Skip to content
  1. Apr 09, 2018
    • Takashi Iwai's avatar
      ALSA: pcm: Remove WARN_ON() at snd_pcm_hw_params() error · e1a3a981
      Takashi Iwai authored 
      

snd_pcm_hw_params() (more exactly snd_pcm_hw_params_choose()) contains
a check of the return error from snd_pcm_hw_param_first() and _last()
with snd_BUG_ON() -- i.e. it may trigger WARN_ON() depending on the
kconfig.

This was a valid check in the past, as these functions shouldn't
return any error if the parameters have been already refined via
snd_pcm_hw_refine() beforehand.  However, the recent rewrite
introduced a kmalloc() in snd_pcm_hw_refine() for removing VLA, and
this brought a possibility to trigger an error.  As a result, syzbot
caught lots of superfluous kernel WARN_ON() and paniced via fault
injection.

As the WARN_ON() is no longer valid with the introduction of
kmalloc(), let's drop snd_BUG_ON() check, in order to make the world
peaceful place again.

Reported-by: default avatar <syzbot+803e0047ac3a3096bb4f@syzkaller.appspotmail.com>
Fixes: 5730f9f7

 ("ALSA: pcm: Remove VLA usage")
Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      e1a3a981
  3. Apr 07, 2018
  5. Apr 03, 2018
    • Takashi Iwai's avatar
      ALSA: pcm: Fix UAF at PCM release via PCM timer access · a820ccbe
      Takashi Iwai authored 
      

The PCM runtime object is created and freed dynamically at PCM stream
open / close time.  This is tracked via substream->runtime, and it's
cleared at snd_pcm_detach_substream().

The runtime object assignment is protected by PCM open_mutex, so for
all PCM operations, it's safely handled.  However, each PCM substream
provides also an ALSA timer interface, and user-space can access to
this while closing a PCM substream.  This may eventually lead to a
UAF, as snd_pcm_timer_resolution() tries to access the runtime while
clearing it in other side.

Fortunately, it's the only concurrent access from the PCM timer, and
it merely reads runtime->timer_resolution field.  So, we can avoid the
race by reordering kfree() and wrapping the substream->runtime
clearance with the corresponding timer lock.

Reported-by: default avatar <syzbot+8e62ff4e07aa2ce87826@syzkaller.appspotmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      a820ccbe
    • Takashi Iwai's avatar
      Merge tag 'asoc-v4.17' of... · 903d271a
      Takashi Iwai authored 
      Merge tag 'asoc-v4.17' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus

ASoC: Updates for v4.17

This is a *very* big release for ASoC.  Not much change in the core but
there s the transition of all the individual drivers over to components
which is intended to support further core work.  The goal is to make it
easier to do further core work by removing the need to special case all
the different driver classes in the core, many of the devices end up
being used in multiple roles in modern systems.

We also have quite a lot of new drivers added this month of all kinds,
quite a few for simple devices but also some more advanced ones with
more substantial code.

 - The biggest thing is the huge series from Morimoto-san which
   converted everything over to components.  This is a huge change by
   code volume but was fairly mechanical
 - Many fixes for some of the Realtek based Baytrail systems covering
   both the CODECs and the CPUs, contributed by Hans de Goode.
 - Lots of cleanups for Samsung based Odroid systems from Sylwester
   Nawrocki.
 - The Freescale SSI driver also got a lot of cleanups from Nicolin
   Chen.
 - The Blackfin drivers have been removed as part of the removal of the
   architecture.
 - New drivers for AKM AK4458 and AK5558, several AMD based machines,
   several Intel based machines, Maxim MAX9759, Motorola CPCAP,
   Socionext Uniphier SoCs, and TI PCM1789 and TDA7419
      903d271a
    • Takashi Iwai's avatar
      Merge branch 'for-next' into for-linus · bc334cb6
      Takashi Iwai authored 
      

Preparation for 4.17 merge.

Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      bc334cb6
  7. Mar 29, 2018
  9. Mar 28, 2018