL87hxAL
 6dlJfLTJg6q8QSv/Q6LxslfWk2Ti8OOJZOwtFM5R8Bgl0iUcvshiRCKfv/3t9jXD
 dJNvF1uq8z+gracWK49Qsfq5dnZ2ZxHFUo9u0NjbCrxNvWH/sdvhbaUBuJI75seH
 VIznCkdxFhrqitJJ8KmxANxG08u+9zSKjSlxG2SmlA4qFx/AoStoHwQXcogJscNb
 YIXYKmWBvwPzYu09QFAXdHFPmZvp/3HhMWU6o92lvDhsDwzkSGt3XKhCJea4DCaT
 m+oCcoACqSWhMwdbJOEFofSub4bY43s5iaYuKes+c8O261/Dwg6v/pgIVez9mxXm
 TBnvCsotq5m8wbwzv99eFqGeJH8zpDHrXxEtRR5KQqMqjLq/OQVaEzmpHZTEuK7n
 e/V/PAKo2/V63g4k6GApQXDxnjwT+m0aWToWoeEzPYXS6KmtWC91r4bWtslu3rdl
 bN65armTm7bFFR32Avnu
 =lgCl
 -----END PGP SIGNATURE-----

Merge tag 'compat-ioctl-5.5' of git://git.kernel.org:/pub/scm/linux/kernel/git/arnd/playground

Pull removal of most of fs/compat_ioctl.c from Arnd Bergmann:
 "As part of the cleanup of some remaining y2038 issues, I came to
  fs/compat_ioctl.c, which still has a couple of commands that need
  support for time64_t.

  In completely unrelated work, I spent time on cleaning up parts of
  this file in the past, moving things out into drivers instead.

  After Al Viro reviewed an earlier version of this series and did a lot
  more of that cleanup, I decided to try to completely eliminate the
  rest of it and move it all into drivers.

  This series incorporates some of Al's work and many patches of my own,
  but in the end stops short of actually removing the last part, which
  is the scsi ioctl handlers. I have patches for those as well, but they
  need more testing or possibly a rewrite"

* tag 'compat-ioctl-5.5' of git://git.kernel.org:/pub/scm/linux/kernel/git/arnd/playground: (42 commits)
  scsi: sd: enable compat ioctls for sed-opal
  pktcdvd: add compat_ioctl handler
  compat_ioctl: move SG_GET_REQUEST_TABLE handling
  compat_ioctl: ppp: move simple commands into ppp_generic.c
  compat_ioctl: handle PPPIOCGIDLE for 64-bit time_t
  compat_ioctl: move PPPIOCSCOMPRESS to ppp_generic
  compat_ioctl: unify copy-in of ppp filters
  tty: handle compat PPP ioctls
  compat_ioctl: move SIOCOUTQ out of compat_ioctl.c
  compat_ioctl: handle SIOCOUTQNSD
  af_unix: add compat_ioctl support
  compat_ioctl: reimplement SG_IO handling
  compat_ioctl: move WDIOC handling into wdt drivers
  fs: compat_ioctl: move FITRIM emulation into file systems
  gfs2: add compat_ioctl support
  compat_ioctl: remove unused convert_in_user macro
  compat_ioctl: remove last RAID handling code
  compat_ioctl: remove /dev/raw ioctl translation
  compat_ioctl: remove PCI ioctl translation
  compat_ioctl: remove joystick ioctl translation
  ...
2019-12-01 13:46:15 -08:00
Takashi Iwai fabb26dcd1 ALSA: pcm: Add card sync_irq field
Many PCI and other drivers performs snd_pcm_period_elapsed() simply in
its interrupt handler, so the sync_stop operation is just to call
synchronize_irq().  Instead of putting this call multiple times,
introduce the common card->sync_irq field.  When this field is set,
PCM core performs synchronize_irq() for sync-stop operation.  Each
driver just needs to copy its local IRQ number to card->sync_irq, and
that's all we need.

Link: https://lore.kernel.org/r/20191117085308.23915-8-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-11-20 19:39:54 +01:00
Takashi Iwai 1e850beea2 ALSA: pcm: Add the support for sync-stop operation
The standard programming model of a PCM sound driver is to process
snd_pcm_period_elapsed() from an interrupt handler.  When a running
stream is stopped, PCM core calls the trigger-STOP PCM ops, sets the
stream state to SETUP, and moves on to the next step.  This is
performed in an atomic manner -- this could be called from the interrupt
context, after all.

The problem is that, if the stream goes further and reaches to the
CLOSE state immediately, the stream might be still being processed in
snd_pcm_period_elapsed() in the interrupt context, and hits a NULL
dereference.  Such a crash happens because of the atomic operation,
and we can't wait until the stream-stop finishes.

For addressing such a problem, this commit adds a new PCM ops,
sync_stop.  This gets called at the appropriate places that need a
sync with the stream-stop, i.e. at hw_params, prepare and hw_free.

Some drivers already have a similar mechanism implemented locally, and
we'll refactor the code later.

Link: https://lore.kernel.org/r/20191117085308.23915-7-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-11-20 19:39:54 +01:00
Takashi Iwai 0821fd77a1 ALSA: pcm: Move PCM_RUNTIME_CHECK() macro into local header
It should be used only in the PCM core code locally.

Link: https://lore.kernel.org/r/20191117085308.23915-6-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-11-20 19:39:54 +01:00
Takashi Iwai fc033cbf6f ALSA: pcm: Allow NULL ioctl ops
Currently PCM ioctl ops is a mandatory field but almost all drivers
simply pass snd_pcm_lib_ioctl.  For simplicity, allow to set NULL in
the field and call snd_pcm_lib_ioctl() as default.

Link: https://lore.kernel.org/r/20191117085308.23915-4-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-11-20 19:39:54 +01:00
Takashi Iwai 0dba808eae ALSA: pcm: Introduce managed buffer allocation mode
This patch adds the support for the feature to automatically allocate
and free PCM buffers, so called "managed buffer allocation" mode.
It's set up via new PCM helpers, snd_pcm_set_managed_buffer() and
snd_pcm_set_managed_buffer_all(), both of which correspond to the
existing preallocator helpers, snd_pcm_lib_preallocate_pages() and
snd_pcm_lib_preallocate_pages_for_all().  When the new helper is used,
it not only performs the pre-allocation of buffers, but also it
manages to call snd_pcm_lib_malloc_pages() before the PCM hw_params
ops and snd_lib_pcm_free() after the PCM hw_free ops inside PCM core,
respectively.  This allows drivers to drop the explicit calls of the
memory allocation / release functions, and it will be a good amount of
code reduction in the end of this patch series.

When the PCM substream is set to the managed buffer allocation mode,
the managed_buffer_alloc flag is set in the substream object.  Since
some drivers want to know when a buffer is newly allocated or
re-allocated at hw_params callback (e.g. want to set up the additional
stuff for the given buffer only at allocation time), now PCM core
turns on buffer_changed flag when the buffer has changed.

The standard conversions to use the new API will be straightforward:
- Replace snd_pcm_lib_preallocate*() calls with the corresponding
  snd_pcm_set_managed_buffer*(); the arguments should be unchanged
- Drop superfluous snd_pcm_lib_malloc() and snd_pcm_lib_free() calls;
  the check of snd_pcm_lib_malloc() returns should be replaced with
  the check of runtime->buffer_changed flag.
- If hw_params or hw_free becomes empty, drop them from PCM ops

Link: https://lore.kernel.org/r/20191117085308.23915-2-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-11-20 19:39:54 +01:00
Takashi Iwai b12b2259bc Merge branch 'for-linus' into for-next
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-11-14 18:02:00 +01:00
paulhsia f5cdc9d400 ALSA: pcm: Fix stream lock usage in snd_pcm_period_elapsed()
If the nullity check for `substream->runtime` is outside of the lock
region, it is possible to have a null runtime in the critical section
if snd_pcm_detach_substream is called right before the lock.

Signed-off-by: paulhsia <paulhsia@chromium.org>
Link: https://lore.kernel.org/r/20191112171715.128727-2-paulhsia@chromium.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-11-13 10:51:36 +01:00
Takashi Iwai 0c4f09ceec ALSA: timer: Fix the breakage of slave link open
A silly mistake was made while applying the fix for potential races in
commit 6a34367e52 ("ALSA: timer: Fix possible race at assigning a
timer instance"): when a slave PCM is opened and succeeds, it doesn't
return but proceeds to the master timer open code instead.  Plug the
hole and beautify a bit.

Fixes: 6a34367e52 ("ALSA: timer: Fix possible race at assigning a timer instance")
Reported-by: syzbot+4476917c053f60112c99@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/20191111173642.6093-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-11-11 18:37:06 +01:00
Takashi Iwai fc7af6bc27 ALSA: pcm: Unexport snd_pcm_sgbuf_ops_page
The helper is no longer referred after the recent code refactoring.
Drop the export for saving some bits and future misuse.

Acked-by: Mark Brown <broonie@kernel.org>
Link: https://lore.kernel.org/r/20191108094641.20086-9-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-11-09 18:02:53 +01:00
Takashi Iwai 2406ff9b86 ALSA: pcm: Yet another missing check of non-cached buffer type
For non-x86 architectures, SNDRV_DMA_TYPE_DEV_UC should be treated
equivalent with SNDRV_DMA_TYPE_DEV, where the default mmap handler
still checks only about SNDRV_DMA_TYPE_DEV.  Make the check more
proper.

Note that all existing users of *_UC buffer types are x86-only, so
this doesn't fix any bug, but just for consistency.

Fixes: 42e748a0b3 ("ALSA: memalloc: Add non-cached buffer type")
Link: https://lore.kernel.org/r/20191108165626.5947-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-11-09 18:02:11 +01:00
Takashi Iwai 6a34367e52 ALSA: timer: Fix possible race at assigning a timer instance
When a new timer instance is created and assigned to the active link
in snd_timer_open(), the caller still doesn't (can't) set its callback
and callback data.  In both the user-timer and the sequencer-timer
code, they do manually set up the callbacks after calling
snd_timer_open().  This has a potential risk of race when the timer
instance is added to the already running timer target, as the callback
might get triggered during setting up the callback itself.

This patch tries to address it by changing the API usage slightly:

- An empty timer instance is created at first via the new function
  snd_timer_instance_new().  This object isn't linked to the timer
  list yet.
- The caller sets up the callbacks and others stuff for the new timer
  instance.
- The caller invokes snd_timer_open() with this instance, so that it's
  linked to the target timer.

For closing, do similarly:

- Call snd_timer_close().  This unlinks the timer instance from the
  timer list.
- Free the timer instance via snd_timer_instance_free() after that.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://lore.kernel.org/r/20191107192008.32331-4-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-11-08 14:52:44 +01:00
Takashi Iwai 33bbb8a0ec ALSA: timer: Make snd_timer_close() returning void
The function doesn't return any useful value, so let's make it void to
be clearer.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://lore.kernel.org/r/20191107192008.32331-3-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-11-08 14:52:43 +01:00
Takashi Iwai ebfc6de29a ALSA: timer: Unify master/slave linking code
The code in both snd_timer_check_master() and snd_timer_check_slave()
are almost identical, both check whether the master/slave link and
does linkage.  Factor out the common code and call it from both
functions for readability.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://lore.kernel.org/r/20191107192008.32331-2-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-11-08 14:52:42 +01:00
Takashi Iwai 66a8966aac Merge branch 'for-linus' into for-next
Merge 5.4-devel branch for applying the further ALSA timer fixes.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-11-07 16:27:55 +01:00
Takashi Iwai 9ff7759731 ASoC: Updates for v5.5
Some big changes in the core but more about cleanps and refactorings
 than new features, plus a collection of new drivers and lots of small
 fixes and improvements to existing ones.
 
  - Lots more cleanups from Morimoto-san.  Now that everything is a
    component this is mostly about refactorings to clarify and simplify
    the core, a combination of things that are no longer required due to
    refactorings and spotting similarities.
  - Many fixes to the Sound Open Firmware code.
  - Wake on voice support for Chromebooks.
  - SPI support for RT5677.
  - New drivers for Analog Devices ADAU7118, Intel Cannonlake systems
    with RT1011 and RT5682, Texas Instruments TAS2562 and TAS2770.
 -----BEGIN PGP SIGNATURE-----
 
 iQFHBAABCgAxFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAl3EFLYTHGJyb29uaWVA
 a2VybmVsLm9yZwAKCRAk1otyXVSH0JCuB/40P/KPRGlEFBSJAwTfCkjQxzvQUGBy
 Y3w9QeMq3ONhCJt5BusmeuFqdkanzYqnl+NveGYKdKNTAwh6vEMGiMbGSB8dgrR5
 R7PLNBDRJi7ZUDdOZle7VrdUiZWyieaZk/ecWxfTPKfqzoBjnM3XYSa30i55hvbQ
 A2MTimFsO7nf0caLNBLqEqBjy68IHQ3tuHH27kA0MIpVNsYVrjaWfM400ot3odbg
 0vMpNTM+PDcQGkWcq3sKJBOVVjmGg2Xs1yM5hv6Mu+q1zXLCtCKj+Pv+ZXC3BT6e
 Yyxv/arpgvtjIU79Tv9RamVRC4jN6ZJRkThP9UW6JrX7tPCjvD+ygzPn
 =4FMp
 -----END PGP SIGNATURE-----

Merge tag 'asoc-v5.5' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-next

ASoC: Updates for v5.5

Some big changes in the core but more about cleanps and refactorings
than new features, plus a collection of new drivers and lots of small
fixes and improvements to existing ones.

 - Lots more cleanups from Morimoto-san.  Now that everything is a
   component this is mostly about refactorings to clarify and simplify
   the core, a combination of things that are no longer required due to
   refactorings and spotting similarities.
 - Many fixes to the Sound Open Firmware code.
 - Wake on voice support for Chromebooks.
 - SPI support for RT5677.
 - New drivers for Analog Devices ADAU7118, Intel Cannonlake systems
   with RT1011 and RT5682, Texas Instruments TAS2562 and TAS2770.
2019-11-07 14:12:30 +01:00
Takashi Iwai df37d941c4 ASoC: Fixes for v5.4
These are a collection of fixes since v5.4-rc4 that have accumilated,
 they're all driver specific and there's nothing major in here so it's
 probably not essential to actually send them but I'll leave that call to
 you.
 -----BEGIN PGP SIGNATURE-----
 
 iQFHBAABCgAxFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAl3EETsTHGJyb29uaWVA
 a2VybmVsLm9yZwAKCRAk1otyXVSH0BJCB/968YQYuvmvJbBify4l+l56rz3O0Qge
 /dkifAsiBLYctwjYKVaqPhrcLts6gaKSZnKwNjF1d5ucjwb9y2cTuJoh65xJw4Z6
 wgOBJiVC0wTdLzLMStVAX6QKFP6oVgWkKuaWRfhWiCbdWMVQesQlZePmu/PYU2IH
 /B60aTN4noSMycFqmdHfyVGXnTX7cONCFr9cfE/EX+uQLCFe+QD7UItCEGl/1uwp
 84mfNdLFkhX72yEEb5SZvGac5k9fyRvy1TPqkO5r+BQeYnePUMCpuA2mZaO9yBUh
 r+6AMDcF300lXt860UtBidugpC5YM9vNUAu/dXMDowP8A+vBg2aquYe+
 =GWKb
 -----END PGP SIGNATURE-----

Merge tag 'asoc-fix-v5.4-rc6' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus

ASoC: Fixes for v5.4

These are a collection of fixes since v5.4-rc4 that have accumilated,
they're all driver specific and there's nothing major in here so it's
probably not essential to actually send them but I'll leave that call to
you.
2019-11-07 13:52:17 +01:00
Takashi Iwai e7af6307a8 ALSA: timer: Fix incorrectly assigned timer instance
The clean up commit 41672c0c24 ("ALSA: timer: Simplify error path in
snd_timer_open()") unified the error handling code paths with the
standard goto, but it introduced a subtle bug: the timer instance is
stored in snd_timer_open() incorrectly even if it returns an error.
This may eventually lead to UAF, as spotted by fuzzer.

The culprit is the snd_timer_open() code checks the
SNDRV_TIMER_IFLG_EXCLUSIVE flag with the common variable timeri.
This variable is supposed to be the newly created instance, but we
(ab-)used it for a temporary check before the actual creation of a
timer instance.  After that point, there is another check for the max
number of instances, and it bails out if over the threshold.  Before
the refactoring above, it worked fine because the code returned
directly from that point.  After the refactoring, however, it jumps to
the unified error path that stores the timeri variable in return --
even if it returns an error.  Unfortunately this stored value is kept
in the caller side (snd_timer_user_tselect()) in tu->timeri.  This
causes inconsistency later, as if the timer was successfully
assigned.

In this patch, we fix it by not re-using timeri variable but a
temporary variable for testing the exclusive connection, so timeri
remains NULL at that point.

Fixes: 41672c0c24 ("ALSA: timer: Simplify error path in snd_timer_open()")
Reported-and-tested-by: Tristan Madani <tristmd@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191106165547.23518-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-11-06 17:58:28 +01:00
Takashi Iwai fdea53fe5d ALSA: timer: Limit max amount of slave instances
The fuzzer tries to open the timer instances as much as possible, and
this may cause a system hiccup easily.  We've already introduced the
cap for the max number of available instances for the h/w timers, and
we should put such a limit also to the slave timers, too.

This patch introduces the limit to the multiple opened slave timers.
The upper limit is hard-coded to 1000 for now, which should suffice
for any practical usages up to now.

Link: https://lore.kernel.org/r/20191106154257.5853-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-11-06 17:57:52 +01:00
Mark Brown 992fd39a34
Merge branch 'for-5.4' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into asoc-5.5 2019-11-06 16:29:34 +00:00
Takashi Iwai d39789912f ALSA: pcm: Create proc files only for non-empty preallocations
It makes little sense to create prealloc proc files for streams that
have the zero max size, which is a typical case for vmalloc buffers.
Skip the proc file creations to save resources in such a case.

Link: https://lore.kernel.org/r/20191105191007.18150-3-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-11-06 15:43:34 +01:00
Takashi Iwai a55eaf177a ALSA: pcm: Warn if doubly preallocated
Warn if snd_pcm_lib_preallocate_pages*() is applied to the stream that
has already the preallocated buffers and skip the allocation.  It's a
clearly a driver bug.

Link: https://lore.kernel.org/r/20191105191007.18150-2-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-11-06 15:43:34 +01:00
Takashi Iwai 7e8edae39f ALSA: pcm: Handle special page mapping in the default mmap handler
When a driver needs to deal with a special buffer like a SG or a
vmalloc buffer, it has to set up the PCM page ops explicitly for the
corresponding helper function.  This is rather error-prone and many
people forgot or incorrectly used it.

For simplifying the call patterns and avoiding such a potential bug,
this patch enhances the PCM default mmap handler to check the
(pre-)allocated buffer type and handles the page gracefully depending
on the buffer type.  If the PCM page ops is given, the ops is still
used in a higher priority.  The new code path is only for the default
(NULL page ops) case.

Link: https://lore.kernel.org/r/20191105080138.1260-4-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-11-06 15:43:33 +01:00
Takashi Iwai 1fe7f397cf ALSA: memalloc: Add vmalloc buffer allocation support
This patch adds the vmalloc buffer support to ALSA memalloc core.  A
new type, SNDRV_DMA_TYPE_VMALLOC was added.

The vmalloc buffer has been already supported in the PCM via a few own
helper functions, but the user sometimes get confused and misuse
them.  With this patch, the whole buffer management is integrated into
the memalloc core, so they can be used in a sole common way.

Link: https://lore.kernel.org/r/20191105080138.1260-3-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-11-06 15:43:33 +01:00
Takashi Iwai 08422d2c55 ALSA: memalloc: Allow NULL device for SNDRV_DMA_TYPE_CONTINUOUS type
Currently we pass the artificial device pointer to the allocation
helper in the case of SNDRV_DMA_TYPE_CONTINUOUS for passing the GFP
flags.  But all common cases are the allocations with GFP_KERNEL, and
it's messy to put this in each place.

In this patch, the memalloc core helper is changed to accept the NULL
device pointer and it treats as the default mode, GFP_KERNEL, so that
all callers can omit the complex argument but just leave NULL.

Link: https://lore.kernel.org/r/20191105080138.1260-2-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-11-06 15:43:18 +01:00
Takashi Iwai 6111fd2370 ALSA: pcm: Fix missing check of the new non-cached buffer type
The check for the mmap support via hw_support_mmap() function misses
the case where the device is with SNDRV_DMA_TYPE_DEV_UC, which should
have been treated equally as SNDRV_DMA_TYPE_DEV.  Let's fix it.

Note that this bug doesn't hit any practical problem, because
SNDRV_DMA_TYPE_DEV_UC is used only for x86-specific drivers
(snd-hda-intel and snd-intel8x0) for the specific platforms that need
the non-cached buffers.  And, on such platforms, hw_support_mmap()
already returns true in anyway.  That's the reason I didn't put
Cc-to-stable mark here.  This is only for any theoretical future
extension.

Fixes: 425da15970 ("ALSA: pcm: use dma_can_mmap() to check if a device supports dma_mmap_*")
Fixes: 42e748a0b3 ("ALSA: memalloc: Add non-cached buffer type")
Link: https://lore.kernel.org/r/20191104101115.27311-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-11-04 11:12:34 +01:00
Takashi Iwai a393318673 ALSA: timer: Fix mutex deadlock at releasing card
When a card is disconnected while in use, the system waits until all
opened files are closed then releases the card.  This is done via
put_device() of the card device in each device release code.

The recently reported mutex deadlock bug happens in this code path;
snd_timer_close() for the timer device deals with the global
register_mutex and it calls put_device() there.  When this timer
device is the last one, the card gets freed and it eventually calls
snd_timer_free(), which has again the protection with the global
register_mutex -- boom.

Basically put_device() call itself is race-free, so a relative simple
workaround is to move this put_device() call out of the mutex.  For
achieving that, in this patch, snd_timer_close_locked() got a new
argument to store the card device pointer in return, and each caller
invokes put_device() with the returned object after the mutex unlock.

Reported-and-tested-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-10-30 22:54:56 +01:00
Arnd Bergmann 2022ca0a94 compat_ioctl: remove translation for sound ioctls
The SNDCTL_* and SOUND_* commands are the old OSS user interface.

I checked all the sound ioctl commands listed in fs/compat_ioctl.c
to see if we still need the translation handlers. Here is what I
found:

- sound/oss/ is (almost) gone from the kernel, this is what actually
  needed all the translations
- The ALSA emulation for OSS correctly handles all compat_ioctl
  commands already.
- sound/oss/dmasound/ is the last holdout of the original OSS code,
  this is only used on arch/m68k, which has no 64-bit mode and
  hence needs no compat handlers
- arch/um/drivers/hostaudio_kern.c may run in 64-bit mode with
  32-bit x86 user space underneath it. This rare corner case is
  the only one that still needs the compat handlers.

By adding a simple redirect of .compat_ioctl to .unlocked_ioctl in the
UML driver, we can remove all the COMPATIBLE_IOCTL() annotations without
a change in functionality. For completeness, I'm adding the same thing
to the dmasound file, knowing that it makes no difference.

The compat_ioctl list contains one comment about SNDCTL_DSP_MAPINBUF and
SNDCTL_DSP_MAPOUTBUF, which actually would need a translation handler
if implemented. However, the native implementation just returns -EINVAL,
so we don't care.

Reviewed-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
2019-10-23 17:23:45 +02:00
Xiaojun Sang d3645b0553
ASoC: compress: fix unsigned integer overflow check
Parameter fragments and fragment_size are type of u32. U32_MAX is
the correct check.

Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Acked-by: Vinod Koul <vkoul@kernel.org>
Link: https://lore.kernel.org/r/20191021095432.5639-1-srinivas.kandagatla@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
2019-10-21 13:50:19 +01:00
Krzysztof Kozlowski 82e8d723e9 sound: Fix Kconfig indentation
Adjust indentation from spaces to tab (+optional two spaces) as in
coding style with command like:
    $ sed -e 's/^        /\t/' -i */Kconfig

Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Acked-by: Mark Brown <broonie@kernel.org>
Link: https://lore.kernel.org/r/20191004144931.3851-1-krzk@kernel.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-10-07 03:53:03 +02:00
Shengjiu Wang e957204e73
ASoC: pcm_dmaengine: Extract snd_dmaengine_pcm_refine_runtime_hwparams
When set the runtime hardware parameters, we may need to query
the capability of DMA to complete the parameters.

This patch is to Extract this operation from
dmaengine_pcm_set_runtime_hwparams function to a separate function
snd_dmaengine_pcm_refine_runtime_hwparams, that other components
which need this feature can call this function.

Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Reviewed-by: Nicolin Chen <nicoleotsuka@gmail.com>
Link: https://lore.kernel.org/r/d728f65194e9978cbec4132b522d4fed420d704a.1569493933.git.shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
2019-10-01 12:18:25 +01:00
Linus Torvalds 671df18953 dma-mapping updates for 5.4:
- add dma-mapping and block layer helpers to take care of IOMMU
    merging for mmc plus subsequent fixups (Yoshihiro Shimoda)
  - rework handling of the pgprot bits for remapping (me)
  - take care of the dma direct infrastructure for swiotlb-xen (me)
  - improve the dma noncoherent remapping infrastructure (me)
  - better defaults for ->mmap, ->get_sgtable and ->get_required_mask (me)
  - cleanup mmaping of coherent DMA allocations (me)
  - various misc cleanups (Andy Shevchenko, me)
 -----BEGIN PGP SIGNATURE-----
 
 iQI/BAABCgApFiEEgdbnc3r/njty3Iq9D55TZVIEUYMFAl2CSucLHGhjaEBsc3Qu
 ZGUACgkQD55TZVIEUYPfrhAAgXZA/EdFPvkkCoDrmgtf3XkudX9gajeCd9g4NZy6
 ZBQElTVvm4S0sQj7IXgALnMumDMbbTibW5SQLX5GwQDe+XXBpZ8ajpAnJAXc8a5T
 qaFQ4SInr4CgBZf9nZKDkbSBZ1Tu3AQm1c0QI8riRCkrVTuX4L06xpCef4Yh4mgO
 rwWEjIioYpQiKZMmu98riXh3ZNfFG3mVJRhKt8B6XJbBgnUnjDOPYGgaUwp6CU20
 tFBKL2GaaV0vdLJ5wYhIGXT4DJ8tp9T5n3IYGZv1Ux889RaZEHlCrMxzelYeDbCT
 KhZbhcSECGnddsh73t/UX7/KhytuqnfKa9n+Xo6AWuA47xO4c36quOOcTk9M0vE5
 TfGDmewgL6WIv4lzokpRn5EkfDhyL33j8eYJrJ8e0ldcOhSQIFk4ciXnf2stWi6O
 JrlzzzSid+zXxu48iTfoPdnMr7psTpiMvvRvKfEeMp2FX9Fg6EdMzJYLTEl+COHB
 0WwNacZmY3P01+b5EZXEgqKEZevIIdmPKbyM9rPtTjz8BjBwkABHTpN3fWbVBf7/
 Ax6OPYyW40xp1fnJuzn89m3pdOxn88FpDdOaeLz892Zd+Qpnro1ayulnFspVtqGM
 mGbzA9whILvXNRpWBSQrvr2IjqMRjbBxX3BVACl3MMpOChgkpp5iANNfSDjCftSF
 Zu8=
 =/wGv
 -----END PGP SIGNATURE-----

Merge tag 'dma-mapping-5.4' of git://git.infradead.org/users/hch/dma-mapping

Pull dma-mapping updates from Christoph Hellwig:

 - add dma-mapping and block layer helpers to take care of IOMMU merging
   for mmc plus subsequent fixups (Yoshihiro Shimoda)

 - rework handling of the pgprot bits for remapping (me)

 - take care of the dma direct infrastructure for swiotlb-xen (me)

 - improve the dma noncoherent remapping infrastructure (me)

 - better defaults for ->mmap, ->get_sgtable and ->get_required_mask
   (me)

 - cleanup mmaping of coherent DMA allocations (me)

 - various misc cleanups (Andy Shevchenko, me)

* tag 'dma-mapping-5.4' of git://git.infradead.org/users/hch/dma-mapping: (41 commits)
  mmc: renesas_sdhi_internal_dmac: Add MMC_CAP2_MERGE_CAPABLE
  mmc: queue: Fix bigger segments usage
  arm64: use asm-generic/dma-mapping.h
  swiotlb-xen: merge xen_unmap_single into xen_swiotlb_unmap_page
  swiotlb-xen: simplify cache maintainance
  swiotlb-xen: use the same foreign page check everywhere
  swiotlb-xen: remove xen_swiotlb_dma_mmap and xen_swiotlb_dma_get_sgtable
  xen: remove the exports for xen_{create,destroy}_contiguous_region
  xen/arm: remove xen_dma_ops
  xen/arm: simplify dma_cache_maint
  xen/arm: use dev_is_dma_coherent
  xen/arm: consolidate page-coherent.h
  xen/arm: use dma-noncoherent.h calls for xen-swiotlb cache maintainance
  arm: remove wrappers for the generic dma remap helpers
  dma-mapping: introduce a dma_common_find_pages helper
  dma-mapping: always use VM_DMA_COHERENT for generic DMA remap
  vmalloc: lift the arm flag for coherent mappings to common code
  dma-mapping: provide a better default ->get_required_mask
  dma-mapping: remove the dma_declare_coherent_memory export
  remoteproc: don't allow modular build
  ...
2019-09-19 13:27:23 -07:00
Mark Brown bb83178611
Merge branch 'asoc-5.4' into asoc-next 2019-09-09 14:55:20 +01:00
Christoph Hellwig 425da15970 ALSA: pcm: use dma_can_mmap() to check if a device supports dma_mmap_*
Replace the local hack with the dma_can_mmap helper to check if
a given device supports mapping DMA allocations to userspace.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Takashi Iwai <tiwai@suse.de>
2019-09-04 11:13:18 +02:00
Vidyakumar Athota 4cc4531c31
ALSA: pcm: add support for 352.8KHz and 384KHz sample rate
Most of the modern codecs supports 352.8KHz and 384KHz sample rates.
Currenlty HW params fails to set 352.8Kz and 384KHz sample rate
as these are not in known rates list.
Add these new rates to known list to allow them.

This patch also adds defines in pcm.h so that drivers can use it.

Signed-off-by: Vidyakumar Athota <vathota@codeaurora.org>
Signed-off-by: Banajit Goswami <bgoswami@codeaurora.org>
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Link: https://lore.kernel.org/r/20190822095653.7200-2-srinivas.kandagatla@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
2019-08-28 11:53:49 +01:00
Takashi Iwai 75545304eb ALSA: seq: Fix potential concurrent access to the deleted pool
The input pool of a client might be deleted via the resize ioctl, the
the access to it should be covered by the proper locks.  Currently the
only missing place is the call in snd_seq_ioctl_get_client_pool(), and
this patch papers over it.

Reported-by: syzbot+4a75454b9ca2777f35c7@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-08-25 09:31:10 +02:00
Yuki Tsunashima 37151a41df ALSA: pcm: fix lost wakeup event scenarios in snd_pcm_drain
lost wakeup can occur after enabling irq, therefore put task
into interruptible before enabling interrupts,

without this change, task can be put to sleep and snd_pcm_drain
will delay

Fixes: f2b3614cef ("ALSA: PCM - Don't check DMA time-out too shortly")
Signed-off-by: Yuki Tsunashima <ytsunashima@jp.adit-jv.com>
Signed-off-by: Suresh Udipi <sudipi@jp.adit-jv.com>
[ported from 4.9]
Signed-off-by: Adam Miartus <amiartus@de.adit-jv.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-07-29 19:05:42 +02:00
Charles Keepax 3b8179944c ALSA: compress: Be more restrictive about when a drain is allowed
Draining makes little sense in the situation of hardware overrun, as the
hardware will have consumed all its available samples. Additionally,
draining whilst the stream is paused would presumably get stuck as no
data is being consumed on the DSP side.

Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Acked-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-07-23 12:07:48 +02:00
Charles Keepax a70ab8a864 ALSA: compress: Don't allow paritial drain operations on capture streams
Partial drain and next track are intended for gapless playback and
don't really have an obvious interpretation for a capture stream, so
makes sense to not allow those operations on capture streams.

Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Acked-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-07-23 12:07:42 +02:00
Charles Keepax 26c3f1542f ALSA: compress: Prevent bypasses of set_params
Currently, whilst in SNDRV_PCM_STATE_OPEN it is possible to call
snd_compr_stop, snd_compr_drain and snd_compr_partial_drain, which
allow a transition to SNDRV_PCM_STATE_SETUP. The stream should
only be able to move to the setup state once it has received a
SNDRV_COMPRESS_SET_PARAMS ioctl. Fix this issue by not allowing
those ioctls whilst in the open state.

Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Acked-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-07-23 12:07:36 +02:00
Charles Keepax 4475f8c4ab ALSA: compress: Fix regression on compressed capture streams
A previous fix to the stop handling on compressed capture streams causes
some knock on issues. The previous fix updated snd_compr_drain_notify to
set the state back to PREPARED for capture streams. This causes some
issues however as the handling for snd_compr_poll differs between the
two states and some user-space applications were relying on the poll
failing after the stream had been stopped.

To correct this regression whilst still fixing the original problem the
patch was addressing, update the capture handling to skip the PREPARED
state rather than skipping the SETUP state as it has done until now.

Fixes: 4f2ab5e1d1 ("ALSA: compress: Fix stop handling on compressed capture streams")
Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Acked-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-07-23 12:07:22 +02:00
Takashi Iwai 0e279dcea0 ALSA: pcm: Fix refcount_inc() on zero usage
The recent rewrite of PCM link lock management introduced the refcount
in snd_pcm_group object, managed by the kernel refcount_t API.  This
caused unexpected kernel warnings when the kernel is built with
CONFIG_REFCOUNT_FULL=y.  As the warning line indicates, the problem is
obviously that we start with refcount=0 and do refcount_inc() for
adding each PCM link, while refcount_t API doesn't like refcount_inc()
performed on zero.

For adapting the proper refcount_t usage, this patch changes the logic
slightly:
- The initial refcount is 1, assuming the single list entry
- The refcount is incremented / decremented at each PCM link addition
  and deletion
- ... which allows us concentrating only on the refcount as a release
  condition

Fixes: f57f3df03a ("ALSA: pcm: More fine-grained PCM link locking")
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=204221
Reported-and-tested-by: Duncan Overbruck <kernel@duncano.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-07-19 15:47:00 +02:00
Takashi Iwai ede34f397d ALSA: seq: Break too long mutex context in the write loop
The fix for the racy writes and ioctls to sequencer widened the
application of client->ioctl_mutex to the whole write loop.  Although
it does unlock/relock for the lengthy operation like the event dup,
the loop keeps the ioctl_mutex for the whole time in other
situations.  This may take quite long time if the user-space would
give a huge buffer, and this is a likely cause of some weird behavior
spotted by syzcaller fuzzer.

This patch puts a simple workaround, just adding a mutex break in the
loop when a large number of events have been processed.  This
shouldn't hit any performance drop because the threshold is set high
enough for usual operations.

Fixes: 7bd8009156 ("ALSA: seq: More protection for concurrent write and ioctl races")
Reported-by: syzbot+97aae04ce27e39cbfca9@syzkaller.appspotmail.com
Reported-by: syzbot+4c595632b98bb8ffcc66@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-07-16 09:41:41 +02:00
Takashi Iwai 3c53c6255d ASoC: Updates for v5.3
This is a very big update, mainly thanks to Morimoto-san's refactoring
 work and some fairly large new drivers.
 
  - Lots more work on moving towards a component based framework from
    Morimoto-san.
  - Support for force disconnecting muxes from Jerome Brunet.
  - New drivers for Cirrus Logic CS47L35, CS47L85 and CS47L90, Conexant
    CX2072X, Realtek RT1011 and RT1308.
 -----BEGIN PGP SIGNATURE-----
 
 iQFHBAABCgAxFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAl0jGwUTHGJyb29uaWVA
 a2VybmVsLm9yZwAKCRAk1otyXVSH0LD4B/9AkutfS+vznOrk0V0wFb2SUfjwE4Pr
 +z/kAehohAOl/7pg9Dun/lmZYBWMyOM2aYmK81ahEo2DfO+uzwkwjCaXFjGVGwEK
 j7XpWkrIjKnou/z1FeALgVvt+crzdy5iNWC04AbKaP2WHCcI7zvPQIsBta/V0OJt
 lg+j0J7pagnTMcgV1+qJdaASmofy/hpoZ79Gv0PIfGC8hpJ/3mBgcNPCLQrJtD4R
 v+tzvCZNrZVqCanwLf3vouEm1bpWYOpI+Wdmu4u6rY7MhmCj72EJ2zyfdm/qtaxF
 e7whgCyOQFkWe7NgDn0G08aAT6LsaxOtPNr7H8tL8S8sw8425fqeOouV
 =n/HQ
 -----END PGP SIGNATURE-----

Merge tag 'asoc-v5.3' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus

ASoC: Updates for v5.3

This is a very big update, mainly thanks to Morimoto-san's refactoring
work and some fairly large new drivers.

 - Lots more work on moving towards a component based framework from
   Morimoto-san.
 - Support for force disconnecting muxes from Jerome Brunet.
 - New drivers for Cirrus Logic CS47L35, CS47L85 and CS47L90, Conexant
   CX2072X, Realtek RT1011 and RT1308.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-07-08 14:45:34 +02:00
Takashi Iwai b5c21c8470 Merge branch 'for-linus' into for-next
This back-merge is necessary for adjusting the latest FireWire fix
with the recent refactoring in 5.3 development branch.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-07-01 17:01:55 +02:00
Colin Ian King c3ea60c231 ALSA: seq: fix incorrect order of dest_client/dest_ports arguments
There are two occurrances of a call to snd_seq_oss_fill_addr where
the dest_client and dest_port arguments are in the wrong order. Fix
this by swapping them around.

Addresses-Coverity: ("Arguments in wrong order")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-06-28 12:03:58 +02:00
Thomas Gleixner d2912cb15b treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500
Based on 2 normalized pattern(s):

  this program is free software you can redistribute it and or modify
  it under the terms of the gnu general public license version 2 as
  published by the free software foundation

  this program is free software you can redistribute it and or modify
  it under the terms of the gnu general public license version 2 as
  published by the free software foundation #

extracted by the scancode license scanner the SPDX license identifier

  GPL-2.0-only

has been chosen to replace the boilerplate/reference in 4122 file(s).

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Enrico Weigelt <info@metux.net>
Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org>
Reviewed-by: Allison Randal <allison@lohutok.net>
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190604081206.933168790@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-06-19 17:09:55 +02:00
Thomas Gleixner a10e763b87 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 372
Based on 1 normalized pattern(s):

  this program is free software you can redistribute it and or modify
  it under the terms of the gnu general public license as published by
  the free software foundation version 2

extracted by the scancode license scanner the SPDX license identifier

  GPL-2.0-only

has been chosen to replace the boilerplate/reference in 135 file(s).

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Allison Randal <allison@lohutok.net>
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190531081036.435762997@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-06-05 17:37:10 +02:00
Thomas Gleixner da607e1969 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 345
Based on 1 normalized pattern(s):

  licensed under the terms of the gnu general public license version 2

extracted by the scancode license scanner the SPDX license identifier

  GPL-2.0-only

has been chosen to replace the boilerplate/reference in 88 file(s).

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Alexios Zavras <alexios.zavras@intel.com>
Reviewed-by: Allison Randal <allison@lohutok.net>
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190530000437.521539229@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-06-05 17:37:08 +02:00
Takashi Iwai 65be958088 ALSA: control: Use struct_size()
For code simplification and safety, use struct_size() macro for
calculating the snd_kcontrol object size with the variable array.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-05-31 11:44:44 +02:00
Thomas Gleixner 873e65bc09 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 167
Based on 1 normalized pattern(s):

  this program is free software you can redistribute it and or modify
  it under the terms of the gnu general public license as published by
  the free software foundation version 2 of the license this program
  is distributed in the hope that it will be useful but without any
  warranty without even the implied warranty of merchantability or
  fitness for a particular purpose see the gnu general public license
  for more details you should have received a copy of the gnu general
  public license along with this program if not write to the free
  software foundation inc 59 temple place suite 330 boston ma 02111
  1307 usa

extracted by the scancode license scanner the SPDX license identifier

  GPL-2.0-only

has been chosen to replace the boilerplate/reference in 83 file(s).

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Richard Fontana <rfontana@redhat.com>
Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org>
Reviewed-by: Allison Randal <allison@lohutok.net>
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190527070034.021731668@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-05-30 11:26:39 -07:00
Thomas Gleixner 1a59d1b8e0 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156
Based on 1 normalized pattern(s):

  this program is free software you can redistribute it and or modify
  it under the terms of the gnu general public license as published by
  the free software foundation either version 2 of the license or at
  your option any later version this program is distributed in the
  hope that it will be useful but without any warranty without even
  the implied warranty of merchantability or fitness for a particular
  purpose see the gnu general public license for more details you
  should have received a copy of the gnu general public license along
  with this program if not write to the free software foundation inc
  59 temple place suite 330 boston ma 02111 1307 usa

extracted by the scancode license scanner the SPDX license identifier

  GPL-2.0-or-later

has been chosen to replace the boilerplate/reference in 1334 file(s).

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Allison Randal <allison@lohutok.net>
Reviewed-by: Richard Fontana <rfontana@redhat.com>
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190527070033.113240726@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-05-30 11:26:35 -07:00
Thomas Gleixner 2874c5fd28 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152
Based on 1 normalized pattern(s):

  this program is free software you can redistribute it and or modify
  it under the terms of the gnu general public license as published by
  the free software foundation either version 2 of the license or at
  your option any later version

extracted by the scancode license scanner the SPDX license identifier

  GPL-2.0-or-later

has been chosen to replace the boilerplate/reference in 3029 file(s).

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Allison Randal <allison@lohutok.net>
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190527070032.746973796@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-05-30 11:26:32 -07:00
Thomas Gleixner a912e80bd0 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 151
Based on 1 normalized pattern(s):

  this program is free software you can redistribute it and or modify
  it under the terms of the gnu general public license as published by
  the free software foundation either version 2 of the license or at
  your option any later version you should have received a copy of the
  gnu general public license along with this program if not write to
  the free software foundation inc 675 mass ave cambridge ma 02139 usa

extracted by the scancode license scanner the SPDX license identifier

  GPL-2.0-or-later

has been chosen to replace the boilerplate/reference in 35 file(s).

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Armijn Hemel <armijn@tjaldur.nl>
Reviewed-by: Richard Fontana <rfontana@redhat.com>
Reviewed-by: Allison Randal <allison@lohutok.net>
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190527070032.655028468@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-05-30 11:26:28 -07:00
Gustavo A. R. Silva 92bfa664ae ALSA: pcm: oss: Use struct_size() helper
Make use of the struct_size() helper instead of an open-coded version
in order to avoid any potential type mistakes, in particular in the
context in which this code is being used.

So, replace the following form:

sizeof(struct rate_priv) + src_format->channels * sizeof(struct rate_channel)

with:

struct_size(data, channels, src_format->channels)

This code was detected with the help of Coccinelle.

Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-05-24 07:59:19 +02:00
Thomas Gleixner ec8f24b7fa treewide: Add SPDX license identifier - Makefile/Kconfig
Add SPDX license identifiers to all Make/Kconfig files which:

 - Have no license information of any form

These files fall under the project license, GPL v2 only. The resulting SPDX
license identifier is:

  GPL-2.0-only

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-05-21 10:50:46 +02:00
Linus Torvalds e57ccca1ba sound updates for 5.2-rc1
The most significant changes at this cycle are the Sound Open Firmware
 support from Intel for the common DSP framework along with its support
 for Intel platforms. It's a door opened to a real "free" firmware (in
 the sense of FOSS), and other parties show interests in it.
 
 In addition to SOF, we've got a bunch of updates and fixes as usual.
 Some highlights are below.
 
 ALSA core:
  - Cleanups and fixes in ALSA timer code to cover some races spotted
    by syzkaller
  - Cleanups and fixes in ALSA sequencer code to cover some races,
    again unsurprisingly, spotted by syzkaller
  - Optimize the common page allocation helper with alloc_pages_exact()
 
 ASoC:
  - Add SOF core support, as well as Intel SOF platform support
  - Generic card driver improvements: support for MCLK/sample rate
    ratio and pin switches
  - A big set of improvements to TLV320AIC32x4 drivers
  - New drivers for Freescale audio mixers, several Intel machines,
    several Mediatek machines, Meson G12A, Spreadtrum compressed audio
    and DMA devices
 
 HD-audio:
  - A few Realtek codec fixes for reducing pop noises
  - Quirks for Chromebooks
  - Workaround for faulty connection report on AMD/Nvidia HDMI
 
 Others:
  - A quirk for Focusrite Scarlett Solo USB-audio
  - Add support for MOTU 8pre FireWire
  - 24bit sample format support in aloop
  - GUS patch format support (finally, over a decade) in native
    emux synth code
 -----BEGIN PGP SIGNATURE-----
 
 iQJCBAABCAAsFiEEIXTw5fNLNI7mMiVaLtJE4w1nLE8FAlzUKVAOHHRpd2FpQHN1
 c2UuZGUACgkQLtJE4w1nLE/FtQ/+LWWV9wIXeKYCSxKUdUF21Cpdo9eh3P55MTIR
 ooxbasNywsllYC1l2IXYi/HYKUlpIwg7kA2itfxaPSW7pveWKPt4mufJsvWpRZws
 XUre1MPR9vzTwDqhiG+8rH3osS0YVu9kOipRej043hFHsnXxbOfsnSQ2I+tst6tS
 12s5Hmhx/YFyR6fJMCIm3CoR59spz/SWXftna6bnkKbEYkeDmI3TtM1s9jum3U5F
 KReBigp1qffRzSjUYhw8YRujkJPqB65cLGguRyPDkuUoDbLzhu2QBNXwlQvk2+rH
 bgreE7hqmm2ZwRnjSwJFtrFSuOfULjBjXqv2QMG+Lby5e/VzrzV0wdZJd2YXk9VX
 VzhjiHmAGI2l30JClGuz9wN2MXuvtQFr2dJF56Nuw535mwuBUzxQwXY5qkX6uJ1z
 KXADrUz7atA2VVYRgPEj8D30c1RlAzmiPLTxLTKouk0LdcOih90z/SaT/qlUHfsA
 7TUaYBJt6PKbmrGK+PxUTpw/M88w+frbcV+PZNAynLeJfiRROl1Yg/6Tc0QC9nts
 cHs9Migp2tf37gEvYcXFEPHI/A+sfIb5RZuTQySpUN09vODb37cZXl+lI4FuLGcJ
 F4d45b05gNcybt+SFj63CGpW+k4QO8M6TUzy7gvQ0DdUmhd0mEvAmGfEPBoaBsau
 5uJEfOQ=
 =0tyg
 -----END PGP SIGNATURE-----

Merge tag 'sound-5.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound updates from Takashi Iwai:
 "The most significant changes at this cycle are the Sound Open Firmware
  support from Intel for the common DSP framework along with its support
  for Intel platforms. It's a door opened to a real "free" firmware (in
  the sense of FOSS), and other parties show interests in it.

  In addition to SOF, we've got a bunch of updates and fixes as usual.
  Some highlights are below.

  ALSA core:
   - Cleanups and fixes in ALSA timer code to cover some races spotted
     by syzkaller
   - Cleanups and fixes in ALSA sequencer code to cover some races,
     again unsurprisingly, spotted by syzkaller
   - Optimize the common page allocation helper with alloc_pages_exact()

  ASoC:
   - Add SOF core support, as well as Intel SOF platform support
   - Generic card driver improvements: support for MCLK/sample rate
     ratio and pin switches
   - A big set of improvements to TLV320AIC32x4 drivers
   - New drivers for Freescale audio mixers, several Intel machines,
     several Mediatek machines, Meson G12A, Spreadtrum compressed audio
     and DMA devices

  HD-audio:
   - A few Realtek codec fixes for reducing pop noises
   - Quirks for Chromebooks
   - Workaround for faulty connection report on AMD/Nvidia HDMI

  Others:
   - A quirk for Focusrite Scarlett Solo USB-audio
   - Add support for MOTU 8pre FireWire
   - 24bit sample format support in aloop
   - GUS patch format support (finally, over a decade) in native emux
     synth code"

* tag 'sound-5.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (375 commits)
  ASoC: SOF: Fix unused variable warnings
  ALSA: line6: toneport: Fix broken usage of timer for delayed execution
  ALSA: aica: Fix a long-time build breakage
  ALSA: hda/realtek - Support low power consumption for ALC256
  ASoC: stm32: i2s: update pcm hardware constraints
  ASoC: codec: hdac_hdmi: no checking monitor in hw_params
  ASoC: mediatek: mt6358: save PGA for mixer control
  ASoC: mediatek: mt6358: save output volume for mixer controls
  ASoC: mediatek: mt6358: initialize setting when ramping volume
  ASoC: SOF: core: fix undefined nocodec reference
  ASoC: SOF: xtensa: fix undefined references
  ASoC: SOF: Propagate sof_get_ctrl_copy_params() error properly
  ALSA: hdea/realtek - Headset fixup for System76 Gazelle (gaze14)
  ALSA: hda/intel: add CometLake PCI IDs
  ALSA: hda/realtek - Support low power consumption for ALC295
  ASoC: rockchip: Fix an uninitialized variable compile warning
  ASoC: SOF: Fix a compile warning with CONFIG_PCI=n
  ASoC: da7219: Fix a compile warning at CONFIG_COMMON_CLK=n
  ASoC: sound/soc/sof/: fix kconfig dependency warning
  ASoC: stm32: spdifrx: change trace level on iec control
  ...
2019-05-09 08:26:55 -07:00
Kirill Smelkov c5bf68fe0c *: convert stream-like files from nonseekable_open -> stream_open
Using scripts/coccinelle/api/stream_open.cocci added in 10dce8af34
("fs: stream_open - opener for stream-like files so that read and write
can run simultaneously without deadlock"), search and convert to
stream_open all in-kernel nonseekable_open users for which read and
write actually do not depend on ppos and where there is no other methods
in file_operations which assume @offset access.

I've verified each generated change manually - that it is correct to convert -
and each other nonseekable_open instance left - that it is either not correct
to convert there, or that it is not converted due to current stream_open.cocci
limitations. The script also does not convert files that should be valid to
convert, but that currently have .llseek = noop_llseek or generic_file_llseek
for unknown reason despite file being opened with nonseekable_open (e.g.
drivers/input/mousedev.c)

Among cases converted 14 were potentially vulnerable to read vs write deadlock
(see details in 10dce8af34):

	drivers/char/pcmcia/cm4000_cs.c:1685:7-23: ERROR: cm4000_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
	drivers/gnss/core.c:45:1-17: ERROR: gnss_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
	drivers/hid/uhid.c:635:1-17: ERROR: uhid_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
	drivers/infiniband/core/user_mad.c:988:1-17: ERROR: umad_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
	drivers/input/evdev.c:527:1-17: ERROR: evdev_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
	drivers/input/misc/uinput.c:401:1-17: ERROR: uinput_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
	drivers/isdn/capi/capi.c:963:8-24: ERROR: capi_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
	drivers/leds/uleds.c:77:1-17: ERROR: uleds_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
	drivers/media/rc/lirc_dev.c:198:1-17: ERROR: lirc_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
	drivers/s390/char/fs3270.c:488:1-17: ERROR: fs3270_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
	drivers/usb/misc/ldusb.c:310:1-17: ERROR: ld_usb_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
	drivers/xen/evtchn.c:667:8-24: ERROR: evtchn_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
	net/batman-adv/icmp_socket.c:80:1-17: ERROR: batadv_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
	net/rfkill/core.c:1146:8-24: ERROR: rfkill_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.

and the rest were just safe to convert to stream_open because their read and
write do not use ppos at all and corresponding file_operations do not
have methods that assume @offset file access(*):

	arch/powerpc/platforms/52xx/mpc52xx_gpt.c:631:8-24: WARNING: mpc52xx_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	arch/powerpc/platforms/cell/spufs/file.c:591:8-24: WARNING: spufs_ibox_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
	arch/powerpc/platforms/cell/spufs/file.c:591:8-24: WARNING: spufs_ibox_stat_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
	arch/powerpc/platforms/cell/spufs/file.c:591:8-24: WARNING: spufs_mbox_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
	arch/powerpc/platforms/cell/spufs/file.c:591:8-24: WARNING: spufs_mbox_stat_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
	arch/powerpc/platforms/cell/spufs/file.c:591:8-24: WARNING: spufs_wbox_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	arch/powerpc/platforms/cell/spufs/file.c:591:8-24: WARNING: spufs_wbox_stat_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
	arch/um/drivers/harddog_kern.c:88:8-24: WARNING: harddog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	arch/x86/kernel/cpu/microcode/core.c:430:33-49: WARNING: microcode_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/char/ds1620.c:215:8-24: WARNING: ds1620_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/char/dtlk.c:301:1-17: WARNING: dtlk_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/char/ipmi/ipmi_watchdog.c:840:9-25: WARNING: ipmi_wdog_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/char/pcmcia/scr24x_cs.c:95:8-24: WARNING: scr24x_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/char/tb0219.c:246:9-25: WARNING: tb0219_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/firewire/nosy.c:306:8-24: WARNING: nosy_ops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/hwmon/fschmd.c:840:8-24: WARNING: watchdog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/hwmon/w83793.c:1344:8-24: WARNING: watchdog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/infiniband/core/ucma.c:1747:8-24: WARNING: ucma_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/infiniband/core/ucm.c:1178:8-24: WARNING: ucm_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/infiniband/core/uverbs_main.c:1086:8-24: WARNING: uverbs_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/input/joydev.c:282:1-17: WARNING: joydev_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/pci/switch/switchtec.c:393:1-17: WARNING: switchtec_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/platform/chrome/cros_ec_debugfs.c:135:8-24: WARNING: cros_ec_console_log_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/rtc/rtc-ds1374.c:470:9-25: WARNING: ds1374_wdt_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/rtc/rtc-m41t80.c:805:9-25: WARNING: wdt_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/s390/char/tape_char.c:293:2-18: WARNING: tape_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/s390/char/zcore.c:194:8-24: WARNING: zcore_reipl_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/s390/crypto/zcrypt_api.c:528:8-24: WARNING: zcrypt_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/spi/spidev.c:594:1-17: WARNING: spidev_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/staging/pi433/pi433_if.c:974:1-17: WARNING: pi433_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/acquirewdt.c:203:8-24: WARNING: acq_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/advantechwdt.c:202:8-24: WARNING: advwdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/alim1535_wdt.c:252:8-24: WARNING: ali_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/alim7101_wdt.c:217:8-24: WARNING: wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/ar7_wdt.c:166:8-24: WARNING: ar7_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/at91rm9200_wdt.c:113:8-24: WARNING: at91wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/ath79_wdt.c:135:8-24: WARNING: ath79_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/bcm63xx_wdt.c:119:8-24: WARNING: bcm63xx_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/cpu5wdt.c:143:8-24: WARNING: cpu5wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/cpwd.c:397:8-24: WARNING: cpwd_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/eurotechwdt.c:319:8-24: WARNING: eurwdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/f71808e_wdt.c:528:8-24: WARNING: watchdog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/gef_wdt.c:232:8-24: WARNING: gef_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/geodewdt.c:95:8-24: WARNING: geodewdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/ib700wdt.c:241:8-24: WARNING: ibwdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/ibmasr.c:326:8-24: WARNING: asr_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/indydog.c:80:8-24: WARNING: indydog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/intel_scu_watchdog.c:307:8-24: WARNING: intel_scu_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/iop_wdt.c:104:8-24: WARNING: iop_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/it8712f_wdt.c:330:8-24: WARNING: it8712f_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/ixp4xx_wdt.c:68:8-24: WARNING: ixp4xx_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/ks8695_wdt.c:145:8-24: WARNING: ks8695wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/m54xx_wdt.c:88:8-24: WARNING: m54xx_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/machzwd.c:336:8-24: WARNING: zf_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/mixcomwd.c:153:8-24: WARNING: mixcomwd_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/mtx-1_wdt.c:121:8-24: WARNING: mtx1_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/mv64x60_wdt.c:136:8-24: WARNING: mv64x60_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/nuc900_wdt.c:134:8-24: WARNING: nuc900wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/nv_tco.c:164:8-24: WARNING: nv_tco_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/pc87413_wdt.c:289:8-24: WARNING: pc87413_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/pcwd.c:698:8-24: WARNING: pcwd_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/pcwd.c:737:8-24: WARNING: pcwd_temp_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/pcwd_pci.c:581:8-24: WARNING: pcipcwd_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/pcwd_pci.c:623:8-24: WARNING: pcipcwd_temp_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/pcwd_usb.c:488:8-24: WARNING: usb_pcwd_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/pcwd_usb.c:527:8-24: WARNING: usb_pcwd_temperature_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/pika_wdt.c:121:8-24: WARNING: pikawdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/pnx833x_wdt.c:119:8-24: WARNING: pnx833x_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/rc32434_wdt.c:153:8-24: WARNING: rc32434_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/rdc321x_wdt.c:145:8-24: WARNING: rdc321x_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/riowd.c:79:1-17: WARNING: riowd_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/sa1100_wdt.c:62:8-24: WARNING: sa1100dog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/sbc60xxwdt.c:211:8-24: WARNING: wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/sbc7240_wdt.c:139:8-24: WARNING: wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/sbc8360.c:274:8-24: WARNING: sbc8360_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/sbc_epx_c3.c:81:8-24: WARNING: epx_c3_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/sbc_fitpc2_wdt.c:78:8-24: WARNING: fitpc2_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/sb_wdog.c:108:1-17: WARNING: sbwdog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/sc1200wdt.c:181:8-24: WARNING: sc1200wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/sc520_wdt.c:261:8-24: WARNING: wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/sch311x_wdt.c:319:8-24: WARNING: sch311x_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/scx200_wdt.c:105:8-24: WARNING: scx200_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/smsc37b787_wdt.c:369:8-24: WARNING: wb_smsc_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/w83877f_wdt.c:227:8-24: WARNING: wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/w83977f_wdt.c:301:8-24: WARNING: wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/wafer5823wdt.c:200:8-24: WARNING: wafwdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/watchdog_dev.c:828:8-24: WARNING: watchdog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/wdrtas.c:379:8-24: WARNING: wdrtas_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/wdrtas.c:445:8-24: WARNING: wdrtas_temp_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/wdt285.c:104:1-17: WARNING: watchdog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/wdt977.c:276:8-24: WARNING: wdt977_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/wdt.c:424:8-24: WARNING: wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/wdt.c:484:8-24: WARNING: wdt_temp_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/wdt_pci.c:464:8-24: WARNING: wdtpci_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
	drivers/watchdog/wdt_pci.c:527:8-24: WARNING: wdtpci_temp_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
	net/batman-adv/log.c:105:1-17: WARNING: batadv_log_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
	sound/core/control.c:57:7-23: WARNING: snd_ctl_f_ops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
	sound/core/rawmidi.c:385:7-23: WARNING: snd_rawmidi_f_ops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
	sound/core/seq/seq_clientmgr.c:310:7-23: WARNING: snd_seq_f_ops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
	sound/core/timer.c:1428:7-23: WARNING: snd_timer_f_ops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.

One can also recheck/review the patch via generating it with explanation comments included via

	$ make coccicheck MODE=patch COCCI=scripts/coccinelle/api/stream_open.cocci SPFLAGS="-D explain"

(*) This second group also contains cases with read/write deadlocks that
stream_open.cocci don't yet detect, but which are still valid to convert to
stream_open since ppos is not used. For example drivers/pci/switch/switchtec.c
calls wait_for_completion_interruptible() in its .read, but stream_open.cocci
currently detects only "wait_event*" as blocking.

Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Yongzhi Pan <panyongzhi@gmail.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: David Vrabel <david.vrabel@citrix.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Miklos Szeredi <miklos@szeredi.hu>
Cc: Tejun Heo <tj@kernel.org>
Cc: Kirill Tkhai <ktkhai@virtuozzo.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Julia Lawall <Julia.Lawall@lip6.fr>
Cc: Nikolaus Rath <Nikolaus@rath.org>
Cc: Han-Wen Nienhuys <hanwen@google.com>
Cc: Anatolij Gustschin <agust@denx.de>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Richard Weinberger <richard@nod.at>
Cc: Anton Ivanov <anton.ivanov@cambridgegreys.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "James R. Van Zandt" <jrv@vanzandt.mv.com>
Cc: Corey Minyard <minyard@acm.org>
Cc: Harald Welte <laforge@gnumonks.org>
Acked-by: Lubomir Rintel <lkundrak@v3.sk> [scr24x_cs]
Cc: Stefan Richter <stefanr@s5r6.in-berlin.de>
Cc: Johan Hovold <johan@kernel.org>
Cc: David Herrmann <dh.herrmann@googlemail.com>
Cc: Jiri Kosina <jikos@kernel.org>
Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Cc: Jean Delvare <jdelvare@suse.com>
Acked-by: Guenter Roeck <linux@roeck-us.net>	[watchdog/* hwmon/*]
Cc: Rudolf Marek <r.marek@assembler.cz>
Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: Karsten Keil <isdn@linux-pingi.de>
Cc: Jacek Anaszewski <jacek.anaszewski@gmail.com>
Cc: Pavel Machek <pavel@ucw.cz>
Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: Kurt Schwemmer <kurt.schwemmer@microsemi.com>
Acked-by: Logan Gunthorpe <logang@deltatee.com> [drivers/pci/switch/switchtec]
Acked-by: Bjorn Helgaas <bhelgaas@google.com> [drivers/pci/switch/switchtec]
Cc: Benson Leung <bleung@chromium.org>
Acked-by: Enric Balletbo i Serra <enric.balletbo@collabora.com> [platform/chrome]
Cc: Alessandro Zummo <a.zummo@towertech.it>
Acked-by: Alexandre Belloni <alexandre.belloni@bootlin.com> [rtc/*]
Cc: Mark Brown <broonie@kernel.org>
Cc: Wim Van Sebroeck <wim@linux-watchdog.org>
Cc: Florian Fainelli <f.fainelli@gmail.com>
Cc: bcm-kernel-feedback-list@broadcom.com
Cc: Wan ZongShun <mcuos.com@gmail.com>
Cc: Zwane Mwaikambo <zwanem@gmail.com>
Cc: Marek Lindner <mareklindner@neomailbox.ch>
Cc: Simon Wunderlich <sw@simonwunderlich.de>
Cc: Antonio Quartulli <a@unstable.cc>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Johannes Berg <johannes@sipsolutions.net>
Cc: Jaroslav Kysela <perex@perex.cz>
Cc: Takashi Iwai <tiwai@suse.com>
Signed-off-by: Kirill Smelkov <kirr@nexedi.com>
2019-05-06 17:46:41 +03:00
Takashi Iwai 17b89c8031 Merge branch 'for-linus' into for-next
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-05-06 15:07:57 +02:00
Takashi Iwai f4fa968950 ALSA: core: Don't refer to snd_cards array directly
The snd_cards[] array holds the card pointers that have been currently
registered, and it's exported for the external modules that may need
to refer a card object.  But accessing to this array can be racy
against the driver probe or removal, as the card registration or free
may happen concurrently.

This patch gets rid of the direct access to snd_cards[] array and
provides a helper function to give the card object from the index
number with a refcount management.  Then the caller can access to the
given card object safely, and releases it via snd_card_unref().

While we're at it, add a proper comment to snd_card_unref() and make
it an inlined function for type-safety, too.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-04-17 07:16:15 +02:00
Takashi Iwai 2a3f7221ac ALSA: core: Fix card races between register and disconnect
There is a small race window in the card disconnection code that
allows the registration of another card with the very same card id.
This leads to a warning in procfs creation as caught by syzkaller.

The problem is that we delete snd_cards and snd_cards_lock entries at
the very beginning of the disconnection procedure.  This makes the
slot available to be assigned for another card object while the
disconnection procedure is being processed.  Then it becomes possible
to issue a procfs registration with the existing file name although we
check the conflict beforehand.

The fix is simply to move the snd_cards and snd_cards_lock clearances
at the end of the disconnection procedure.  The references to these
entries are merely either from the global proc files like
/proc/asound/cards or from the card registration / disconnection, so
it should be fine to shift at the very end.

Reported-by: syzbot+48df349490c36f9f54ab@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-04-16 17:06:33 +02:00
Takashi Iwai 8c2f870890 ALSA: info: Fix racy addition/deletion of nodes
The ALSA proc helper manages the child nodes in a linked list, but its
addition and deletion is done without any lock.  This leads to a
corruption if they are operated concurrently.  Usually this isn't a
problem because the proc entries are added sequentially in the driver
probe procedure itself.  But the card registrations are done often
asynchronously, and the crash could be actually reproduced with
syzkaller.

This patch papers over it by protecting the link addition and deletion
with the parent's mutex.  There is "access" mutex that is used for the
file access, and this can be reused for this purpose as well.

Reported-by: syzbot+48df349490c36f9f54ab@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-04-16 15:49:48 +02:00
Takashi Iwai b5fd12d6c0 ALSA: seq: Correct unlock sequence at snd_seq_client_ioctl_unlock()
The doubly unlock sequence at snd_seq_client_ioctl_unlock() is tricky.
I took a direct unref call since I thought it would avoid
misunderstanding, but rather this seems more confusing.  Let's use
snd_seq_client_unlock() consistently even if they look strange to be
called twice, and add more comments for avoiding reader's confusion.

Fixes: 6b580f5231 ("ALSA: seq: Protect racy pool manipulation from OSS sequencer")
Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-04-15 12:04:31 +02:00
Takashi Iwai 99fff44fe3 Merge branch 'for-linus' into for-next
Back-merge the 5.1 devel branch for the further HD-audio development.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-04-13 10:09:46 +02:00
Takashi Iwai 6b580f5231 ALSA: seq: Protect racy pool manipulation from OSS sequencer
OSS sequencer emulation still allows to queue and issue the events
that manipulate the client pool concurrently in a racy way.  This
patch serializes the access like the normal sequencer write / ioctl
via taking the client ioctl_mutex.  Since the access to the sequencer
client is done indirectly via a client id number, a new helper to
take/release the mutex is introduced.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-04-12 13:07:25 +02:00
Takashi Iwai 6740ea6776 ALSA: seq: Simplify snd_seq_kernel_client_enqueue() helper
We have two helpers for queuing a sequencer event from the kernel
client, and both are used only from OSS sequencer layer without any
hop and atomic set.  Let's simplify and unify two helpers into one.

No functional change, just a call pattern change.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-04-12 12:51:22 +02:00
Takashi Iwai 7c32ae35fb ALSA: seq: Cover unsubscribe_port() in list_mutex
The call of unsubscribe_port() which manages the group count and
module refcount from delete_and_unsubscribe_port() looks racy; it's
not covered by the group list lock, and it's likely a cause of the
reported unbalance at port deletion.  Let's move the call inside the
group list_mutex to plug the hole.

Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-04-12 12:50:10 +02:00
Takashi Iwai f0654ba94e Revert "ALSA: seq: Protect in-kernel ioctl calls with mutex"
This reverts commit feb689025f.

The fix attempt was incorrect, leading to the mutex deadlock through
the close of OSS sequencer client.  The proper fix needs more
consideration, so let's revert it now.

Fixes: feb689025f ("ALSA: seq: Protect in-kernel ioctl calls with mutex")
Reported-by: syzbot+47ded6c0f23016cde310@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-04-11 19:58:43 +02:00
Takashi Iwai 5d704b0d3b ALSA: timer: Coding style fixes
Avoid old school C style but do plain and clear way.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-04-10 08:42:26 +02:00
Takashi Iwai 41672c0c24 ALSA: timer: Simplify error path in snd_timer_open()
Just a minor refactoring to use the standard goto for error paths in
snd_timer_open() instead of open code.  The first mutex_lock() is
moved to the beginning of the function to make the code clearer.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-04-10 08:42:22 +02:00
Takashi Iwai 2eabc5ec8a ALSA: seq: Fix race of get-subscription call vs port-delete ioctls
The snd_seq_ioctl_get_subscription() retrieves the port subscriber
information as a pointer, while the object isn't protected, hence it
may be deleted before the actual reference.  This race was spotted by
syzkaller and may lead to a UAF.

The fix is simply copying the data in the lookup function that
performs in the rwsem to protect against the deletion.

Reported-by: syzbot+9437020c82413d00222d@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-04-09 18:54:13 +02:00
Takashi Iwai feb689025f ALSA: seq: Protect in-kernel ioctl calls with mutex
ALSA OSS sequencer calls the ioctl function indirectly via
snd_seq_kernel_client_ctl().  While we already applied the protection
against races between the normal ioctls and writes via the client's
ioctl_mutex, this code path was left untouched.  And this seems to be
the cause of still remaining some rare UAF as spontaneously triggered
by syzkaller.

For the sake of robustness, wrap the ioctl_mutex also for the call via
snd_seq_kernel_client_ctl(), too.

Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-04-09 18:54:12 +02:00
Takashi Iwai f823b8a755 ALSA: seq: Remove superfluous irqsave flags
spin_lock_irqsave() is used unnecessarily in various places in
sequencer core code although it's pretty obvious that the context is
sleepable.  Remove irqsave and use the plain spin_lock_irq() in such
places for simplicity.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-04-09 17:22:46 +02:00
Takashi Iwai 4b24b960b1 ALSA: seq: Align temporary re-locking with irqsave version
In a few places in sequencer core, we temporarily unlock / re-lock the
pool spin lock while waiting for the allocation in the blocking mode.
There spin_unlock_irq() / spin_lock_irq() pairs are called while
initially spin_lock_irqsave() is used (and spin_lock_irqrestore() at
the end of the function again).  This is likely OK for now, but it's a
bit confusing and error-prone.

This patch replaces these temporary relocking lines with the irqsave
variant to make the lock/unlock sequence more consistently.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-04-09 17:22:46 +02:00
Takashi Iwai fd7ae83de1 ALSA: seq: Use kvmalloc() for cell pools
Use kvmalloc() for allocating cell pools since the pool size can be
relatively small that may be covered better by slab.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-04-09 17:22:46 +02:00
Takashi Iwai df55531b8b ALSA: timer: Revert active callback sync check at close
This is essentially a revert of the commit a7588c896b ("ALSA: timer:
Check ack_list emptiness instead of bit flag").  The intended change
by the commit turns out to be insufficient, as snd_timer_close*()
always calls snd_timer_stop() that deletes the ack_list beforehand.

In theory, we can change the behavior of snd_timer_stop() to sync the
pending ack_list, but this will become a deadlock for the callback
like sequencer that calls again snd_timer_stop() from itself.  So,
reverting the change is a more straightforward solution.

Fixes: a7588c896b ("ALSA: timer: Check ack_list emptiness instead of bit flag")
Reported-by: syzbot+58813d77154713f4de15@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-04-09 12:29:34 +02:00
Zubin Mithra 212ac181c1 ALSA: seq: Fix OOB-reads from strlcpy
When ioctl calls are made with non-null-terminated userspace strings,
strlcpy causes an OOB-read from within strlen. Fix by changing to use
strscpy instead.

Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-04-05 14:33:01 +02:00
Takashi Iwai 3a23fd0415 Merge branch 'topic/timer-fixes' into for-next
Pull yet another ALSA core timer fixes and cleanups.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-03-28 08:33:50 +01:00
Takashi Iwai 734b5a0bbd ALSA: Replace snd_malloc_pages() and snd_free_pages() with standard helpers, take#2
snd_malloc_pages() and snd_free_pages() are merely thin wrappers of
the standard page allocator / free functions.  Even the arguments are
compatible with some standard helpers, so there is little merit of
keeping these wrappers.

This patch replaces the all existing callers of snd_malloc_pages() and
snd_free_pages() with the direct calls of the standard helper
functions.  In this version, we use a recently introduced one,
alloc_pages_exact(), which suits better than the old
snd_malloc_pages() implementation for our purposes.  Then we can avoid
the waste of pages by alignment to power-of-two.

Since alloc_pages_exact() does split pages, we need no longer
__GFP_COMP flag; or better to say, we must not pass __GFP_COMP to
alloc_pages_exact().  So the former unconditional addition of
__GFP_COMP flag in snd_malloc_pages() is dropped, as well as in most
other places.

Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Acked-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-03-27 17:15:01 +01:00
Takashi Iwai fe1b26c93d ALSA: timer: Make snd_timer_close() really kill pending actions
snd_timer_close() is supposed to close the timer instance and sync
with the deactivation of pending actions.  However, there are still
some overlooked cases:

- It calls snd_timer_stop() at the beginning, but some other might
  re-trigger the timer right after that.

- snd_timer_stop() calls del_timer_sync() only when all belonging
  instances are closed.  If multiple instances were assigned to a
  timer object and one is closed, the timer is still running.  Then
  the pending action assigned to this timer might be left.

Actually either of the above is the likely cause of the reported
syzkaller UAF.

This patch plug these holes by introducing SNDRV_TIMER_IFLG_DEAD
flag.  This is set at the beginning of snd_timer_close(), and the flag
is checked at snd_timer_start*() and else, so that no longer new
action is left after snd_timer_close().

Reported-by: syzbot+d5136d4d3240cbe45a2a@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-03-27 17:02:40 +01:00
Takashi Iwai a7588c896b ALSA: timer: Check ack_list emptiness instead of bit flag
For checking the pending timer instance that is still left on the
timer object that is being closed, we set/clear a bit flag
SNDRV_TIMER_IFLG_CALLBACK around the call of callbacks.  This can be
simplified by replace with the list_empty() call for ti->ack_list.
This covers the existence more comprehensively and safely.

A gratis bonus is that we can get rid of SNDRV_TIMER_IFLG_CALLBACK bit
flag definition as well.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-03-27 16:56:08 +01:00
Takashi Iwai 7bb4a8a2cc ALSA: timer: Make sure to clear pending ack list
When a card is under disconnection, we bail out immediately at each
timer interrupt or tasklet.  This might leave some items left in ack
list.  For a better integration of the upcoming change to check
ack_list emptiness, clear out the whole list upon the emergency exit
route.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-03-27 16:51:58 +01:00
Takashi Iwai 8748b850be ALSA: timer: Unify timer callback process code
The timer core has two almost identical code for processing callbacks:
once in snd_timer_interrupt() for fast callbacks and another in
snd_timer_tasklet() for delayed callbacks.  Let's unify them.

In the new version, the resolution is read from ti->resolution at each
call, and this must be fine; ti->resolution is set in the preparation
step in snd_timer_interrupt().

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-03-27 16:42:51 +01:00
Takashi Iwai 113ce08109 ALSA: pcm: Don't suspend stream in unrecoverable PCM state
Currently PCM core sets each opened stream forcibly to SUSPENDED state
via snd_pcm_suspend_all() call, and the user-space is responsible for
re-triggering the resume manually either via snd_pcm_resume() or
prepare call.  The scheme works fine usually, but there are corner
cases where the stream can't be resumed by that call: the streams
still in OPEN state before finishing hw_params.  When they are
suspended, user-space cannot perform resume or prepare because they
haven't been set up yet.  The only possible recovery is to re-open the
device, which isn't nice at all.  Similarly, when a stream is in
DISCONNECTED state, it makes no sense to change it to SUSPENDED
state.  Ditto for in SETUP state; which you can re-prepare directly.

So, this patch addresses these issues by filtering the PCM streams to
be suspended by checking the PCM state.  When a stream is in either
OPEN, SETUP or DISCONNECTED as well as already SUSPENDED, the suspend
action is skipped.

To be noted, this problem was originally reported for the PCM runtime
PM on HD-audio.  And, the runtime PM problem itself was already
addressed (although not intended) by the code refactoring commits
3d21ef0b49 ("ALSA: pcm: Suspend streams globally via device type PM
ops") and 17bc4815de ("ALSA: pci: Remove superfluous
snd_pcm_suspend*() calls").  These commits eliminated the
snd_pcm_suspend*() calls from the runtime PM suspend callback code
path, hence the racy OPEN state won't appear while runtime PM.
(FWIW, the race window is between snd_pcm_open_substream() and the
first power up in azx_pcm_open().)

Although the runtime PM issue was already "fixed", the same problem is
still present for the system PM, hence this patch is still needed.
And for stable trees, this patch alone should suffice for fixing the
runtime PM problem, too.

Reported-and-tested-by: Jon Hunter <jonathanh@nvidia.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-03-25 16:36:30 +01:00
Takashi Iwai ca0214ee28 ALSA: pcm: Fix possible OOB access in PCM oss plugins
The PCM OSS emulation converts and transfers the data on the fly via
"plugins".  The data is converted over the dynamically allocated
buffer for each plugin, and recently syzkaller caught OOB in this
flow.

Although the bisection by syzbot pointed out to the commit
65766ee0bf ("ALSA: oss: Use kvzalloc() for local buffer
allocations"), this is merely a commit to replace vmalloc() with
kvmalloc(), hence it can't be the cause.  The further debug action
revealed that this happens in the case where a slave PCM doesn't
support only the stereo channels while the OSS stream is set up for a
mono channel.  Below is a brief explanation:

At each OSS parameter change, the driver sets up the PCM hw_params
again in snd_pcm_oss_change_params_lock().  This is also the place
where plugins are created and local buffers are allocated.  The
problem is that the plugins are created before the final hw_params is
determined.  Namely, two snd_pcm_hw_param_near() calls for setting the
period size and periods may influence on the final result of channels,
rates, etc, too, while the current code has already created plugins
beforehand with the premature values.  So, the plugin believes that
channels=1, while the actual I/O is with channels=2, which makes the
driver reading/writing over the allocated buffer size.

The fix is simply to move the plugin allocation code after the final
hw_params call.

Reported-by: syzbot+d4503ae45b65c5bc1194@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-03-22 16:27:03 +01:00
Gustavo A. R. Silva c709f14f06 ALSA: seq: oss: Fix Spectre v1 vulnerability
dev is indirectly controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

sound/core/seq/oss/seq_oss_synth.c:626 snd_seq_oss_synth_make_info() warn: potential spectre issue 'dp->synths' [w] (local cap)

Fix this by sanitizing dev before using it to index dp->synths.

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/

Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-03-21 13:23:51 +01:00
Gustavo A. R. Silva 2b1d9c8f87 ALSA: rawmidi: Fix potential Spectre v1 vulnerability
info->stream is indirectly controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

sound/core/rawmidi.c:604 __snd_rawmidi_info_select() warn: potential spectre issue 'rmidi->streams' [r] (local cap)

Fix this by sanitizing info->stream before using it to index
rmidi->streams.

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/

Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-03-21 13:21:15 +01:00
Ricardo Biehl Pasquali 932a815195 ALSA: pcm: Comment why read blocks when PCM is not running
This avoids bringing back the problem introduced by
62ba568f7a ("ALSA: pcm: Return 0 when size <
start_threshold in capture") and fixed in 00a399cad1
("ALSA: pcm: Revert capture stream behavior change in
blocking mode"), which prevented the user from starting
capture from another thread.

Signed-off-by: Ricardo Biehl Pasquali <pasqualirb@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-13 08:01:05 +01:00
Takashi Iwai 5a23f38568 Merge branch 'for-linus' into for-next
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-13 08:00:54 +01:00
Ranjani Sridharan d9c0b2afe8 ALSA: PCM: check if ops are defined before suspending PCM
BE dai links only have internal PCM's and their substream ops may
not be set. Suspending these PCM's will result in their
 ops->trigger() being invoked and cause a kernel oops.
So skip suspending PCM's if their ops are NULL.

[ NOTE: this change is required now for following the recent PCM core
  change to get rid of snd_pcm_suspend() call.  Since DPCM BE takes
  the runtime carried from FE while keeping NULL ops, it can hit this
  bug.  See details at:
     https://github.com/thesofproject/linux/pull/582
  -- tiwai ]

Signed-off-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-11 17:04:25 +01:00
Takashi Iwai 00a399cad1 ALSA: pcm: Revert capture stream behavior change in blocking mode
In the commit 62ba568f7a ("ALSA: pcm: Return 0 when size <
start_threshold in capture"), we changed the behavior of
__snd_pcm_lib_xfer() to return immediately with 0 when a capture
stream has a high start_threshold.  This was intended to be a
correction of the behavior consistency and looked harmless, but this
was the culprit of the recent breakage reported by syzkaller, which
was fixed by the commit e190161f96 ("ALSA: pcm: Fix tight loop of
OSS capture stream").

At the time for the OSS fix, I didn't touch the behavior for ALSA
native API, as assuming that this behavior actually is good.  But this
turned out to be also broken actually for a similar deployment,
e.g. one thread goes to a write loop in blocking mode while another
thread controls the start/stop of the stream manually.

Overall, the original commit is harmful, and it brings less merit to
keep that behavior.  Let's revert it.

Fixes: 62ba568f7a ("ALSA: pcm: Return 0 when size < start_threshold in capture")
Fixes: e190161f96 ("ALSA: pcm: Fix tight loop of OSS capture stream")
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-08 16:54:31 +01:00
Takashi Iwai bb580602f3 ALSA: pcm: Define snd_pcm_lib_preallocate_*() as returning void
Now all callers no longer check the return value from
snd_pcm_lib_preallocate_pages() and co, let's make them to return
void, so that any new code won't fall into the same pitfall.

Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-08 14:24:12 +01:00
Takashi Iwai 29b2625ff6 ALSA: info: Move card id proc creation into info.c
The creation of card's id proc file can be moved gracefully into
info.c.  Also, the assignment of card->proc_id is superfluous and can
be dropped.  So let's do it.

Basically this is no functional change but code refactoring, but one
potential behavior change is that now it returns properly the error
code from snd_info_card_register(), which is a good thing (tm).

Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-06 18:11:58 +01:00
Takashi Iwai a858ee6655 ALSA: info: Minor optimization
Just a minor code optimization to reduce the source code size
slightly.  No functional changes.

Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-06 18:11:58 +01:00
Takashi Iwai 9725752867 ALSA: info: Drop unused snd_info_entry.card field
It's referred only in snd_card_id_read() which can receive the card
object via private_data.

Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-06 18:11:58 +01:00
Takashi Iwai 7453e1dafd ALSA: info: Add standard helpers for card proc file entries
Two new helper functions are added here for cleaning up the existing
lengthy calls.

Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-06 18:11:55 +01:00
Takashi Iwai 4a471d7cc9 ALSA: compress: Remove superfluous snd_info_register() calls
The calls of snd_info_register() are superfluous and should be avoided
at the procfs creation time.  They are called at the end of the whole
initialization via snd_card_register().  This patch drops such
superfluous calls.

Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-06 18:11:54 +01:00
Takashi Iwai a8d149813b ALSA: pcm: Remove superfluous snd_info_register() calls
The calls of snd_info_register() are superfluous and should be avoided
at the procfs creation time.  They are called at the end of the whole
initialization via snd_card_register().  This patch drops such
superfluous calls, as well as cleaning up the calls of substream proc
entries with a common helper.

Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-06 18:11:54 +01:00
Takashi Iwai 348c5ad5d6 ALSA: info: Always register entries recursively
Make sure that all children entries are registered by a single call of
snd_info_register().  OTOH, don't register if a parent isn't
registered yet.

This allows us to create the whole procfs tree in a shot at the last
stage of card registration phase in a later patch.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-05 13:58:03 +01:00
Takashi Iwai 6ce1d63ed7 ALSA: core: Don't allow NULL device for memory allocation
Since we covered all callers with NULL device pointer, let's catch the
remaining calls with NULL and warn explicitly.

Acked-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-05 11:05:26 +01:00
Guennadi Liakhovetski 515548fdd8 ALSA: pcm: remove a superfluous function declaration
Declaration of snd_pcm_drop() in sound/core/pcm_native.c is superfluous
since the function isn't called before being defined. Remove the
declaration.

Signed-off-by: Guennadi Liakhovetski <guennadi.liakhovetski@linux.intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-31 12:23:39 +01:00
Takashi Iwai 286406c2e1 Merge branch 'for-linus' into for-next
Pull 5.0 branch for further development of USB-audio quirks

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-29 11:07:48 +01:00
Takashi Iwai e190161f96 ALSA: pcm: Fix tight loop of OSS capture stream
When the trigger=off is passed for a PCM OSS stream, it sets the
start_threshold of the given substream to the boundary size, so that
it won't be automatically started.  This can be problematic for a
capture stream, unfortunately, as detected by syzkaller.  The scenario
is like the following:

- In __snd_pcm_lib_xfer() that is invoked from snd_pcm_oss_read()
  loop, we have a check whether the stream was already started or the
  stream can be auto-started.
- The function at this check returns 0 with trigger=off since we
  explicitly disable the auto-start.
- The loop continues and repeats calling __snd_pcm_lib_xfer() tightly,
  which may lead to an RCU stall.

This patch fixes the bug by simply allowing the wait for non-started
stream in the case of OSS capture.  For native usages, it's supposed
to be done by the caller side (which is user-space), hence it returns
zero like before.

(In theory, __snd_pcm_lib_xfer() could wait even for the native API
 usage cases, too; but I'd like to stay in a safer side for not
 breaking the existing stuff for now.)

Reported-by: syzbot+fbe0496f92a0ce7b786c@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-25 19:45:46 +01:00
Takashi Iwai 315d9f1bee ALSA: pcm: Use the common error path in __snd_pcm_lib_xfer()
An open-coded error path in __snd_pcm_lib_xfer() can be replaced with
the simple goto to the common error path.  This also makes the error
handling more consistent, i.e. when some samples have been already
processed, return that size instead of the error code.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-25 17:31:59 +01:00
Takashi Iwai 205d6bcf9b Merge branch 'topic/pcm-lock-refactor' into for-next
Pull PCM lock refactoring.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-24 14:46:21 +01:00
Takashi Iwai 3a55437141 ALSA: proc: Avoid possible leaks of snd_info_entry objects
This patch changes the parent pointer assignment of snd_info_entry
object to be always non-NULL.  More specifically,check the parent
argument in snd_info_create_module_entry() & co, and assign
snd_proc_root if NULL is passed there.

This assures that the proc object is always freed when the root is
freed, so avoid possible memory leaks.  For example, some error paths
(e.g. snd_info_register() error at snd_minor_info_init()) may leave
snd_info_entry object although the proc file itself is freed.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-24 14:40:26 +01:00
Takashi Iwai 480e32ebd5 ALSA: pcm: Simplify proc file destruction
The proc files are recursively freed by calling with the root
snd_info_entry object, so we don't have to keep each object for
releasing one by one.  Move the release of the PCM stream proc root at
the beginning, so that we can remove the redundant code and resource.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-24 14:40:25 +01:00
Takashi Iwai de89750c56 ALSA: pcm: Drop unused snd_pcm_substream.file field
It's assigned but nowhere used.  Let's remove it.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-24 14:40:25 +01:00
Takashi Iwai ef2056b8f3 ALSA: pcm: Cleanup snd_pcm_stream_lock() & co
After the previous code refactoring, the PCM stream locking code
became nothing but the PCM group lock with self_group object.  Use the
existing helper function for simplifying the code.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-23 07:40:49 +01:00
Takashi Iwai ecb41f0f44 ALSA: pcm: Remove down_write() hack for snd_pcm_link_rwsem
Remove the hackish down_write_nonfifo() that was introduced as a
workaround of rwsem deadlock.

It used to be a problem for non-atomic PCM streams that take the rwsem
for the locking and hit the high lock contention.  Since the current
PCM locking refactoring, we'll no longer hit it as the hot code-paths
don't take global locks.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-23 07:40:49 +01:00
Takashi Iwai f57f3df03a ALSA: pcm: More fine-grained PCM link locking
We have currently two global locks, a rwlock and a rwsem, that are
used for managing linking the PCM streams.  Due to these global locks,
once when a linked stream is used, the lock granularity suffers a
lot.

This patch attempts to eliminate the former global lock for atomic
ops.  The latter rwsem needs remaining because of the loosy way of the
loop calls in snd_pcm_action_nonatomic(), as well as for avoiding the
deadlock at linking.  However, these are used far rarely, actually
only by two actions (prepare and  reset), where both are no timing
critical ones.  So this can be still seen as a good improvement.

The basic strategy to eliminate the rwlock is to assure group->lock at
adding or removing a stream to / from the group.  Since we already
takes the group lock whenever taking the all substream locks under the
group, this shouldn't be a big problem.  The reference to group
pointer in snd_pcm_substream object is protected by the stream lock
itself.

However, there are still pitfalls: a race window at re-locking and the
lifecycle of group object.  The former is a small race window for
dereferencing the substream group object opened while snd_pcm_action()
performs re-locking to avoid ABBA deadlocks.  This includes the unlink
of group during that window, too.  And the latter is the kfree
performed after all streams are removed from the group while it's
still dereferenced.

For addressing these corner cases, two new tricks are introduced:
- After re-locking, the group assigned to the stream is checked again;
  if the group is changed, we retry the whole procedure.
- Introduce a refcount to snd_pcm_group object, so that it's freed
  only when it's empty and really no one refers to it.

(Some readers might wonder why not RCU for the latter.  RCU in this
case would cost more than refcounting, unfortunately.  We take the
group lock sooner or later, hence the performance improvement by RCU
would be negligible.  Meanwhile, because we need to deal with
schedulable context depending on the pcm->nonatomic flag, it'll become
dynamic RCU/SRCU switch, and the grace period may become too long.)

Along with these changes, there are a significant amount of code
refactoring.  The complex group re-lock & ref code is factored out to
snd_pcm_stream_group_ref() function, for example.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-23 07:25:08 +01:00
Takashi Iwai 7df5a5f66b ALSA: pcm: Avoid confusing loop in snd_pcm_unlink()
The snd_pcm_group_for_each_entry() loop found in snd_pcm_unlink() is
only for taking the first list entry.  Use list_first_entry() to make
clearer.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-21 16:40:19 +01:00
Takashi Iwai a41c4cb913 ALSA: pcm: Make PCM linked list consistent while re-grouping
Make a common helper to re-assign the PCM link using list_move() instead
of open code with manual list_del() and list_add_tail().  This assures
the consistency and we can get rid of snd_pcm_group.count field -- its
purpose is only to check whether the list is singular, and we can know
it by list_is_singular() call now.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-21 16:39:54 +01:00
Takashi Iwai 73365cb10b ALSA: pcm: Unify snd_pcm_group initialization
There are multiple open codes that initialize the same object.
Create a common helper function instead.

Also, use kzalloc() to be safer at creating a group object, and move
the initialization out of the critical section.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-21 16:39:35 +01:00
Takashi Iwai d819fb21ee ALSA: pcm: Call snd_card_unref() inside in_pcm_file()
The snd_card_unref() call in snd_pcm_link() looks suspicious through a
quick glance, but it's a correct usage; this is needed just because
the file descriptor check in is_pcm_file() calls the helper
snd_lookup_minor_data() that keeps the card refcount.

Despite of the correctness, the code still looks confusing.
Basically, keeping the card ref for the whole code isn't needed
as fdget() blocks the release of the opened file.  Hence it's more
understandable if snd_card_unref() is moved into is_pcm_file(), then
the caller doesn't have to take care after the call.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-21 16:38:15 +01:00
Takashi Iwai b3c4014c2b ASoC: Fixes for v5.0
Quite a big batch of fixes here.  There's a couple of things going on,
 the main one is that we found some issues with not deferring probe when
 we should, causing us to skip some driver initialization.  The fixes for
 this then in turn exposed some issues with how we were searching for
 components which had previously gone unnoticed due to the original
 issue.
 
 There's also been the normal driver specific stuff and there's been what
 looks like several batches of automated scanning for issues which have
 generated quite a large set of smaller fixes for potential crashes and
 missed error handling.
 -----BEGIN PGP SIGNATURE-----
 
 iQFHBAABCgAxFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAlxBy/wTHGJyb29uaWVA
 a2VybmVsLm9yZwAKCRAk1otyXVSH0HNQB/wI7qx/bNGOX1p2C0M5ENdgsMcYDpMh
 OHD073hL4wDkNJ/O2josnceCtrPUS5tuOxmx765IFXrAR4FWlNezQL4dHwTNGfG9
 Femd6iAxv47lC2fROpuHfB0j32LIjVrHLYDG0wAiDvteXK2VrGbj8vedfWqflOBj
 PX2kqkkgWfSCTrEYdrE09ExYoYKYdEqU/LEKFmIUnMuXc/HNHLo6e1sFNzTo8DIo
 g5P8nQ//Qgi1U9UWMabKjy4lYL2Tcid9jcNlz0QIffK2qwIEpVBeuhqJaT4sQrf5
 G51UrSk2y4lJ0t9WXv1SwQTDi2slCCGcOHA3fylGkJl1cxgOFMAR37Xs
 =ev1L
 -----END PGP SIGNATURE-----

Merge tag 'asoc-fix-v5.0-rc2' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus

ASoC: Fixes for v5.0

Quite a big batch of fixes here.  There's a couple of things going on,
the main one is that we found some issues with not deferring probe when
we should, causing us to skip some driver initialization.  The fixes for
this then in turn exposed some issues with how we were searching for
components which had previously gone unnoticed due to the original
issue.

There's also been the normal driver specific stuff and there's been what
looks like several batches of automated scanning for issues which have
generated quite a large set of smaller fixes for potential crashes and
missed error handling.
2019-01-18 15:17:17 +01:00
Takashi Iwai ce7f93e2bd ALSA: pcm: Make snd_pcm_suspend() local static
snd_pcm_suspend() is no longer called from outside, so let's make it
local static.  Also drop a superfluous NULL check there.

Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-15 17:48:23 +01:00
Takashi Iwai 3d21ef0b49 ALSA: pcm: Suspend streams globally via device type PM ops
Until now we rely on each driver calling snd_pcm_suspend*() explicitly
at its own PM handling.  However, this can be done far more easily by
setting the PM ops to each actual snd_pcm device object.

This patch adds the device_type object for PCM stream and assigns to
each PCM stream object.  The type contains only the PM ops for system
suspend; we don't need to deal with the resume in general.

The suspend hook simply calls snd_pcm_suspend_all() for the given PCM
streams.  This implies that the PM order is correctly put, i.e. PCM is
suspended before the main (or codec) driver, which should be true in
general.  If a special ordering is needed, you'd need to adjust the
device PM order manually later.

This patch introduces a new flag, snd_pcm.no_device_suspend, too.
With this flag set, the PCM device object won't invoke
snd_pcm_suspend_all() by itself.  This is needed for ASoC who wants to
manage the PM call orders in its serialized way, and the flag is set
in soc_new_pcm() as default.

For the non-ASoC world, we can get rid of the manual snd_pcm_suspend
calls.  This will be done in the later patches.

Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-15 17:46:36 +01:00
Linus Torvalds 96d4f267e4 Remove 'type' argument from access_ok() function
Nobody has actually used the type (VERIFY_READ vs VERIFY_WRITE) argument
of the user address range verification function since we got rid of the
old racy i386-only code to walk page tables by hand.

It existed because the original 80386 would not honor the write protect
bit when in kernel mode, so you had to do COW by hand before doing any
user access.  But we haven't supported that in a long time, and these
days the 'type' argument is a purely historical artifact.

A discussion about extending 'user_access_begin()' to do the range
checking resulted this patch, because there is no way we're going to
move the old VERIFY_xyz interface to that model.  And it's best done at
the end of the merge window when I've done most of my merges, so let's
just get this done once and for all.

This patch was mostly done with a sed-script, with manual fix-ups for
the cases that weren't of the trivial 'access_ok(VERIFY_xyz' form.

There were a couple of notable cases:

 - csky still had the old "verify_area()" name as an alias.

 - the iter_iov code had magical hardcoded knowledge of the actual
   values of VERIFY_{READ,WRITE} (not that they mattered, since nothing
   really used it)

 - microblaze used the type argument for a debug printout

but other than those oddities this should be a total no-op patch.

I tried to fix up all architectures, did fairly extensive grepping for
access_ok() uses, and the changes are trivial, but I may have missed
something.  Any missed conversion should be trivially fixable, though.

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-01-03 18:57:57 -08:00
Dan Carpenter 678e2b44c8
ALSA: compress: prevent potential divide by zero bugs
The problem is seen in the q6asm_dai_compr_set_params() function:

	ret = q6asm_map_memory_regions(dir, prtd->audio_client, prtd->phys,
				       (prtd->pcm_size / prtd->periods),
                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
				       prtd->periods);

In this code prtd->pcm_size is the buffer_size and prtd->periods comes
from params->buffer.fragments.  If we allow the number of fragments to
be zero then it results in a divide by zero bug.  One possible fix would
be to use prtd->pcm_count directly instead of using the division to
re-calculate it.  But I decided that it doesn't really make sense to
allow zero fragments.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
2019-01-03 16:32:57 +00:00
Takashi Iwai ed49e83919 ASoC: Updates for v4.21
Not much work on the core this time around but we've seen quite a bit of
 driver work, including on the generic DT drivers.  There's also a large
 part of the diff from a merge of the DaVinci and OMAP directories, along
 with some active development there:
 
  - Preparatory work from Morimoto-san for merging the audio-graph and
    audio-graph-scu cards.
  - A merge of the TI OMAP and DaVinci directories, the OMAP product line
    has been merged into the DaVinci product line so there is now a lot
    of IP sharing which meant that the split directories just got in the
    way.  This has pulled in a few architecture changes as well.
  - A big cleanup of the Maxim MAX9867 driver from Ladislav Michl.
  - Support for Asahi Kaesi AKM4118, AMD ACP3x, Intel platforms with
    RT5660, Meson AXG S/PDIF inputs, several Qualcomm IPs and Xilinx I2S
    controllers.
 -----BEGIN PGP SIGNATURE-----
 
 iQFHBAABCgAxFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAlwY7KsTHGJyb29uaWVA
 a2VybmVsLm9yZwAKCRAk1otyXVSH0MFqB/4m9nlfUeXTpiSD1FgVIlMmdPNUg4V2
 6Ybztaw4kRc5LuQN8PXQmaFLx020yAnLvI7Zzj7l3K8r6a9lfyFs+pKL0wtBnNK2
 9QEFmOVQ3QFpt31Yb2IQeO4dfNbiyKeczjLau4mXWTl0j5dc/UH+HasE1dRZOxsC
 rqJ8IsdibIVxVtQ7ZmcnU+y6XK0inBHAAh6ksMehsufShGrfrLs/nRBaXRZcRqJg
 ciSFY5uYRYkDxTgogTpNRfVy4nr17N10+0sgrQ3RtaaqgG3gBXsHca1meyxKYW3Q
 TssOJGIl3+uGiAMNyZqzxe5pAwwuGhZ3hAAAODtfYJQtAuAOW3/45Wqh
 =phWF
 -----END PGP SIGNATURE-----

Merge tag 'asoc-v4.21' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-next

ASoC: Updates for v4.21

Not much work on the core this time around but we've seen quite a bit of
driver work, including on the generic DT drivers.  There's also a large
part of the diff from a merge of the DaVinci and OMAP directories, along
with some active development there:

 - Preparatory work from Morimoto-san for merging the audio-graph and
   audio-graph-scu cards.
 - A merge of the TI OMAP and DaVinci directories, the OMAP product line
   has been merged into the DaVinci product line so there is now a lot
   of IP sharing which meant that the split directories just got in the
   way.  This has pulled in a few architecture changes as well.
 - A big cleanup of the Maxim MAX9867 driver from Ladislav Michl.
 - Support for Asahi Kaesi AKM4118, AMD ACP3x, Intel platforms with
   RT5660, Meson AXG S/PDIF inputs, several Qualcomm IPs and Xilinx I2S
   controllers.
2018-12-18 14:59:56 +01:00
Mark Brown a7a850dba8
Merge branch 'asoc-4.21' into asoc-next 2018-12-18 12:23:59 +00:00
Srinivas Kandagatla d00f749b00
ALSA: compress: make use of runtime buffer for copy
Default copy function uses kmalloc to allocate buffers, lets check
if the runtime buffers are setup before making this allocations.
This can be useful if the buffers are dma buffers.

Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Acked-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
2018-12-14 12:43:45 +00:00
Gustavo A. R. Silva 94ffb030b6 ALSA: pcm: Fix potential Spectre v1 vulnerability
stream is indirectly controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

sound/core/pcm.c:140 snd_pcm_control_ioctl() warn: potential spectre issue 'pcm->streams' [r] (local cap)

Fix this by sanitizing stream before using it to index pcm->streams

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Cc: stable@vger.kernel.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-12-13 09:14:33 +01:00
Takashi Iwai 2bff7e97eb Merge branch 'for-linus' into for-next
Back-merge for applying the more HD-audio quirks on top of the latest
code.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-12-07 11:40:04 +01:00
Chanho Min b888a5f713 ALSA: pcm: Fix starvation on down_write_nonblock()
Commit 67ec1072b0 ("ALSA: pcm: Fix rwsem deadlock for non-atomic PCM
stream") fixes deadlock for non-atomic PCM stream. But, This patch
causes antother stuck.
If writer is RT thread and reader is a normal thread, the reader
thread will be difficult to get scheduled. It may not give chance to
release readlocks and writer gets stuck for a long time if they are
pinned to single cpu.

The deadlock described in the previous commit is because the linux
rwsem queues like a FIFO. So, we might need non-FIFO writelock, not
non-block one.

My suggestion is that the writer gives reader a chance to be scheduled
by using the minimum msleep() instaed of spinning without blocking by
writer. Also, The *_nonblock may be changed to *_nonfifo appropriately
to this concept.
In terms of performance, when trylock is failed, this minimum periodic
msleep will have the same performance as the tick-based
schedule()/wake_up_q().

[ Although this has a fairly high performance penalty, the relevant
  code path became already rare due to the previous commit ("ALSA:
  pcm: Call snd_pcm_unlink() conditionally at closing").  That is, now
  this unconditional msleep appears only when using linked streams,
  and this must be a rare case.  So we accept this as a quick
  workaround until finding a more suitable one -- tiwai ]

Fixes: 67ec1072b0 ("ALSA: pcm: Fix rwsem deadlock for non-atomic PCM stream")
Suggested-by: Wonmin Jung <wonmin.jung@lge.com>
Signed-off-by: Chanho Min <chanho.min@lge.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-11-29 08:15:19 +01:00
Takashi Iwai b51abed835 ALSA: pcm: Call snd_pcm_unlink() conditionally at closing
Currently the PCM core calls snd_pcm_unlink() always unconditionally
at closing a stream.  However, since snd_pcm_unlink() invokes the
global rwsem down, the lock can be easily contended.  More badly, when
a thread runs in a high priority RT-FIFO, it may stall at spinning.

Basically the call of snd_pcm_unlink() is required only for the linked
streams that are already rare occasion.  For normal use cases, this
code path is fairly superfluous.

As an optimization (and also as a workaround for the RT problem
above in normal situations without linked streams), this patch adds a
check before calling snd_pcm_unlink() and calls it only when needed.

Reported-by: Chanho Min <chanho.min@lge.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-11-29 08:14:52 +01:00
Takashi Iwai 3103c08f96 ALSA: control: Consolidate helpers for adding and replacing ctl elements
Both snd_ctl_add() and snd_ctl_replace() process the things in a
fairly similar way, and indeed the most of the codes can be unified.

This patch is a refactoring to consolidate the both functions to call
a single helper with an extra "mode" argument.  There should be no
functional difference, except for one additional sanity check applied
now to snd_ctl_replace() (which was rather overlooking, IMO), too.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-11-24 20:04:10 +01:00
Takashi Iwai e1a7bfe380 ALSA: control: Fix race between adding and removing a user element
The procedure for adding a user control element has some window opened
for race against the concurrent removal of a user element.  This was
caught by syzkaller, hitting a KASAN use-after-free error.

This patch addresses the bug by wrapping the whole procedure to add a
user control element with the card->controls_rwsem, instead of only
around the increment of card->user_ctl_count.

This required a slight code refactoring, too.  The function
snd_ctl_add() is split to two parts: a core function to add the
control element and a part calling it.  The former is called from the
function for adding a user control element inside the controls_rwsem.

One change to be noted is that snd_ctl_notify() for adding a control
element gets called inside the controls_rwsem as well while it was
called outside the rwsem.  But this should be OK, as snd_ctl_notify()
takes another (finer) rwlock instead of rwsem, and the call of
snd_ctl_notify() inside rwsem is already done in another code path.

Reported-by: syzbot+dc09047bce3820621ba2@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-11-24 19:57:51 +01:00
Takashi Iwai 65766ee0bf ALSA: oss: Use kvzalloc() for local buffer allocations
PCM OSS layer may allocate a few temporary buffers, one for the core
read/write and another for the conversions via plugins.  Currently
both are allocated via vmalloc().  But as the allocation size is
equivalent with the PCM period size, the required size might be quite
small, depending on the application.

This patch replaces these vmalloc() calls with kvzalloc() for covering
small period sizes better.  Also, we use "z"-alloc variant here for
addressing the possible uninitialized access reported by syzkaller.

Reported-by: syzbot+1cb36954e127c98dd037@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-11-09 14:12:04 +01:00
Takashi Iwai e8c92251a8 ALSA: seq: oss: Use the standard fall-through annotation
As a preparatory patch for the upcoming -Wimplicit-fallthrough
compiler checks, replace with the standard "fall through" annotation.
Unfortunately gcc doesn't understand a chattier text.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-10-12 09:31:29 +02:00
Takashi Iwai 3c4cfa7bf6 ALSA: memalloc: Add fall-through annotation
As a preparatory patch for the upcoming -Wimplicit-fallthrough
compiler checks, add the "fall through" annotation in
snd_dma_alloc_pages().  Note that this seems necessary to be put
exactly before the next label, so it's outside the ifdef block.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-10-12 09:31:23 +02:00
Takashi Iwai 6aea5702e2 ALSA: rawmidi: A lightweight function to discard pending bytes
For discarding the pending bytes on rawmidi, we process with a loop of
snd_rawmidi_transmit() which is just a waste of CPU power.
Implement a lightweight API function to discard the pending bytes and
the proceed the ring buffer instantly, and use it instead of open
codes.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-10-04 20:13:17 +02:00
Ricardo Biehl Pasquali 64b6acf60b ALSA: pcm: Update hardware pointer before start capture
This ensures the transfer loop won't waste a run to read
the few frames (if any) between start and hw_ptr update.
It will wait for the next interrupt with wait_for_avail().

Signed-off-by: Ricardo Biehl Pasquali <pasqualirb@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-09-10 09:06:55 +02:00
Takashi Iwai 70f7922c25 Merge branch 'topic/pcm-indirect-fixes' into for-next
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-09-04 20:23:40 +02:00
Takashi Iwai 5a7b44a8df ALSA: rawmidi: Initialize allocated buffers
syzbot reported the uninitialized value exposure in certain situations
using virmidi loop.  It's likely a very small race at writing and
reading, and the influence is almost negligible.  But it's safer to
paper over this just by replacing the existing kvmalloc() with
kvzalloc().

Reported-by: syzbot+194dffdb8b22fc5d207a@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-09-03 15:16:43 +02:00
Takashi Iwai 42e748a0b3 ALSA: memalloc: Add non-cached buffer type
In some cases (mainly for x86), we need the DMA coherent buffer with
non-cached pages.  Although this has been done in each driver side
like HD-audio and intel8x0, it can be done cleaner in the core memory
allocator.

This patch adds the new types, SNDRV_DMA_TYPE_DEV_UC and
SNDRV_DMA_TYPE_DEV_UC_SG, for allocating such non-cached buffer
pages.  On non-x86 architectures, they work as same as the standard
SNDRV_DMA_TYPE_DEV and *_SG.

One additional change by this move is that we can assure to pass the
non-cached pgprot to the vmapped buffer, too.  It eventually fixes the
case like non-snoop mode without mmap access on HD-audio.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-08-28 13:56:47 +02:00
Takashi Iwai 28f3f4f685 ALSA: memalloc: Simplify snd_malloc_dev_pages() calls
snd_malloc_dev_pages() and snd_free_dev_pages() are local functions
and the parameters passed there are all contained in snd_dma_buffer
object.  As a code-simplification, pass snd_dma_buffer object and
assign the address there like other allocators do (except for
snd_malloc_pages() which is called from outside, hence we can't change
easily).

Only code refactoring, no functional changes.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-08-28 13:56:46 +02:00
Takashi Iwai 03486830c5 ALSA: memalloc: Don't align the size to power-of-two
The size passed to dma_alloc_coherent() doesn't have to be aligned
with power-of-two, rather it should be the raw size.  As a minor
optimization, remove the size adjustment in the current code.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-08-28 13:56:46 +02:00
Takashi Iwai b8e131542b ALSA: seq: Do error checks at creating system ports
snd_seq_system_client_init() doesn't check the errors returned from
its port creations.  Let's do it properly and handle the error paths.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-08-28 12:52:02 +02:00
Dan Carpenter c4f1957e14 ALSA: seq: add error check in snd_seq_system_client_init()
Static checkers complain that snd_seq_create_kernel_client() can return
-EBUSY here so we need to have some error handling.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-08-28 11:06:11 +02:00
Dan Carpenter 6f128fa41f ALSA: pcm: signedness bug in snd_pcm_plug_alloc()
The "frames" variable is unsigned so the error handling doesn't work
properly.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-08-27 11:28:40 +02:00
Ricardo Biehl Pasquali 62ba568f7a ALSA: pcm: Return 0 when size < start_threshold in capture
In __snd_pcm_lib_xfer(), when capture, if state is PREPARED
and size is less than start_threshold nothing can be done.
As there is no error, 0 is returned.

Signed-off-by: Ricardo Biehl Pasquali <pasqualirb@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-08-27 07:27:55 +02:00
Takashi Iwai 82fd4b05d7 ALSA: seq: virmidi: Fix discarding the unsubscribed output
The recent change to move the virmidi output processing to a work
slightly modified the code to discard the unsubscribed outputs so that
it works without a temporary buffer.  However, this is actually buggy,
and may spew a kernel warning due to the unexpected call of
snd_rawmidi_transmit_ack(), as triggered by syzbot.

This patch takes back to the original code in that part, use a
temporary buffer and simply repeat snd_rawmidi_transmit(), in order to
address the regression.

Fixes: f7debfe540 ("ALSA: seq: virmidi: Offload the output event processing")
Reported-by: syzbot+ec5f605c91812d200367@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-08-14 22:50:52 +02:00
Gustavo A. R. Silva eb2caeb88c ALSA: seq_oss: Mark expected switch fall-through
In preparation to enabling -Wimplicit-fallthrough, mark switch cases
where we are expecting to fall through.

Warning level 2 was used: -Wimplicit-fallthrough=2

Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-08-04 08:30:45 +02:00
Gustavo A. R. Silva 2f3b94e539 ALSA: seq: Mark expected switch fall-through
In preparation to enabling -Wimplicit-fallthrough, mark switch cases
where we are expecting to fall through.

Notice that in this particular case, I replaced the code comment with
a proper "fall through" annotation, which is what GCC is expecting
to find.

Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-08-04 08:30:36 +02:00
Takashi Iwai a640329989 ALSA: compress: Remove empty init and exit
For a sake of code simplification, remove the init and the exit
entries that do nothing.

Notes for readers: actually it's OK to remove *both* init and exit,
but not OK to remove the exit entry.  By removing only the exit while
keeping init, the module becomes permanently loaded; i.e. you cannot
unload it any longer!

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-08-03 16:11:23 +02:00
Takashi Iwai 93ce1b1296 ALSA: seq: Drop unused 64bit division macros
The old ugly macros remained in the code without usage.
Rip them off.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-08-01 22:54:37 +02:00
Takashi Iwai 04702e8d00 ALSA: seq: Use no intrruptible mutex_lock
All usages of mutex in ALSA sequencer core would take too long, hence
we don't have to care about the user interruption that makes things
complicated.  Let's replace them with simpler mutex_lock().

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-08-01 22:54:36 +02:00
Takashi Iwai 00976ad527 ALSA: seq: Fix leftovers at probe error path
The sequencer core module doesn't call some destructors in the error
path of the init code, which may leave some resources.

This patch mainly fix these leaks by calling the destructors
appropriately at alsa_seq_init().  Also the patch brings a few
cleanups along with it, namely:

- Expand the old "if ((err = xxx) < 0)" coding style
- Get rid of empty seq_queue_init() and its caller
- Change snd_seq_info_done() to void

Last but not least, a couple of functions lose __exit annotation since
they are called also in alsa_seq_init().

No functional changes but minor code cleanups.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-08-01 22:54:36 +02:00
Takashi Iwai fc4bfd9a35 ALSA: seq: Remove dead codes
There are a few functions that have been commented out for ages.
And also there are functions that do nothing but placeholders.
Let's kill them.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-08-01 22:54:35 +02:00
Takashi Iwai ef965ad5a7 ALSA: seq: Minor cleanup of MIDI event parser helpers
snd_midi_event_encode_byte() can never fail, and it can return rather
true/false.  Change the return type to bool, adjust the argument to
receive a MIDI byte as unsigned char, and adjust the comment
accordingly.  This allows callers to drop error checks, which
simplifies the code.

Meanwhile, snd_midi_event_encode() helper is used only in seq_midi.c,
and it can be better folded into it.  This will reduce the total
amount of lines in the end.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-08-01 22:54:35 +02:00
Gustavo A. R. Silva 5a6cd13d4f ALSA: pcm: Mark expected switch fall-through
In preparation to enabling -Wimplicit-fallthrough, mark switch cases
where we are expecting to fall through.

Addresses-Coverity-ID: 1357375 ("Missing break in switch")
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-08-01 18:13:04 +02:00
Takashi Iwai 89b4ab213f ALSA: seq: virmidi: Use READ_ONCE/WRITE_ONCE() macros
The trigger flag in vmidi object can be referred in different contexts
concurrently, hence it's better to be put with READ_ONCE() and
WRITE_ONCE() macros to assure the accesses.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-07-30 14:52:30 +02:00
Takashi Iwai f7debfe540 ALSA: seq: virmidi: Offload the output event processing
The virmidi sequencer stuff tries to translate the rawmidi bytes to
sequencer events and deliver the packets at trigger callback.  The
amount of the whole process of these translations and deliveries
depends on the incoming rawmidi bytes, and we have no limit for that;
this was the cause of a CPU soft lockup that had been reported and
fixed recently.

Although we've fixed the soft lockup by putting the temporary unlock
and cond_resched(), it's rather a quick band aid.  In this patch,
meanwhile, the event parsing and delivery process is offloaded to a
dedicated work, and the trigger callback just kicks it off.  It has
three merits, at least:

- The processing is always done in a sleepable context, which can
  assure the event delivery with non-atomic flag without hackish
  is_atomic() usage.

- Other relevant codes can be simplified, reducing the lines

- It makes me happier

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-07-30 14:51:51 +02:00
Takashi Iwai 16c796e8fa Merge branch 'for-linus' into topic/virmidi
Pull the latest ALSA sequencer fixes for the further development of
virmidi.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-07-29 22:39:29 +02:00
Takashi Iwai f8b6c0cfbd ALSA: pcm: Fix sparse warning wrt PCM format type
The PCM format type is with __bitwise, hence it needs the explicit
cast with __force.  It's ugly, but there is a reason for that cost...

This fixes the sparse warning:
  sound/core/oss/pcm_oss.c:1854:55: warning: incorrect type in argument 1 (different base types)

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-07-27 09:05:27 +02:00
Takashi Iwai 50e9ffb199 ALSA: virmidi: Fix too long output trigger loop
The virmidi output trigger tries to parse the all available bytes and
process sequencer events as much as possible.  In a normal situation,
this is supposed to be relatively short, but a program may give a huge
buffer and it'll take a long time in a single spin lock, which may
eventually lead to a soft lockup.

This patch simply adds a workaround, a cond_resched() call in the loop
if applicable.  A better solution would be to move the event processor
into a work, but let's put a duct-tape quickly at first.

Reported-and-tested-by: Dae R. Jeong <threeearcat@gmail.com>
Reported-by: syzbot+619d9f40141d826b097e@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-07-27 08:59:25 +02:00
Takashi Iwai 191bb51e72 ALSA: pcm: Use standard lower_32_bits() and upper_32_bits()
Instead of open codes, use the standard macros for obtaining the lower
and upper 32bit values.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-07-26 08:32:31 +02:00
Takashi Iwai a49a71f6e2 ALSA: seq: Fix poll() error return
The sanity checks in ALSA sequencer and OSS sequencer emulation codes
return falsely -ENXIO from poll callback.  They should be EPOLLERR
instead.

This was caught thanks to the recent change to the return value.

Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-07-26 08:23:26 +02:00
Takashi Iwai dfef01e150 ALSA: memalloc: Don't exceed over the requested size
snd_dma_alloc_pages_fallback() tries to allocate pages again when the
allocation fails with reduced size.  But the first try actually
*increases* the size to power-of-two, which may give back a larger
chunk than the requested size.  This confuses the callers, e.g. sgbuf
assumes that the size is equal or less, and it may result in a bad
loop due to the underflow and eventually lead to Oops.

The code of this function seems incorrectly assuming the usage of
get_order().  We need to decrease at first, then align to
power-of-two.

Reported-and-tested-by: he, bo <bo.he@intel.com>
Reported-by: zhang jun <jun.zhang@intel.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-07-23 09:06:33 +02:00
Srikanth K H d10ee9c542 ALSA: timer: catch invalid timer object creation
A timer object for the classes SNDRV_TIMER_CLASS_CARD and
SNDRV_TIMER_CLASS_PCM has to be associated with a card object, but we
have no check at creation time.  Such a timer object with NULL card
causes various unexpected problems, e.g. NULL dereference at reading
the sound timer proc file.

So as preventive measure while the creating the sound timer object is
created the card information availability is checked for the mentioned
entries and returned error if its NULL.

Signed-off-by: Srikanth K H <srikanth.h@samsung.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-07-22 10:42:41 +02:00
Takashi Iwai ef4db239cd ALSA: rawmidi: Use kvmalloc() for buffers
The size of in-kernel rawmidi buffers may be big up to 1MB, and it can
be specified freely by user-space; which implies that user-space may
trigger kmalloc() errors frequently.

This patch replaces the buffer allocation via kvmalloc() for dealing
with bigger buffers gracefully.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-07-18 07:47:57 +02:00
Takashi Iwai f5beb598b0 ALSA: rawmidi: Minor code refactoring
Unify a few open codes with helper functions to improve the
readability.  Minor behavior changes (rather fixes) are:
- runtime->drain clearance is done within lock
- active_sensing is updated before resizing buffer in
  SNDRV_RAWMIDI_IOCTL_PARAMS ioctl.
Other than that, simply code cleanups.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-07-17 23:07:29 +02:00
Takashi Iwai 7fdc9b0807 ALSA: rawmidi: Simplify error paths
Apply the standard idiom: rewrite the multiple unlocks in error paths
in the goto-error-and-single-unlock way.

Just a code refactoring, and no functional changes.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-07-17 22:48:38 +02:00
Takashi Iwai 5bed913972 ALSA: rawmidi: Tidy up coding styles
Just minor coding style fixes like removal of superfluous white space,
adding missing blank lines, etc.  No actual code changes at all.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-07-17 22:37:07 +02:00
Takashi Iwai ed6b83d2d1 Merge branch 'for-linus' into for-next
Back-merge for further cleanup / improvements on rawmidi and HD-audio
stuff.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-07-17 22:27:03 +02:00
Takashi Iwai 39675f7a7c ALSA: rawmidi: Change resized buffers atomically
The SNDRV_RAWMIDI_IOCTL_PARAMS ioctl may resize the buffers and the
current code is racy.  For example, the sequencer client may write to
buffer while it being resized.

As a simple workaround, let's switch to the resized buffer inside the
stream runtime lock.

Reported-by: syzbot+52f83f0ea8df16932f7f@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-07-17 17:33:17 +02:00
Timo Wischer ff2d6acdf6 ALSA: pcm: Fix snd_interval_refine first/last with open min/max
Without this commit the following intervals [x y), (x y) were be
replaced to (y-1 y) by snd_interval_refine_last(). This was also done
if y-1 is part of the previous interval.
With this changes it will be replaced with [y-1 y) in case of y-1 is
part of the previous interval. A similar behavior will be used for
snd_interval_refine_first().

This commit adapts the changes for alsa-lib of commit
9bb985c ("pcm: snd_interval_refine_first/last: exclude value only if
also excluded before")

Signed-off-by: Timo Wischer <twischer@de.adit-jv.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-07-11 08:49:59 +02:00
Liam Girdwood d64c5cf8e8 ALSA: pcm: Allow drivers to set R/W wait time.
Currently ALSA core blocks userspace for about 10 seconds for PCM R/W IO.
This needs to be configurable for modern hardware like DSPs where no
pointer update in milliseconds can indicate terminal DSP errors.

Add a substream variable to set the wait time in ms. This allows userspace
and drivers to recover more quickly from terminal DSP errors.

Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-07-06 15:00:25 +02:00
Takashi Iwai e647f5a5c5 ALSA: pcm: Use snd_pcm_stop_xrun() for xrun injection
Basically the xrun injection routine can simply call the standard
helper snd_pcm_stop_xrun(), but with one exception: it may be called
even when the stream is closed.

Make snd_pcm_stop_xrun() more robust and check the NULL runtime state,
and simplify xrun injection code by calling it.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-07-04 15:34:59 +02:00
Takashi Iwai 9cd641ed31 ALSA: pcm: trace XRUN event at injection, too
The PCM xrun injection triggers directly snd_pcm_stop() without the
standard xrun handler, hence it's not recorded on the event buffer.
Ditto for snd_pcm_stop_xrun() call and SNDRV_PCM_IOCTL_XRUN ioctl.
They are inconvenient from the debugging POV.

Let's make them to trigger XRUN via the standard helper more
consistently.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-07-04 15:34:57 +02:00
Takashi Iwai c9a4c63888 ALSA: seq: Fix UBSAN warning at SNDRV_SEQ_IOCTL_QUERY_NEXT_CLIENT ioctl
The kernel may spew a WARNING with UBSAN undefined behavior at
handling ALSA sequencer ioctl SNDRV_SEQ_IOCTL_QUERY_NEXT_CLIENT:

UBSAN: Undefined behaviour in sound/core/seq/seq_clientmgr.c:2007:14
signed integer overflow:
2147483647 + 1 cannot be represented in type 'int'
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x122/0x1c8 lib/dump_stack.c:113
 ubsan_epilogue+0x12/0x86 lib/ubsan.c:159
 handle_overflow+0x1c2/0x21f lib/ubsan.c:190
  __ubsan_handle_add_overflow+0x2a/0x31 lib/ubsan.c:198
 snd_seq_ioctl_query_next_client+0x1ac/0x1d0 sound/core/seq/seq_clientmgr.c:2007
 snd_seq_ioctl+0x264/0x3d0 sound/core/seq/seq_clientmgr.c:2144
 ....

It happens only when INT_MAX is passed there, as we're incrementing it
unconditionally.  So the fix is trivial, check the value with
INT_MAX.  Although the bug itself is fairly harmless, it's better to
fix it so that fuzzers won't hit this again later.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200211
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-06-25 11:18:04 +02:00
Takashi Iwai b41f794f28 ALSA: timer: Fix UBSAN warning at SNDRV_TIMER_IOCTL_NEXT_DEVICE ioctl
The kernel may spew a WARNING about UBSAN undefined behavior at
handling ALSA timer ioctl SNDRV_TIMER_IOCTL_NEXT_DEVICE:

UBSAN: Undefined behaviour in sound/core/timer.c:1524:19
signed integer overflow:
2147483647 + 1 cannot be represented in type 'int'
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x122/0x1c8 lib/dump_stack.c:113
 ubsan_epilogue+0x12/0x86 lib/ubsan.c:159
 handle_overflow+0x1c2/0x21f lib/ubsan.c:190
 __ubsan_handle_add_overflow+0x2a/0x31 lib/ubsan.c:198
 snd_timer_user_next_device sound/core/timer.c:1524 [inline]
 __snd_timer_user_ioctl+0x204d/0x2520 sound/core/timer.c:1939
 snd_timer_user_ioctl+0x67/0x95 sound/core/timer.c:1994
 ....

It happens only when a value with INT_MAX is passed, as we're
incrementing it unconditionally.  So the fix is trivial, check the
value with INT_MAX.  Although the bug itself is fairly harmless, it's
better to fix it so that fuzzers won't hit this again later.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200213
Reported-and-tested-by: Team OWL337 <icytxw@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-06-25 11:17:01 +02:00
Mauro Carvalho Chehab 5fb94e9ca3 docs: Fix some broken references
As we move stuff around, some doc references are broken. Fix some of
them via this script:
	./scripts/documentation-file-ref-check --fix

Manually checked if the produced result is valid, removing a few
false-positives.

Acked-by: Takashi Iwai <tiwai@suse.de>
Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
Acked-by: Stephen Boyd <sboyd@kernel.org>
Acked-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
Acked-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Reviewed-by: Coly Li <colyli@suse.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Acked-by: Jonathan Corbet <corbet@lwn.net>
2018-06-15 18:10:01 -03:00
Kees Cook 42bc47b353 treewide: Use array_size() in vmalloc()
The vmalloc() function has no 2-factor argument form, so multiplication
factors need to be wrapped in array_size(). This patch replaces cases of:

        vmalloc(a * b)

with:
        vmalloc(array_size(a, b))

as well as handling cases of:

        vmalloc(a * b * c)

with:

        vmalloc(array3_size(a, b, c))

This does, however, attempt to ignore constant size factors like:

        vmalloc(4 * 1024)

though any constants defined via macros get caught up in the conversion.

Any factors with a sizeof() of "unsigned char", "char", and "u8" were
dropped, since they're redundant.

The Coccinelle script used for this was:

// Fix redundant parens around sizeof().
@@
type TYPE;
expression THING, E;
@@

(
  vmalloc(
-	(sizeof(TYPE)) * E
+	sizeof(TYPE) * E
  , ...)
|
  vmalloc(
-	(sizeof(THING)) * E
+	sizeof(THING) * E
  , ...)
)

// Drop single-byte sizes and redundant parens.
@@
expression COUNT;
typedef u8;
typedef __u8;
@@

(
  vmalloc(
-	sizeof(u8) * (COUNT)
+	COUNT
  , ...)
|
  vmalloc(
-	sizeof(__u8) * (COUNT)
+	COUNT
  , ...)
|
  vmalloc(
-	sizeof(char) * (COUNT)
+	COUNT
  , ...)
|
  vmalloc(
-	sizeof(unsigned char) * (COUNT)
+	COUNT
  , ...)
|
  vmalloc(
-	sizeof(u8) * COUNT
+	COUNT
  , ...)
|
  vmalloc(
-	sizeof(__u8) * COUNT
+	COUNT
  , ...)
|
  vmalloc(
-	sizeof(char) * COUNT
+	COUNT
  , ...)
|
  vmalloc(
-	sizeof(unsigned char) * COUNT
+	COUNT
  , ...)
)

// 2-factor product with sizeof(type/expression) and identifier or constant.
@@
type TYPE;
expression THING;
identifier COUNT_ID;
constant COUNT_CONST;
@@

(
  vmalloc(
-	sizeof(TYPE) * (COUNT_ID)
+	array_size(COUNT_ID, sizeof(TYPE))
  , ...)
|
  vmalloc(
-	sizeof(TYPE) * COUNT_ID
+	array_size(COUNT_ID, sizeof(TYPE))
  , ...)
|
  vmalloc(
-	sizeof(TYPE) * (COUNT_CONST)
+	array_size(COUNT_CONST, sizeof(TYPE))
  , ...)
|
  vmalloc(
-	sizeof(TYPE) * COUNT_CONST
+	array_size(COUNT_CONST, sizeof(TYPE))
  , ...)
|
  vmalloc(
-	sizeof(THING) * (COUNT_ID)
+	array_size(COUNT_ID, sizeof(THING))
  , ...)
|
  vmalloc(
-	sizeof(THING) * COUNT_ID
+	array_size(COUNT_ID, sizeof(THING))
  , ...)
|
  vmalloc(
-	sizeof(THING) * (COUNT_CONST)
+	array_size(COUNT_CONST, sizeof(THING))
  , ...)
|
  vmalloc(
-	sizeof(THING) * COUNT_CONST
+	array_size(COUNT_CONST, sizeof(THING))
  , ...)
)

// 2-factor product, only identifiers.
@@
identifier SIZE, COUNT;
@@

  vmalloc(
-	SIZE * COUNT
+	array_size(COUNT, SIZE)
  , ...)

// 3-factor product with 1 sizeof(type) or sizeof(expression), with
// redundant parens removed.
@@
expression THING;
identifier STRIDE, COUNT;
type TYPE;
@@

(
  vmalloc(
-	sizeof(TYPE) * (COUNT) * (STRIDE)
+	array3_size(COUNT, STRIDE, sizeof(TYPE))
  , ...)
|
  vmalloc(
-	sizeof(TYPE) * (COUNT) * STRIDE
+	array3_size(COUNT, STRIDE, sizeof(TYPE))
  , ...)
|
  vmalloc(
-	sizeof(TYPE) * COUNT * (STRIDE)
+	array3_size(COUNT, STRIDE, sizeof(TYPE))
  , ...)
|
  vmalloc(
-	sizeof(TYPE) * COUNT * STRIDE
+	array3_size(COUNT, STRIDE, sizeof(TYPE))
  , ...)
|
  vmalloc(
-	sizeof(THING) * (COUNT) * (STRIDE)
+	array3_size(COUNT, STRIDE, sizeof(THING))
  , ...)
|
  vmalloc(
-	sizeof(THING) * (COUNT) * STRIDE
+	array3_size(COUNT, STRIDE, sizeof(THING))
  , ...)
|
  vmalloc(
-	sizeof(THING) * COUNT * (STRIDE)
+	array3_size(COUNT, STRIDE, sizeof(THING))
  , ...)
|
  vmalloc(
-	sizeof(THING) * COUNT * STRIDE
+	array3_size(COUNT, STRIDE, sizeof(THING))
  , ...)
)

// 3-factor product with 2 sizeof(variable), with redundant parens removed.
@@
expression THING1, THING2;
identifier COUNT;
type TYPE1, TYPE2;
@@

(
  vmalloc(
-	sizeof(TYPE1) * sizeof(TYPE2) * COUNT
+	array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2))
  , ...)
|
  vmalloc(
-	sizeof(TYPE1) * sizeof(THING2) * (COUNT)
+	array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2))
  , ...)
|
  vmalloc(
-	sizeof(THING1) * sizeof(THING2) * COUNT
+	array3_size(COUNT, sizeof(THING1), sizeof(THING2))
  , ...)
|
  vmalloc(
-	sizeof(THING1) * sizeof(THING2) * (COUNT)
+	array3_size(COUNT, sizeof(THING1), sizeof(THING2))
  , ...)
|
  vmalloc(
-	sizeof(TYPE1) * sizeof(THING2) * COUNT
+	array3_size(COUNT, sizeof(TYPE1), sizeof(THING2))
  , ...)
|
  vmalloc(
-	sizeof(TYPE1) * sizeof(THING2) * (COUNT)
+	array3_size(COUNT, sizeof(TYPE1), sizeof(THING2))
  , ...)
)

// 3-factor product, only identifiers, with redundant parens removed.
@@
identifier STRIDE, SIZE, COUNT;
@@

(
  vmalloc(
-	(COUNT) * STRIDE * SIZE
+	array3_size(COUNT, STRIDE, SIZE)
  , ...)
|
  vmalloc(
-	COUNT * (STRIDE) * SIZE
+	array3_size(COUNT, STRIDE, SIZE)
  , ...)
|
  vmalloc(
-	COUNT * STRIDE * (SIZE)
+	array3_size(COUNT, STRIDE, SIZE)
  , ...)
|
  vmalloc(
-	(COUNT) * (STRIDE) * SIZE
+	array3_size(COUNT, STRIDE, SIZE)
  , ...)
|
  vmalloc(
-	COUNT * (STRIDE) * (SIZE)
+	array3_size(COUNT, STRIDE, SIZE)
  , ...)
|
  vmalloc(
-	(COUNT) * STRIDE * (SIZE)
+	array3_size(COUNT, STRIDE, SIZE)
  , ...)
|
  vmalloc(
-	(COUNT) * (STRIDE) * (SIZE)
+	array3_size(COUNT, STRIDE, SIZE)
  , ...)
|
  vmalloc(
-	COUNT * STRIDE * SIZE
+	array3_size(COUNT, STRIDE, SIZE)
  , ...)
)

// Any remaining multi-factor products, first at least 3-factor products
// when they're not all constants...
@@
expression E1, E2, E3;
constant C1, C2, C3;
@@

(
  vmalloc(C1 * C2 * C3, ...)
|
  vmalloc(
-	E1 * E2 * E3
+	array3_size(E1, E2, E3)
  , ...)
)

// And then all remaining 2 factors products when they're not all constants.
@@
expression E1, E2;
constant C1, C2;
@@

(
  vmalloc(C1 * C2, ...)
|
  vmalloc(
-	E1 * E2
+	array_size(E1, E2)
  , ...)
)

Signed-off-by: Kees Cook <keescook@chromium.org>
2018-06-12 16:19:22 -07:00
Kees Cook 6da2ec5605 treewide: kmalloc() -> kmalloc_array()
The kmalloc() function has a 2-factor argument form, kmalloc_array(). This
patch replaces cases of:

        kmalloc(a * b, gfp)

with:
        kmalloc_array(a * b, gfp)

as well as handling cases of:

        kmalloc(a * b * c, gfp)

with:

        kmalloc(array3_size(a, b, c), gfp)

as it's slightly less ugly than:

        kmalloc_array(array_size(a, b), c, gfp)

This does, however, attempt to ignore constant size factors like:

        kmalloc(4 * 1024, gfp)

though any constants defined via macros get caught up in the conversion.

Any factors with a sizeof() of "unsigned char", "char", and "u8" were
dropped, since they're redundant.

The tools/ directory was manually excluded, since it has its own
implementation of kmalloc().

The Coccinelle script used for this was:

// Fix redundant parens around sizeof().
@@
type TYPE;
expression THING, E;
@@

(
  kmalloc(
-	(sizeof(TYPE)) * E
+	sizeof(TYPE) * E
  , ...)
|
  kmalloc(
-	(sizeof(THING)) * E
+	sizeof(THING) * E
  , ...)
)

// Drop single-byte sizes and redundant parens.
@@
expression COUNT;
typedef u8;
typedef __u8;
@@

(
  kmalloc(
-	sizeof(u8) * (COUNT)
+	COUNT
  , ...)
|
  kmalloc(
-	sizeof(__u8) * (COUNT)
+	COUNT
  , ...)
|
  kmalloc(
-	sizeof(char) * (COUNT)
+	COUNT
  , ...)
|
  kmalloc(
-	sizeof(unsigned char) * (COUNT)
+	COUNT
  , ...)
|
  kmalloc(
-	sizeof(u8) * COUNT
+	COUNT
  , ...)
|
  kmalloc(
-	sizeof(__u8) * COUNT
+	COUNT
  , ...)
|
  kmalloc(
-	sizeof(char) * COUNT
+	COUNT
  , ...)
|
  kmalloc(
-	sizeof(unsigned char) * COUNT
+	COUNT
  , ...)
)

// 2-factor product with sizeof(type/expression) and identifier or constant.
@@
type TYPE;
expression THING;
identifier COUNT_ID;
constant COUNT_CONST;
@@

(
- kmalloc
+ kmalloc_array
  (
-	sizeof(TYPE) * (COUNT_ID)
+	COUNT_ID, sizeof(TYPE)
  , ...)
|
- kmalloc
+ kmalloc_array
  (
-	sizeof(TYPE) * COUNT_ID
+	COUNT_ID, sizeof(TYPE)
  , ...)
|
- kmalloc
+ kmalloc_array
  (
-	sizeof(TYPE) * (COUNT_CONST)
+	COUNT_CONST, sizeof(TYPE)
  , ...)
|
- kmalloc
+ kmalloc_array
  (
-	sizeof(TYPE) * COUNT_CONST
+	COUNT_CONST, sizeof(TYPE)
  , ...)
|
- kmalloc
+ kmalloc_array
  (
-	sizeof(THING) * (COUNT_ID)
+	COUNT_ID, sizeof(THING)
  , ...)
|
- kmalloc
+ kmalloc_array
  (
-	sizeof(THING) * COUNT_ID
+	COUNT_ID, sizeof(THING)
  , ...)
|
- kmalloc
+ kmalloc_array
  (
-	sizeof(THING) * (COUNT_CONST)
+	COUNT_CONST, sizeof(THING)
  , ...)
|
- kmalloc
+ kmalloc_array
  (
-	sizeof(THING) * COUNT_CONST
+	COUNT_CONST, sizeof(THING)
  , ...)
)

// 2-factor product, only identifiers.
@@
identifier SIZE, COUNT;
@@

- kmalloc
+ kmalloc_array
  (
-	SIZE * COUNT
+	COUNT, SIZE
  , ...)

// 3-factor product with 1 sizeof(type) or sizeof(expression), with
// redundant parens removed.
@@
expression THING;
identifier STRIDE, COUNT;
type TYPE;
@@

(
  kmalloc(
-	sizeof(TYPE) * (COUNT) * (STRIDE)
+	array3_size(COUNT, STRIDE, sizeof(TYPE))
  , ...)
|
  kmalloc(
-	sizeof(TYPE) * (COUNT) * STRIDE
+	array3_size(COUNT, STRIDE, sizeof(TYPE))
  , ...)
|
  kmalloc(
-	sizeof(TYPE) * COUNT * (STRIDE)
+	array3_size(COUNT, STRIDE, sizeof(TYPE))
  , ...)
|
  kmalloc(
-	sizeof(TYPE) * COUNT * STRIDE
+	array3_size(COUNT, STRIDE, sizeof(TYPE))
  , ...)
|
  kmalloc(
-	sizeof(THING) * (COUNT) * (STRIDE)
+	array3_size(COUNT, STRIDE, sizeof(THING))
  , ...)
|
  kmalloc(
-	sizeof(THING) * (COUNT) * STRIDE
+	array3_size(COUNT, STRIDE, sizeof(THING))
  , ...)
|
  kmalloc(
-	sizeof(THING) * COUNT * (STRIDE)
+	array3_size(COUNT, STRIDE, sizeof(THING))
  , ...)
|
  kmalloc(
-	sizeof(THING) * COUNT * STRIDE
+	array3_size(COUNT, STRIDE, sizeof(THING))
  , ...)
)

// 3-factor product with 2 sizeof(variable), with redundant parens removed.
@@
expression THING1, THING2;
identifier COUNT;
type TYPE1, TYPE2;
@@

(
  kmalloc(
-	sizeof(TYPE1) * sizeof(TYPE2) * COUNT
+	array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2))
  , ...)
|
  kmalloc(
-	sizeof(TYPE1) * sizeof(THING2) * (COUNT)
+	array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2))
  , ...)
|
  kmalloc(
-	sizeof(THING1) * sizeof(THING2) * COUNT
+	array3_size(COUNT, sizeof(THING1), sizeof(THING2))
  , ...)
|
  kmalloc(
-	sizeof(THING1) * sizeof(THING2) * (COUNT)
+	array3_size(COUNT, sizeof(THING1), sizeof(THING2))
  , ...)
|
  kmalloc(
-	sizeof(TYPE1) * sizeof(THING2) * COUNT
+	array3_size(COUNT, sizeof(TYPE1), sizeof(THING2))
  , ...)
|
  kmalloc(
-	sizeof(TYPE1) * sizeof(THING2) * (COUNT)
+	array3_size(COUNT, sizeof(TYPE1), sizeof(THING2))
  , ...)
)

// 3-factor product, only identifiers, with redundant parens removed.
@@
identifier STRIDE, SIZE, COUNT;
@@

(
  kmalloc(
-	(COUNT) * STRIDE * SIZE
+	array3_size(COUNT, STRIDE, SIZE)
  , ...)
|
  kmalloc(
-	COUNT * (STRIDE) * SIZE
+	array3_size(COUNT, STRIDE, SIZE)
  , ...)
|
  kmalloc(
-	COUNT * STRIDE * (SIZE)
+	array3_size(COUNT, STRIDE, SIZE)
  , ...)
|
  kmalloc(
-	(COUNT) * (STRIDE) * SIZE
+	array3_size(COUNT, STRIDE, SIZE)
  , ...)
|
  kmalloc(
-	COUNT * (STRIDE) * (SIZE)
+	array3_size(COUNT, STRIDE, SIZE)
  , ...)
|
  kmalloc(
-	(COUNT) * STRIDE * (SIZE)
+	array3_size(COUNT, STRIDE, SIZE)
  , ...)
|
  kmalloc(
-	(COUNT) * (STRIDE) * (SIZE)
+	array3_size(COUNT, STRIDE, SIZE)
  , ...)
|
  kmalloc(
-	COUNT * STRIDE * SIZE
+	array3_size(COUNT, STRIDE, SIZE)
  , ...)
)

// Any remaining multi-factor products, first at least 3-factor products,
// when they're not all constants...
@@
expression E1, E2, E3;
constant C1, C2, C3;
@@

(
  kmalloc(C1 * C2 * C3, ...)
|
  kmalloc(
-	(E1) * E2 * E3
+	array3_size(E1, E2, E3)
  , ...)
|
  kmalloc(
-	(E1) * (E2) * E3
+	array3_size(E1, E2, E3)
  , ...)
|
  kmalloc(
-	(E1) * (E2) * (E3)
+	array3_size(E1, E2, E3)
  , ...)
|
  kmalloc(
-	E1 * E2 * E3
+	array3_size(E1, E2, E3)
  , ...)
)

// And then all remaining 2 factors products when they're not all constants,
// keeping sizeof() as the second factor argument.
@@
expression THING, E1, E2;
type TYPE;
constant C1, C2, C3;
@@

(
  kmalloc(sizeof(THING) * C2, ...)
|
  kmalloc(sizeof(TYPE) * C2, ...)
|
  kmalloc(C1 * C2 * C3, ...)
|
  kmalloc(C1 * C2, ...)
|
- kmalloc
+ kmalloc_array
  (
-	sizeof(TYPE) * (E2)
+	E2, sizeof(TYPE)
  , ...)
|
- kmalloc
+ kmalloc_array
  (
-	sizeof(TYPE) * E2
+	E2, sizeof(TYPE)
  , ...)
|
- kmalloc
+ kmalloc_array
  (
-	sizeof(THING) * (E2)
+	E2, sizeof(THING)
  , ...)
|
- kmalloc
+ kmalloc_array
  (
-	sizeof(THING) * E2
+	E2, sizeof(THING)
  , ...)
|
- kmalloc
+ kmalloc_array
  (
-	(E1) * E2
+	E1, E2
  , ...)
|
- kmalloc
+ kmalloc_array
  (
-	(E1) * (E2)
+	E1, E2
  , ...)
|
- kmalloc
+ kmalloc_array
  (
-	E1 * E2
+	E1, E2
  , ...)
)

Signed-off-by: Kees Cook <keescook@chromium.org>
2018-06-12 16:19:22 -07:00
Linus Torvalds 2857676045 - Introduce arithmetic overflow test helper functions (Rasmus)
- Use overflow helpers in 2-factor allocators (Kees, Rasmus)
 - Introduce overflow test module (Rasmus, Kees)
 - Introduce saturating size helper functions (Matthew, Kees)
 - Treewide use of struct_size() for allocators (Kees)
 -----BEGIN PGP SIGNATURE-----
 Comment: Kees Cook <kees@outflux.net>
 
 iQJKBAABCgA0FiEEpcP2jyKd1g9yPm4TiXL039xtwCYFAlsYJ1gWHGtlZXNjb29r
 QGNocm9taXVtLm9yZwAKCRCJcvTf3G3AJlCTEACwdEeriAd2VwxknnsstojGD/3g
 8TTFA19vSu4Gxa6WiDkjGoSmIlfhXTlZo1Nlmencv16ytSvIVDNLUIB3uDxUIv1J
 2+dyHML9JpXYHHR7zLXXnGFJL0wazqjbsD3NYQgXqmun7EVVYnOsAlBZ7h/Lwiej
 jzEJd8DaHT3TA586uD3uggiFvQU0yVyvkDCDONIytmQx+BdtGdg9TYCzkBJaXuDZ
 YIthyKDvxIw5nh/UaG3L+SKo73tUr371uAWgAfqoaGQQCWe+mxnWL4HkCKsjFzZL
 u9ouxxF/n6pij3E8n6rb0i2fCzlsTDdDF+aqV1rQ4I4hVXCFPpHUZgjDPvBWbj7A
 m6AfRHVNnOgI8HGKqBGOfViV+2kCHlYeQh3pPW33dWzy/4d/uq9NIHKxE63LH+S4
 bY3oO2ela8oxRyvEgXLjqmRYGW1LB/ZU7FS6Rkx2gRzo4k8Rv+8K/KzUHfFVRX61
 jEbiPLzko0xL9D53kcEn0c+BhofK5jgeSWxItdmfuKjLTW4jWhLRlU+bcUXb6kSS
 S3G6aF+L+foSUwoq63AS8QxCuabuhreJSB+BmcGUyjthCbK/0WjXYC6W/IJiRfBa
 3ZTxBC/2vP3uq/AGRNh5YZoxHL8mSxDfn62F+2cqlJTTKR/O+KyDb1cusyvk3H04
 KCDVLYPxwQQqK1Mqig==
 =/3L8
 -----END PGP SIGNATURE-----

Merge tag 'overflow-v4.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

Pull overflow updates from Kees Cook:
 "This adds the new overflow checking helpers and adds them to the
  2-factor argument allocators. And this adds the saturating size
  helpers and does a treewide replacement for the struct_size() usage.
  Additionally this adds the overflow testing modules to make sure
  everything works.

  I'm still working on the treewide replacements for allocators with
  "simple" multiplied arguments:

     *alloc(a * b, ...) -> *alloc_array(a, b, ...)

  and

     *zalloc(a * b, ...) -> *calloc(a, b, ...)

  as well as the more complex cases, but that's separable from this
  portion of the series. I expect to have the rest sent before -rc1
  closes; there are a lot of messy cases to clean up.

  Summary:

   - Introduce arithmetic overflow test helper functions (Rasmus)

   - Use overflow helpers in 2-factor allocators (Kees, Rasmus)

   - Introduce overflow test module (Rasmus, Kees)

   - Introduce saturating size helper functions (Matthew, Kees)

   - Treewide use of struct_size() for allocators (Kees)"

* tag 'overflow-v4.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
  treewide: Use struct_size() for devm_kmalloc() and friends
  treewide: Use struct_size() for vmalloc()-family
  treewide: Use struct_size() for kmalloc()-family
  device: Use overflow helpers for devm_kmalloc()
  mm: Use overflow helpers in kvmalloc()
  mm: Use overflow helpers in kmalloc_array*()
  test_overflow: Add memory allocation overflow tests
  overflow.h: Add allocation size calculation helpers
  test_overflow: Report test failures
  test_overflow: macrofy some more, do more tests for free
  lib: add runtime test of check_*_overflow functions
  compiler.h: enable builtin overflow checkers and add fallback code
2018-06-06 17:27:14 -07:00
Kees Cook acafe7e302 treewide: Use struct_size() for kmalloc()-family
One of the more common cases of allocation size calculations is finding
the size of a structure that has a zero-sized array at the end, along
with memory for some number of elements for that array. For example:

struct foo {
    int stuff;
    void *entry[];
};

instance = kmalloc(sizeof(struct foo) + sizeof(void *) * count, GFP_KERNEL);

Instead of leaving these open-coded and prone to type mistakes, we can
now use the new struct_size() helper:

instance = kmalloc(struct_size(instance, entry, count), GFP_KERNEL);

This patch makes the changes for kmalloc()-family (and kvmalloc()-family)
uses. It was done via automatic conversion with manual review for the
"CHECKME" non-standard cases noted below, using the following Coccinelle
script:

// pkey_cache = kmalloc(sizeof *pkey_cache + tprops->pkey_tbl_len *
//                      sizeof *pkey_cache->table, GFP_KERNEL);
@@
identifier alloc =~ "kmalloc|kzalloc|kvmalloc|kvzalloc";
expression GFP;
identifier VAR, ELEMENT;
expression COUNT;
@@

- alloc(sizeof(*VAR) + COUNT * sizeof(*VAR->ELEMENT), GFP)
+ alloc(struct_size(VAR, ELEMENT, COUNT), GFP)

// mr = kzalloc(sizeof(*mr) + m * sizeof(mr->map[0]), GFP_KERNEL);
@@
identifier alloc =~ "kmalloc|kzalloc|kvmalloc|kvzalloc";
expression GFP;
identifier VAR, ELEMENT;
expression COUNT;
@@

- alloc(sizeof(*VAR) + COUNT * sizeof(VAR->ELEMENT[0]), GFP)
+ alloc(struct_size(VAR, ELEMENT, COUNT), GFP)

// Same pattern, but can't trivially locate the trailing element name,
// or variable name.
@@
identifier alloc =~ "kmalloc|kzalloc|kvmalloc|kvzalloc";
expression GFP;
expression SOMETHING, COUNT, ELEMENT;
@@

- alloc(sizeof(SOMETHING) + COUNT * sizeof(ELEMENT), GFP)
+ alloc(CHECKME_struct_size(&SOMETHING, ELEMENT, COUNT), GFP)

Signed-off-by: Kees Cook <keescook@chromium.org>
2018-06-06 11:15:43 -07:00
Joe Perches 6a73cf46ce sound: Use octal not symbolic permissions
Convert the S_<FOO> symbolic permissions to their octal equivalents as
using octal and not symbolic permissions is preferred by many as more
readable.

see: https://lkml.org/lkml/2016/8/2/1945

Done with automated conversion via:
$ ./scripts/checkpatch.pl -f --types=SYMBOLIC_PERMS --fix-inplace <files...>

Miscellanea:

o Wrapped one multi-line call to a single line

Signed-off-by: Joe Perches <joe@perches.com>
Acked-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-05-28 11:27:20 +02:00
Colin Ian King 6231a895f5 ALSA: seq: fix spelling mistake "Unamed" -> "Unnamed"
Trivial fix to spelling mistake in string

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-05-26 23:59:32 +02:00
Takashi Iwai ed14d9ae53 Merge branch 'topic/timer-fixes' into for-next
Pull the fixes for possible races in the resolution callback.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-05-18 08:55:36 +02:00
Takashi Iwai 9d4d207d13 ALSA: timer: Assure timer resolution access always locked
There are still many places calling the timer's hw.c_resolution
callback without lock, and this may lead to some races, as we faced in
the commit a820ccbe21 ("ALSA: pcm: Fix UAF at PCM release via PCM
timer access").

This patch changes snd_timer_resolution() to take the timer->lock for
avoiding the races.  A place calling this function already inside the
lock (from the notifier) is replaced with the
snd_timer_hw_resolution() accordingly, as well as wrapping with the
lock around another place calling snd_timer_hw_resolution(), too.

Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-05-18 08:49:13 +02:00
Takashi Iwai 21244e3d6a ALSA: seq: Avoid open-code for getting timer resolution
Instead of open-coding for getting the timer resolution, use the
standard snd_timer_resolution() helper.

The original code falls back to the callback function when the
resolution is zero, but it must be always so when the callback
function is defined.  So this should be no functional change.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-05-18 08:49:13 +02:00
Takashi Iwai fdcb5761c1 ALSA: timer: Simplify timer hw resolution calls
There multiple open-codes to get the hardware timer resolution.
Make a local helper function snd_timer_hw_resolution() and call it
from all relevant places.

There is no functional change by this, just a preliminary work for the
following timer resolution hardening patch.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-05-18 08:49:12 +02:00
Ben Hutchings 3ae1809725 ALSA: timer: Fix pause event notification
Commit f65e0d2998 ("ALSA: timer: Call notifier in the same spinlock")
combined the start/continue and stop/pause functions, and in doing so
changed the event code for the pause case to SNDRV_TIMER_EVENT_CONTINUE.
Change it back to SNDRV_TIMER_EVENT_PAUSE.

Fixes: f65e0d2998 ("ALSA: timer: Call notifier in the same spinlock")
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Cc: stable@vger.kernel.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-05-18 08:43:59 +02:00
Takashi Iwai dc82e52492 ALSA: core: Assure control device to be registered at last
The commit 289ca025ee ("ALSA: Use priority list for managing device
list") changed the way to register/disconnect/free devices via a
single priority list.  This helped to make behavior consistent, but it
also changed a slight behavior change: namely, the control device is
registered earlier than others, while it was supposed to be the very
last one.

I've put SNDRV_DEV_CONTROL in the current position as the release of
ctl elements often conflict with the private ctl elements some PCM or
other components may create, which often leads to a double-free.
But, the order of register and disconnect should be indeed fixed as
expected in the early days: the control device gets registered at
last, and disconnected at first.

This patch changes the priority list order to move SNDRV_DEV_CONTROL
as the last guy to assure the register / disconnect order.  Meanwhile,
for keeping the messy resource release order, manually treat the
control and lowlevel devices as last freed one.

Additional note:
The lowlevel device is the device where a card driver creates at
probe.  And, we still keep the release order control -> lowlevel, as
there might  be link from a control element back to a lowlevel object.

Fixes: 289ca025ee ("ALSA: Use priority list for managing device list")
Reported-by: Tzung-Bi Shih <tzungbi@google.com>
Tested-by: Tzung-Bi Shih <tzungbi@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-05-17 08:21:23 +02:00
Takashi Iwai 8def12d9cd Merge branch 'for-linus' into for-next
Back-merge of UAC3 fixes for applying further enhancements.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-05-15 07:30:23 +02:00
Takashi Sakamoto 841bdb7c0b ALSA: vmaster: use position offset macro of TLV data
A series of SNDRV_CTL_TLVO_XXX macro was introduced for position offset
of TLV data. This commit applies a code optimization.

Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-05-14 17:47:48 +02:00
Wenwen Wang 3f12888dfa ALSA: control: fix a redundant-copy issue
In snd_ctl_elem_add_compat(), the fields of the struct 'data' need to be
copied from the corresponding fields of the struct 'data32' in userspace.
This is achieved by invoking copy_from_user() and get_user() functions. The
problem here is that the 'type' field is copied twice. One is by
copy_from_user() and one is by get_user(). Given that the 'type' field is
not used between the two copies, the second copy is *completely* redundant
and should be removed for better performance and cleanup. Also, these two
copies can cause inconsistent data: as the struct 'data32' resides in
userspace and a malicious userspace process can race to change the 'type'
field between the two copies to cause inconsistent data. Depending on how
the data is used in the future, such an inconsistency may cause potential
security risks.

For above reasons, we should take out the second copy.

Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-05-13 09:27:57 +02:00
Anna-Maria Gleixner 10aa7cad37 ALSA: pcm: Hide local_irq_disable/enable() and local_irqsave/restore()
The snd_pcm_stream_lock_irq*() functions decouple disabling interrupts
from the actual locking process. This does not work as expected if the
locking primitives are replaced like on preempt-rt.

Provide one function for locking which uses correct locking primitives.

Signed-off-by: Anna-Maria Gleixner <anna-maria@linutronix.de>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-05-04 18:57:13 +02:00
Takashi Iwai f13876e2c3 ALSA: pcm: Check PCM state at xfern compat ioctl
Since snd_pcm_ioctl_xfern_compat() has no PCM state check, it may go
further and hit the sanity check pcm_sanity_check() when the ioctl is
called right after open.  It may eventually spew a kernel warning, as
triggered by syzbot, depending on kconfig.

The lack of PCM state check there was just an oversight.  Although
it's no real crash, the spurious kernel warning is annoying, so let's
add the proper check.

Reported-by: syzbot+1dac3a4f6bc9c1c675d4@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-05-02 08:54:54 +02:00
Takashi Iwai 8f22e52528 ALSA: seq: Fix races at MIDI encoding in snd_virmidi_output_trigger()
The sequencer virmidi code has an open race at its output trigger
callback: namely, virmidi keeps only one event packet for processing
while it doesn't protect for concurrent output trigger calls.

snd_virmidi_output_trigger() tries to process the previously
unfinished event before starting encoding the given MIDI stream, but
this is done without any lock.  Meanwhile, if another rawmidi stream
starts the output trigger, this proceeds further, and overwrites the
event package that is being processed in another thread.  This
eventually corrupts and may lead to the invalid memory access if the
event type is like SYSEX.

The fix is just to move the spinlock to cover both the pending event
and the new stream.

The bug was spotted by a new fuzzer, RaceFuzzer.

BugLink: http://lkml.kernel.org/r/20180426045223.GA15307@dragonet.kaist.ac.kr
Reported-by: DaeRyong Jeong <threeearcat@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-04-27 17:50:37 +02:00
Takashi Iwai 4d31c6e41e Merge branch 'for-linus' into for-next
Back-merge 4.17-rc3 fixes for further development.
This will bump the base to 4.17-rc2, too.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-04-25 16:44:36 +02:00
Takashi Iwai 8d218dd811 ALSA: seq: oss: Hardening for potential Spectre v1
As Smatch recently suggested, a few places in OSS sequencer codes may
expand the array directly from the user-space value with speculation,
namely there are a significant amount of references to either
info->ch[] or dp->synths[] array:

  sound/core/seq/oss/seq_oss_event.c:315 note_on_event() warn: potential spectre issue 'info->ch' (local cap)
  sound/core/seq/oss/seq_oss_event.c:362 note_off_event() warn: potential spectre issue 'info->ch' (local cap)
  sound/core/seq/oss/seq_oss_synth.c:470 snd_seq_oss_synth_load_patch() warn: potential spectre issue 'dp->synths' (local cap)
  sound/core/seq/oss/seq_oss_event.c:293 note_on_event() warn: potential spectre issue 'dp->synths'
  sound/core/seq/oss/seq_oss_event.c:353 note_off_event() warn: potential spectre issue 'dp->synths'
  sound/core/seq/oss/seq_oss_synth.c:506 snd_seq_oss_synth_sysex() warn: potential spectre issue 'dp->synths'
  sound/core/seq/oss/seq_oss_synth.c:580 snd_seq_oss_synth_ioctl() warn: potential spectre issue 'dp->synths'

Although all these seem doing only the first load without further
reference, we may want to stay in a safer side, so hardening with
array_index_nospec() would still make sense.

We may put array_index_nospec() at each place, but here we take a
different approach:

- For dp->synths[], change the helpers to retrieve seq_oss_synthinfo
  pointer directly instead of the array expansion at each place

- For info->ch[], harden in a normal way, as there are only a couple
  of places

As a result, the existing helper, snd_seq_oss_synth_is_valid() is
replaced with snd_seq_oss_synth_info().  Also, we cover MIDI device
where a similar array expansion is done, too, although it wasn't
reported by Smatch.

BugLink: https://marc.info/?l=linux-kernel&m=152411496503418&w=2
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-04-25 10:37:45 +02:00
Takashi Iwai f5e94b4c6e ALSA: seq: oss: Fix unbalanced use lock for synth MIDI device
When get_synthdev() is called for a MIDI device, it returns the fixed
midi_synth_dev without the use refcounting.  OTOH, the caller is
supposed to unreference unconditionally after the usage, so this would
lead to unbalanced refcount.

This patch corrects the behavior and keep up the refcount balance also
for the MIDI synth device.

Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-04-25 10:37:45 +02:00
Souptick Joarder 41412fe921 ALSA: pcm: Change return type to vm_fault_t
Use new return type vm_fault_t for fault handler. For
now, this is just documenting that the function returns
a VM_FAULT value rather than an errno. Once all instances
are converted, vm_fault_t will become a distinct type.

Commit 1c8f422059 ("mm: change return type to vm_fault_t")

Signed-off-by: Souptick Joarder <jrdr.linux@gmail.com>
Reviewed-by: Matthew Wilcox <mawilcox@microsoft.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-04-25 08:15:45 +02:00
Takashi Iwai 1ba7862f1f ALSA: control: Fix missing __user annotation
There is one place missing __user annotation to the pointer used by
the recent code refactoring.  Reported by sparse.

Fixes: 450296f305 ("ALSA: control: code refactoring TLV ioctl handler")
Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-04-23 16:19:52 +02:00
David Henningsson f853dcaae2 ALSA: core: Report audio_tstamp in snd_pcm_sync_ptr
It looks like a simple mistake that this struct member
was forgotten.

Audio_tstamp isn't used much, and on some archs (such as x86) this
ioctl is not used by default, so that might be the reason why this
has slipped for so long.

Fixes: 4eeaaeaea1 ("ALSA: core: add hooks for audio timestamps")
Signed-off-by: David Henningsson <diwic@ubuntu.com>
Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Cc: <stable@vger.kernel.org> # v3.8+
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-04-23 08:47:03 +02:00
Jeffery Miller 912e4c3320 ALSA: pcm: Return negative delays from SNDRV_PCM_IOCTL_DELAY.
The commit c2c86a9717 ("ALSA: pcm: Remove set_fs() in PCM core code")
changed SNDRV_PCM_IOCTL_DELAY to return an inconsistent error instead of a
negative delay.  Originally the call would succeed and return the negative
delay.  The Chromium OS Audio Server (CRAS) gets confused and hangs when
the error is returned instead of the negative delay.

Help CRAS avoid the issue by rolling back the behavior to return a
negative delay instead of an error.

Fixes: c2c86a9717 ("ALSA: pcm: Remove set_fs() in PCM core code")
Signed-off-by: Jeffery Miller <jmiller@neverware.com>
Cc: <stable@vger.kernel.org> # v4.13+
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-04-23 08:41:35 +02:00
Takashi Iwai 8a56ef4f3f ALSA: rawmidi: Fix missing input substream checks in compat ioctls
Some rawmidi compat ioctls lack of the input substream checks
(although they do check only for rfile->output).  This many eventually
lead to an Oops as NULL substream is passed to the rawmidi core
functions.

Fix it by adding the proper checks before each function call.

The bug was spotted by syzkaller.

Reported-by: syzbot+f7a0348affc3b67bc617@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-04-19 18:16:15 +02:00
Takashi Iwai c99c5a3bb5 ALSA: pcm: Unify delay calculation in snd_pcm_status() and snd_pcm_delay()
Yet another slight code cleanup: there are two places where
calculating the PCM delay, and they can be unified in a single
helper.  It reduces the multiple open codes.

Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-04-17 13:01:16 +02:00
Takashi Iwai 6448fcba2a ALSA: pcm: Unify playback and capture poll callbacks
The poll callbacks for playback and capture directions are doing
fairly similar but with a slight difference.  This patch unifies the
two functions into a single callback.  The advantage of this
refactoring is that the direction-specific procedures become clearer.

There should be no functional change but only the code cleanup.

Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-04-17 07:37:24 +02:00
Takashi Iwai 763e5067aa ALSA: pcm: Clean up with snd_pcm_avail() and snd_pcm_hw_avail() helpers
Introduce two new direction-neutral helpers to calculate the avail and
hw_avail values, and clean up the code with them.

The two separated forward and rewind functions are gathered to the
unified functions.

No functional change but only code reductions.

Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-04-17 07:37:13 +02:00
Takashi Iwai e1a3a981e3 ALSA: pcm: Remove WARN_ON() at snd_pcm_hw_params() error
snd_pcm_hw_params() (more exactly snd_pcm_hw_params_choose()) contains
a check of the return error from snd_pcm_hw_param_first() and _last()
with snd_BUG_ON() -- i.e. it may trigger WARN_ON() depending on the
kconfig.

This was a valid check in the past, as these functions shouldn't
return any error if the parameters have been already refined via
snd_pcm_hw_refine() beforehand.  However, the recent rewrite
introduced a kmalloc() in snd_pcm_hw_refine() for removing VLA, and
this brought a possibility to trigger an error.  As a result, syzbot
caught lots of superfluous kernel WARN_ON() and paniced via fault
injection.

As the WARN_ON() is no longer valid with the introduction of
kmalloc(), let's drop snd_BUG_ON() check, in order to make the world
peaceful place again.

Reported-by: syzbot+803e0047ac3a3096bb4f@syzkaller.appspotmail.com
Fixes: 5730f9f744 ("ALSA: pcm: Remove VLA usage")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-04-09 17:39:31 +02:00
Takashi Iwai e15dc99dbb ALSA: pcm: Fix endless loop for XRUN recovery in OSS emulation
The commit 02a5d6925c ("ALSA: pcm: Avoid potential races between OSS
ioctls and read/write") split the PCM preparation code to a locked
version, and it added a sanity check of runtime->oss.prepare flag
along with the change.  This leaded to an endless loop when the stream
gets XRUN: namely, snd_pcm_oss_write3() and co call
snd_pcm_oss_prepare() without setting runtime->oss.prepare flag and
the loop continues until the PCM state reaches to another one.

As the function is supposed to execute the preparation
unconditionally, drop the invalid state check there.

The bug was triggered by syzkaller.

Fixes: 02a5d6925c ("ALSA: pcm: Avoid potential races between OSS ioctls and read/write")
Reported-by: syzbot+150189c103427d31a053@syzkaller.appspotmail.com
Reported-by: syzbot+7e3f31a52646f939c052@syzkaller.appspotmail.com
Reported-by: syzbot+4f2016cf5185da7759dc@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-04-07 13:10:11 +02:00
Takashi Iwai a820ccbe21 ALSA: pcm: Fix UAF at PCM release via PCM timer access
The PCM runtime object is created and freed dynamically at PCM stream
open / close time.  This is tracked via substream->runtime, and it's
cleared at snd_pcm_detach_substream().

The runtime object assignment is protected by PCM open_mutex, so for
all PCM operations, it's safely handled.  However, each PCM substream
provides also an ALSA timer interface, and user-space can access to
this while closing a PCM substream.  This may eventually lead to a
UAF, as snd_pcm_timer_resolution() tries to access the runtime while
clearing it in other side.

Fortunately, it's the only concurrent access from the PCM timer, and
it merely reads runtime->timer_resolution field.  So, we can avoid the
race by reordering kfree() and wrapping the substream->runtime
clearance with the corresponding timer lock.

Reported-by: syzbot+8e62ff4e07aa2ce87826@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-04-03 08:36:40 +02:00
Takashi Iwai bc334cb61b Merge branch 'for-next' into for-linus
Preparation for 4.17 merge.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-04-02 19:50:59 +02:00
Takashi Iwai f6d297df4d ALSA: pcm: Fix mutex unbalance in OSS emulation ioctls
The previous fix 40cab6e88c ("ALSA: pcm: Return -EBUSY for OSS
ioctls changing busy streams") introduced some mutex unbalance; the
check of runtime->oss.rw_ref was inserted in a wrong place after the
mutex lock.

This patch fixes the inconsistency by rewriting with the helper
functions to lock/unlock parameters with the stream check.

Fixes: 40cab6e88c ("ALSA: pcm: Return -EBUSY for OSS ioctls changing busy streams")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-03-27 16:20:02 +02:00
Dan Carpenter 5607dddbfc ALSA: pcm: potential uninitialized return values
Smatch complains that "tmp" can be uninitialized if we do a zero size
write.

Fixes: 02a5d6925c ("ALSA: pcm: Avoid potential races between OSS ioctls and read/write")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-03-27 15:20:19 +02:00
Stefan Roese 9066ae7ff5 ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent()
When trying to use the driver (e.g. aplay *.wav), the 4MiB DMA buffer
will get mmapp'ed in 16KiB chunks. But this fails with the 2nd 16KiB
area, as the page offset is outside of the VMA range (size), which is
currently used as size parameter in snd_pcm_lib_default_mmap(). By
using the DMA buffer size (dma_bytes) instead, the complete DMA buffer
can be mmapp'ed and the issue is fixed.

This issue was detected on an ARM platform (TI AM57xx) using the RME
HDSP MADI PCIe soundcard.

Fixes: 657b1989da ("ALSA: pcm - Use dma_mmap_coherent() if available")
Signed-off-by: Stefan Roese <sr@denx.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-03-26 16:33:50 +02:00
Takashi Iwai 40cab6e88c ALSA: pcm: Return -EBUSY for OSS ioctls changing busy streams
OSS PCM stream management isn't modal but it allows ioctls issued at
any time for changing the parameters.  In the previous hardening
patch ("ALSA: pcm: Avoid potential races between OSS ioctls and
read/write"), we covered these races and prevent the corruption by
protecting the concurrent accesses via params_lock mutex.  However,
this means that some ioctls that try to change the stream parameter
(e.g. channels or format) would be blocked until the read/write
finishes, and it may take really long.

Basically changing the parameter while reading/writing is an invalid
operation, hence it's even more user-friendly from the API POV if it
returns -EBUSY in such a situation.

This patch adds such checks in the relevant ioctls with the addition
of read/write access refcount.

Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-03-23 22:18:05 +01:00
Takashi Iwai 02a5d6925c ALSA: pcm: Avoid potential races between OSS ioctls and read/write
Although we apply the params_lock mutex to the whole read and write
operations as well as snd_pcm_oss_change_params(), we may still face
some races.

First off, the params_lock is taken inside the read and write loop.
This is intentional for avoiding the too long locking, but it allows
the in-between parameter change, which might lead to invalid
pointers.  We check the readiness of the stream and set up via
snd_pcm_oss_make_ready() at the beginning of read and write, but it's
called only once, by assuming that it remains ready in the rest.

Second, many ioctls that may change the actual parameters
(i.e. setting runtime->oss.params=1) aren't protected, hence they can
be processed in a half-baked state.

This patch is an attempt to plug these holes.  The stream readiness
check is moved inside the read/write inner loop, so that the stream is
always set up in a proper state before further processing.  Also, each
ioctl that may change the parameter is wrapped with the params_lock
for avoiding the races.

The issues were triggered by syzkaller in a few different scenarios,
particularly the one below appearing as GPF in loopback_pos_update.

Reported-by: syzbot+c4227aec125487ec3efa@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-03-23 22:17:56 +01:00
Takashi Iwai 4654eba8cb Merge branch 'for-linus' into for-next
Back-merge of for-linus branch for applying the further UAC3 patches.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-03-19 17:00:01 +01:00
Takashi Iwai 09b9ddfaa1 ALSA: pcm: Use krealloc() for resizing the rules array
Just a minor simplification.  Change from kcalloc() shouldn't matter
as each array element is fully initialized.

Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-03-13 15:37:58 +01:00
Takashi Iwai 5730f9f744 ALSA: pcm: Remove VLA usage
A helper function used by snd_pcm_hw_refine() still keeps using VLA
for timestamps of hw constraint rules that are non-fixed size.

Let's replace the VLA with a simple kmalloc() array.

Reference: https://lkml.org/lkml/2018/3/7/621
Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-03-13 15:37:56 +01:00
Takashi Iwai 01c0b4265c ALSA: pcm: Fix UAF in snd_pcm_oss_get_formats()
snd_pcm_oss_get_formats() has an obvious use-after-free around
snd_mask_test() calls, as spotted by syzbot.  The passed format_mask
argument is a pointer to the hw_params object that is freed before the
loop.  What a surprise that it has been present since the original
code of decades ago...

Reported-by: syzbot+4090700a4f13fccaf648@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-03-11 10:25:10 +01:00
Takashi Iwai a2ff19f7b7 ALSA: seq: Clear client entry before deleting else at closing
When releasing a client, we need to clear the clienttab[] entry at
first, then call snd_seq_queue_client_leave().  Otherwise, the
in-flight cell in the queue might be picked up by the timer interrupt
via snd_seq_check_queue() before calling snd_seq_queue_client_leave(),
and it's delivered to another queue while the client is clearing
queues.  This may eventually result in an uncleared cell remaining in
a queue, and the later snd_seq_pool_delete() may need to wait for a
long time until the event gets really processed.

By moving the clienttab[] clearance at the beginning of release, any
event delivery of a cell belonging to this client will fail at a later
point, since snd_seq_client_ptr() returns NULL.  Thus the cell that
was picked up by the timer interrupt will be returned immediately
without further delivery, and the long stall of snd_seq_delete_pool()
can be avoided, too.

Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-03-10 17:30:01 +01:00
Takashi Iwai d0f8330652 ALSA: seq: Fix possible UAF in snd_seq_check_queue()
Although we've covered the races between concurrent write() and
ioctl() in the previous patch series, there is still a possible UAF in
the following scenario:

A: user client closed		B: timer irq
  -> snd_seq_release()		  -> snd_seq_timer_interrupt()
    -> snd_seq_free_client()	    -> snd_seq_check_queue()
				      -> cell = snd_seq_prioq_cell_peek()
      -> snd_seq_prioq_leave()
         .... removing all cells
      -> snd_seq_pool_done()
         .... vfree()
				      -> snd_seq_compare_tick_time(cell)
				         ... Oops

So the problem is that a cell is peeked and accessed without any
protection until it's retrieved from the queue again via
snd_seq_prioq_cell_out().

This patch tries to address it, also cleans up the code by a slight
refactoring.  snd_seq_prioq_cell_out() now receives an extra pointer
argument.  When it's non-NULL, the function checks the event timestamp
with the given pointer.  The caller needs to pass the right reference
either to snd_seq_tick or snd_seq_realtime depending on the event
timestamp type.

A good news is that the above change allows us to remove the
snd_seq_prioq_cell_peek(), too, thus the patch actually reduces the
code size.

Reviewed-by: Nicolai Stange <nstange@suse.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-03-10 17:29:49 +01:00
Takashi Iwai 85d59b57be ALSA: seq: Remove superfluous snd_seq_queue_client_leave_cells() call
With the previous two fixes for the write / ioctl races:
  ALSA: seq: Don't allow resizing pool in use
  ALSA: seq: More protection for concurrent write and ioctl races
the cells aren't any longer in queues at the point calling
snd_seq_pool_done() in snd_seq_ioctl_set_client_pool().  Hence the
function call snd_seq_queue_client_leave_cells() can be dropped safely
from there.

Suggested-by: Nicolai Stange <nstange@suse.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-03-08 12:06:07 +01:00
Takashi Iwai 7bd8009156 ALSA: seq: More protection for concurrent write and ioctl races
This patch is an attempt for further hardening against races between
the concurrent write and ioctls.  The previous fix d15d662e89
("ALSA: seq: Fix racy pool initializations") covered the race of the
pool initialization at writer and the pool resize ioctl by the
client->ioctl_mutex (CVE-2018-1000004).  However, basically this mutex
should be applied more widely to the whole write operation for
avoiding the unexpected pool operations by another thread.

The only change outside snd_seq_write() is the additional mutex
argument to helper functions, so that we can unlock / relock the given
mutex temporarily during schedule() call for blocking write.

Fixes: d15d662e89 ("ALSA: seq: Fix racy pool initializations")
Reported-by: 范龙飞 <long7573@126.com>
Reported-by: Nicolai Stange <nstange@suse.de>
Reviewed-and-tested-by: Nicolai Stange <nstange@suse.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-03-08 12:05:37 +01:00
Takashi Iwai d85739367c ALSA: seq: Don't allow resizing pool in use
This is a fix for a (sort of) fallout in the recent commit
d15d662e89 ("ALSA: seq: Fix racy pool initializations") for
CVE-2018-1000004.
As the pool resize deletes the existing cells, it may lead to a race
when another thread is writing concurrently, eventually resulting a
UAF.

A simple workaround is not to allow the pool resizing when the pool is
in use.  It's an invalid behavior in anyway.

Fixes: d15d662e89 ("ALSA: seq: Fix racy pool initializations")
Reported-by: 范龙飞 <long7573@126.com>
Reported-by: Nicolai Stange <nstange@suse.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-03-08 08:59:26 +01:00
Takashi Iwai 7a33a02ffb ALSA: vmaster: Zero-clear ctl before calling slave get
Use kzalloc() instead of kmalloc() so that we don't need to rely fully
on the slave get() callback to clear the control value that might be
copied to user-space.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-03-08 08:41:13 +01:00
Takashi Iwai 2e2c177ca8 ALSA: vmaster: Propagate slave error
In slave_update() of vmaster code ignores the error from the slave
get() callback and copies the values.  It's not only about the missing
error code but also that this may potentially lead to a leak of
uninitialized variables when the slave get() don't clear them.

This patch fixes slave_update() not to copy the potentially
uninitialized values when an error is returned from the slave get()
callback, and to propagate the error value properly.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-03-08 08:41:12 +01:00
Richard Fitzgerald dd5f313be0 ALSA: control: Fix a bunch of whitespace errors
Remove a bunch of trailing whitespace errors. They are
fairly annoying if you have your editor set to strip trailing
whitespace because you find you've introduced more changes
than you were trying to make.

Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-02-28 08:18:26 +01:00
Takashi Iwai 3b8bd500c9 Merge branch 'for-linus' into for-next
Back-merge for applying a cleanup to core/control

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-02-28 08:17:54 +01:00
Richard Fitzgerald 5a23699a39 ALSA: control: Fix memory corruption risk in snd_ctl_elem_read
The patch "ALSA: control: code refactoring for ELEM_READ/ELEM_WRITE
operations" introduced a potential for kernel memory corruption due
to an incorrect if statement allowing non-readable controls to fall
through and call the get function. For TLV controls a driver can omit
SNDRV_CTL_ELEM_ACCESS_READ to ensure that only the TLV get function
can be called. Instead the normal get() can be invoked unexpectedly
and as the driver expects that this will only be called for controls
<= 512 bytes, potentially try to copy >512 bytes into the 512 byte
return array, so corrupting kernel memory.

The problem is an attempt to refactor the snd_ctl_elem_read function
to invert the logic so that it conditionally aborted if the control
is unreadable instead of conditionally executing. But the if statement
wasn't inverted correctly.

The correct inversion of

    if (a && !b)

is
    if (!a || b)

Fixes: becf9e5d55 ("ALSA: control: code refactoring for ELEM_READ/ELEM_WRITE operations")
Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-02-28 08:15:56 +01:00
Jaejoong Kim ef21e17501 ALSA: Use scnprintf() instead of snprintf() for show
The show() method should use scnprintf() not snprintf() because snprintf()
may returns a value that exceeds its second argument.

Signed-off-by: Jaejoong Kim <climbbb.kim@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-02-27 09:16:52 +01:00
Takashi Iwai d15d662e89 ALSA: seq: Fix racy pool initializations
ALSA sequencer core initializes the event pool on demand by invoking
snd_seq_pool_init() when the first write happens and the pool is
empty.  Meanwhile user can reset the pool size manually via ioctl
concurrently, and this may lead to UAF or out-of-bound accesses since
the function tries to vmalloc / vfree the buffer.

A simple fix is to just wrap the snd_seq_pool_init() call with the
recently introduced client->ioctl_mutex; as the calls for
snd_seq_pool_init() from other side are always protected with this
mutex, we can avoid the race.

Reported-by: 范龙飞 <long7573@126.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-02-14 10:39:08 +01:00
Linus Torvalds a9a08845e9 vfs: do bulk POLL* -> EPOLL* replacement
This is the mindless scripted replacement of kernel use of POLL*
variables as described by Al, done by this script:

    for V in IN OUT PRI ERR RDNORM RDBAND WRNORM WRBAND HUP RDHUP NVAL MSG; do
        L=`git grep -l -w POLL$V | grep -v '^t' | grep -v /um/ | grep -v '^sa' | grep -v '/poll.h$'|grep -v '^D'`
        for f in $L; do sed -i "-es/^\([^\"]*\)\(\<POLL$V\>\)/\\1E\\2/" $f; done
    done

with de-mangling cleanups yet to come.

NOTE! On almost all architectures, the EPOLL* constants have the same
values as the POLL* constants do.  But they keyword here is "almost".
For various bad reasons they aren't the same, and epoll() doesn't
actually work quite correctly in some cases due to this on Sparc et al.

The next patch from Al will sort out the final differences, and we
should be all done.

Scripted-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2018-02-11 14:34:03 -08:00
Linus Torvalds 19e7b5f994 Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Pull misc vfs updates from Al Viro:
 "All kinds of misc stuff, without any unifying topic, from various
  people.

  Neil's d_anon patch, several bugfixes, introduction of kvmalloc
  analogue of kmemdup_user(), extending bitfield.h to deal with
  fixed-endians, assorted cleanups all over the place..."

* 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (28 commits)
  alpha: osf_sys.c: use timespec64 where appropriate
  alpha: osf_sys.c: fix put_tv32 regression
  jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path
  dcache: delete unused d_hash_mask
  dcache: subtract d_hash_shift from 32 in advance
  fs/buffer.c: fold init_buffer() into init_page_buffers()
  fs: fold __inode_permission() into inode_permission()
  fs: add RWF_APPEND
  sctp: use vmemdup_user() rather than badly open-coding memdup_user()
  snd_ctl_elem_init_enum_names(): switch to vmemdup_user()
  replace_user_tlv(): switch to vmemdup_user()
  new primitive: vmemdup_user()
  memdup_user(): switch to GFP_USER
  eventfd: fold eventfd_ctx_get() into eventfd_ctx_fileget()
  eventfd: fold eventfd_ctx_read() into eventfd_read()
  eventfd: convert to use anon_inode_getfd()
  nfs4file: get rid of pointless include of btrfs.h
  uvc_v4l2: clean copyin/copyout up
  vme_user: don't use __copy_..._user()
  usx2y: don't bother with memdup_user() for 16-byte structure
  ...
2018-01-31 09:25:20 -08:00
Linus Torvalds 168fe32a07 Merge branch 'misc.poll' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Pull poll annotations from Al Viro:
 "This introduces a __bitwise type for POLL### bitmap, and propagates
  the annotations through the tree. Most of that stuff is as simple as
  'make ->poll() instances return __poll_t and do the same to local
  variables used to hold the future return value'.

  Some of the obvious brainos found in process are fixed (e.g. POLLIN
  misspelled as POLL_IN). At that point the amount of sparse warnings is
  low and most of them are for genuine bugs - e.g. ->poll() instance
  deciding to return -EINVAL instead of a bitmap. I hadn't touched those
  in this series - it's large enough as it is.

  Another problem it has caught was eventpoll() ABI mess; select.c and
  eventpoll.c assumed that corresponding POLL### and EPOLL### were
  equal. That's true for some, but not all of them - EPOLL### are
  arch-independent, but POLL### are not.

  The last commit in this series separates userland POLL### values from
  the (now arch-independent) kernel-side ones, converting between them
  in the few places where they are copied to/from userland. AFAICS, this
  is the least disruptive fix preserving poll(2) ABI and making epoll()
  work on all architectures.

  As it is, it's simply broken on sparc - try to give it EPOLLWRNORM and
  it will trigger only on what would've triggered EPOLLWRBAND on other
  architectures. EPOLLWRBAND and EPOLLRDHUP, OTOH, are never triggered
  at all on sparc. With this patch they should work consistently on all
  architectures"

* 'misc.poll' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (37 commits)
  make kernel-side POLL... arch-independent
  eventpoll: no need to mask the result of epi_item_poll() again
  eventpoll: constify struct epoll_event pointers
  debugging printk in sg_poll() uses %x to print POLL... bitmap
  annotate poll(2) guts
  9p: untangle ->poll() mess
  ->si_band gets POLL... bitmap stored into a user-visible long field
  ring_buffer_poll_wait() return value used as return value of ->poll()
  the rest of drivers/*: annotate ->poll() instances
  media: annotate ->poll() instances
  fs: annotate ->poll() instances
  ipc, kernel, mm: annotate ->poll() instances
  net: annotate ->poll() instances
  apparmor: annotate ->poll() instances
  tomoyo: annotate ->poll() instances
  sound: annotate ->poll() instances
  acpi: annotate ->poll() instances
  crypto: annotate ->poll() instances
  block: annotate ->poll() instances
  x86: annotate ->poll() instances
  ...
2018-01-30 17:58:07 -08:00
Al Viro 59aeaf3fef snd_ctl_elem_init_enum_names(): switch to vmemdup_user()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2018-01-19 22:35:58 -05:00