* lsk-44/linux-linaro-lsk-v4.4:
Linux 4.4.3
modules: fix modparam async_probe request
module: wrapper for symbol name.
itimers: Handle relative timers with CONFIG_TIME_LOW_RES proper
posix-timers: Handle relative timers with CONFIG_TIME_LOW_RES proper
timerfd: Handle relative timers with CONFIG_TIME_LOW_RES proper
prctl: take mmap sem for writing to protect against others
xfs: log mount failures don't wait for buffers to be released
Revert "xfs: clear PF_NOFREEZE for xfsaild kthread"
xfs: inode recovery readahead can race with inode buffer creation
libxfs: pack the agfl header structure so XFS_AGFL_SIZE is correct
ovl: setattr: check permissions before copy-up
ovl: root: copy attr
ovl: check dentry positiveness in ovl_cleanup_whiteouts()
ovl: use a minimal buffer in ovl_copy_xattr
ovl: allow zero size xattr
futex: Drop refcount if requeue_pi() acquired the rtmutex
devm_memremap_release(): fix memremap'd addr handling
ipc/shm: handle removed segments gracefully in shm_mmap()
intel_scu_ipcutil: underflow in scu_reg_access()
mm,thp: khugepaged: call pte flush at the time of collapse
dump_stack: avoid potential deadlocks
radix-tree: fix oops after radix_tree_iter_retry
drivers/hwspinlock: fix race between radix tree insertion and lookup
radix-tree: fix race in gang lookup
MAINTAINERS: return arch/sh to maintained state, with new maintainers
memcg: only free spare array when readers are done
numa: fix /proc/<pid>/numa_maps for hugetlbfs on s390
fs/hugetlbfs/inode.c: fix bugs in hugetlb_vmtruncate_list()
scripts/bloat-o-meter: fix python3 syntax error
dma-debug: switch check from _text to _stext
m32r: fix m32104ut_defconfig build fail
xhci: Fix list corruption in urb dequeue at host removal
Revert "xhci: don't finish a TD if we get a short-transfer event mid TD"
iommu/vt-d: Clear PPR bit to ensure we get more page request interrupts
iommu/vt-d: Fix 64-bit accesses to 32-bit DMAR_GSTS_REG
iommu/vt-d: Fix mm refcounting to hold mm_count not mm_users
iommu/amd: Correct the wrong setting of alias DTE in do_attach
iommu/vt-d: Don't skip PCI devices when disabling IOTLB
Input: vmmouse - fix absolute device registration
string_helpers: fix precision loss for some inputs
Input: i8042 - add Fujitsu Lifebook U745 to the nomux list
Input: elantech - mark protocols v2 and v3 as semi-mt
mm: fix regression in remap_file_pages() emulation
mm: replace vma_lock_anon_vma with anon_vma_lock_read/write
mm: fix mlock accouting
libnvdimm: fix namespace object confusion in is_uuid_busy()
mm: soft-offline: check return value in second __get_any_page() call
perf kvm record/report: 'unprocessable sample' error while recording/reporting guest data
KVM: PPC: Fix ONE_REG AltiVec support
KVM: PPC: Fix emulation of H_SET_DABR/X on POWER8
KVM: arm/arm64: Fix reference to uninitialised VGIC
arm64: dma-mapping: fix handling of devices registered before arch_initcall
ARM: OMAP2+: Fix ppa_zero_params and ppa_por_params for rodata
ARM: OMAP2+: Fix save_secure_ram_context for rodata
ARM: OMAP2+: Fix l2dis_3630 for rodata
ARM: OMAP2+: Fix l2_inv_api_params for rodata
ARM: OMAP2+: Fix wait_dll_lock_timed for rodata
ARM: dts: at91: sama5d4ek: add phy address and IRQ for macb0
ARM: dts: at91: sama5d4 xplained: fix phy0 IRQ type
ARM: dts: at91: sama5d4: fix instance id of DBGU
ARM: dts: at91: sama5d4 xplained: properly mux phy interrupt
ARM: dts: omap5-board-common: enable rtc and charging of backup battery
ARM: dts: Fix omap5 PMIC control lines for RTC writes
ARM: dts: Fix wl12xx missing clocks that cause hangs
ARM: nomadik: fix up SD/MMC DT settings
ARM: 8517/1: ICST: avoid arithmetic overflow in icst_hz()
ARM: 8519/1: ICST: try other dividends than 1
arm64: mm: avoid calling apply_to_page_range on empty range
ARM: mvebu: remove duplicated regulator definition in Armada 388 GP
powerpc/ioda: Set "read" permission when "write" is set
powerpc/powernv: Fix stale PE primary bus
powerpc/eeh: Fix stale cached primary bus
powerpc/eeh: Fix PE location code
SUNRPC: Fixup socket wait for memory
udf: Check output buffer length when converting name to CS0
udf: Prevent buffer overrun with multi-byte characters
udf: limit the maximum number of indirect extents in a row
pNFS/flexfiles: Fix an XDR encoding bug in layoutreturn
nfs: Fix race in __update_open_stateid()
pNFS/flexfiles: Fix an Oopsable typo in ff_mirror_match_fh()
NFS: Fix attribute cache revalidation
cifs: fix erroneous return value
cifs_dbg() outputs an uninitialized buffer in cifs_readdir()
cifs: fix race between call_async() and reconnect()
cifs: Ratelimit kernel log messages
iio: inkern: fix a NULL dereference on error
iio: pressure: mpl115: fix temperature offset sign
iio: light: acpi-als: Report data as processed
iio: dac: mcp4725: set iio name property in sysfs
iio: add IIO_TRIGGER dependency to STK8BA50
iio: add HAS_IOMEM dependency to VF610_ADC
iio-light: Use a signed return type for ltr501_match_samp_freq()
iio:adc:ti_am335x_adc Fix buffered mode by identifying as software buffer.
iio: adis_buffer: Fix out-of-bounds memory access
scsi: fix soft lockup in scsi_remove_target() on module removal
SCSI: Add Marvell Console to VPD blacklist
scsi_dh_rdac: always retry MODE SELECT on command lock violation
drivers/scsi/sg.c: mark VMA as VM_IO to prevent migration
SCSI: fix crashes in sd and sr runtime PM
iscsi-target: Fix potential dead-lock during node acl delete
scsi: add Synology to 1024 sector blacklist
klist: fix starting point removed bug in klist iterators
tracepoints: Do not trace when cpu is offline
tracing: Fix freak link error caused by branch tracer
perf tools: tracepoint_error() can receive e=NULL, robustify it
tools lib traceevent: Fix output of %llu for 64 bit values read on 32 bit machines
ptrace: use fsuid, fsgid, effective creds for fs access checks
Btrfs: fix direct IO requests not reporting IO error to user space
Btrfs: fix hang on extent buffer lock caused by the inode_paths ioctl
Btrfs: fix page reading in extent_same ioctl leading to csum errors
Btrfs: fix invalid page accesses in extent_same (dedup) ioctl
btrfs: properly set the termination value of ctx->pos in readdir
Revert "btrfs: clear PF_NOFREEZE in cleaner_kthread()"
Btrfs: fix fitrim discarding device area reserved for boot loader's use
btrfs: handle invalid num_stripes in sys_array
ext4: don't read blocks from disk after extents being swapped
ext4: fix potential integer overflow
ext4: fix scheduling in atomic on group checksum failure
serial: omap: Prevent DoS using unprivileged ioctl(TIOCSRS485)
serial: 8250_pci: Add Intel Broadwell ports
tty: Add support for PCIe WCH382 2S multi-IO card
pty: make sure super_block is still valid in final /dev/tty close
pty: fix possible use after free of tty->driver_data
staging/speakup: Use tty_ldisc_ref() for paste kworker
phy: twl4030-usb: Fix unbalanced pm_runtime_enable on module reload
phy: twl4030-usb: Relase usb phy on unload
ALSA: seq: Fix double port list deletion
ALSA: seq: Fix leak of pool buffer at concurrent writes
ALSA: pcm: Fix rwsem deadlock for non-atomic PCM stream
ALSA: hda - Cancel probe work instead of flush at remove
x86/mm: Fix vmalloc_fault() to handle large pages properly
x86/uaccess/64: Handle the caching of 4-byte nocache copies properly in __copy_user_nocache()
x86/uaccess/64: Make the __copy_user_nocache() assembly code more readable
x86/mm/pat: Avoid truncation when converting cpa->numpages to address
x86/mm: Fix types used in pgprot cacheability flags translations
Linux 4.4.2
HID: multitouch: fix input mode switching on some Elan panels
mm, vmstat: fix wrong WQ sleep when memory reclaim doesn't make any progress
zsmalloc: fix migrate_zspage-zs_free race condition
zram: don't call idr_remove() from zram_remove()
zram: try vmalloc() after kmalloc()
zram/zcomp: use GFP_NOIO to allocate streams
rtlwifi: rtl8821ae: Fix 5G failure when EEPROM is incorrectly encoded
rtlwifi: rtl8821ae: Fix errors in parameter initialization
crypto: marvell/cesa - fix test in mv_cesa_dev_dma_init()
crypto: atmel-sha - remove calls of clk_prepare() from atomic contexts
crypto: atmel-sha - fix atmel_sha_remove()
crypto: algif_skcipher - Do not set MAY_BACKLOG on the async path
crypto: algif_skcipher - Do not dereference ctx without socket lock
crypto: algif_skcipher - Do not assume that req is unchanged
crypto: user - lock crypto_alg_list on alg dump
EVM: Use crypto_memneq() for digest comparisons
crypto: algif_hash - wait for crypto_ahash_init() to complete
crypto: shash - Fix has_key setting
crypto: chacha20-ssse3 - Align stack pointer to 64 bytes
crypto: caam - make write transactions bufferable on PPC platforms
crypto: algif_skcipher - sendmsg SG marking is off by one
crypto: algif_skcipher - Load TX SG list after waiting
crypto: crc32c - Fix crc32c soft dependency
crypto: algif_skcipher - Fix race condition in skcipher_check_key
crypto: algif_hash - Fix race condition in hash_check_key
crypto: af_alg - Forbid bind(2) when nokey child sockets are present
crypto: algif_skcipher - Remove custom release parent function
crypto: algif_hash - Remove custom release parent function
crypto: af_alg - Allow af_af_alg_release_parent to be called on nokey path
ahci: Intel DNV device IDs SATA
libata: disable forced PORTS_IMPL for >= AHCI 1.3
crypto: algif_skcipher - Add key check exception for cipher_null
crypto: skcipher - Add crypto_skcipher_has_setkey
crypto: algif_hash - Require setkey before accept(2)
crypto: hash - Add crypto_ahash_has_setkey
crypto: algif_skcipher - Add nokey compatibility path
crypto: af_alg - Add nokey compatibility path
crypto: af_alg - Fix socket double-free when accept fails
crypto: af_alg - Disallow bind/setkey/... after accept(2)
crypto: algif_skcipher - Require setkey before accept(2)
sched: Fix crash in sched_init_numa()
ext4 crypto: add missing locking for keyring_key access
iommu/io-pgtable-arm: Ensure we free the final level on teardown
tty: Fix unsafe ldisc reference via ioctl(TIOCGETD)
tty: Retry failed reopen if tty teardown in-progress
tty: Wait interruptibly for tty lock on reopen
n_tty: Fix unsafe reference to "other" ldisc
usb: xhci: apply XHCI_PME_STUCK_QUIRK to Intel Broxton-M platforms
usb: xhci: handle both SSIC ports in PME stuck quirk
usb: phy: msm: fix error handling in probe.
usb: cdc-acm: send zero packet for intel 7260 modem
usb: cdc-acm: handle unlinked urb in acm read callback
USB: option: fix Cinterion AHxx enumeration
USB: serial: option: Adding support for Telit LE922
USB: cp210x: add ID for IAI USB to RS485 adaptor
USB: serial: ftdi_sio: add support for Yaesu SCU-18 cable
usb: hub: do not clear BOS field during reset device
USB: visor: fix null-deref at probe
USB: serial: visor: fix crash on detecting device without write_urbs
ASoC: rt5645: fix the shift bit of IN1 boost
saa7134-alsa: Only frees registered sound cards
ALSA: dummy: Implement timer backend switching more safely
ALSA: hda - Fix bad dereference of jack object
ALSA: hda - Fix speaker output from VAIO AiO machines
Revert "ALSA: hda - Fix noise on Gigabyte Z170X mobo"
ALSA: hda - Fix static checker warning in patch_hdmi.c
ALSA: hda - Add fixup for Mac Mini 7,1 model
ALSA: timer: Fix race between stop and interrupt
ALSA: timer: Fix wrong instance passed to slave callbacks
ALSA: timer: Fix race at concurrent reads
ALSA: timer: Fix link corruption due to double start or stop
ALSA: timer: Fix leftover link at closing
ALSA: timer: Code cleanup
ALSA: seq: Fix lockdep warnings due to double mutex locks
ALSA: seq: Fix race at closing in virmidi driver
ALSA: seq: Fix yet another races among ALSA timer accesses
ASoC: dpcm: fix the BE state on hw_free
ALSA: pcm: Fix potential deadlock in OSS emulation
ALSA: hda/realtek - Support Dell headset mode for ALC225
ALSA: hda/realtek - Support headset mode for ALC225
ALSA: hda/realtek - New codec support of ALC225
ALSA: rawmidi: Fix race at copying & updating the position
ALSA: rawmidi: Remove kernel WARNING for NULL user-space buffer check
ALSA: rawmidi: Make snd_rawmidi_transmit() race-free
ALSA: seq: Degrade the error message for too many opens
ALSA: seq: Fix incorrect sanity check at snd_seq_oss_synth_cleanup()
ALSA: dummy: Disable switching timer backend via sysfs
ALSA: compress: Disable GET_CODEC_CAPS ioctl for some architectures
ALSA: hda - disable dynamic clock gating on Broxton before reset
ALSA: Add missing dependency on CONFIG_SND_TIMER
ALSA: bebob: Use a signed return type for get_formation_index
ALSA: usb-audio: avoid freeing umidi object twice
ALSA: usb-audio: Add native DSD support for PS Audio NuWave DAC
ALSA: usb-audio: Fix OPPO HA-1 vendor ID
ALSA: usb-audio: Add quirk for Microsoft LifeCam HD-6000
ALSA: usb-audio: Fix TEAC UD-501/UD-503/NT-503 usb delay
hrtimer: Handle remaining time proper for TIME_LOW_RES
md/raid: only permit hot-add of compatible integrity profiles
media: i2c: Don't export ir-kbd-i2c module alias
parisc: Fix __ARCH_SI_PREAMBLE_SIZE
parisc: Protect huge page pte changes with spinlocks
printk: do cond_resched() between lines while outputting to consoles
tracing/stacktrace: Show entire trace if passed in function not found
tracing: Fix stacktrace skip depth in trace_buffer_unlock_commit_regs()
PCI: Fix minimum allocation address overwrite
PCI: host: Mark PCIe/PCI (MSI) IRQ cascade handlers as IRQF_NO_THREAD
mtd: nand: assign reasonable default name for NAND drivers
wlcore/wl12xx: spi: fix NULL pointer dereference (Oops)
wlcore/wl12xx: spi: fix oops on firmware load
ocfs2/dlm: clear refmap bit of recovery lock while doing local recovery cleanup
ocfs2/dlm: ignore cleaning the migration mle that is inuse
ALSA: hda - Implement loopback control switch for Realtek and other codecs
block: fix bio splitting on max sectors
base/platform: Fix platform drivers with no probe callback
HID: usbhid: fix recursive deadlock
ocfs2: NFS hangs in __ocfs2_cluster_lock due to race with ocfs2_unblock_lock
block: split bios to max possible length
NFSv4.1/pnfs: Fixup an lo->plh_block_lgets imbalance in layoutreturn
crypto: sun4i-ss - add missing statesize
Linux 4.4.1
arm64: kernel: fix architected PMU registers unconditional access
arm64: kernel: enforce pmuserenr_el0 initialization and restore
arm64: mm: ensure that the zero page is visible to the page table walker
arm64: Clear out any singlestep state on a ptrace detach operation
powerpc/module: Handle R_PPC64_ENTRY relocations
scripts/recordmcount.pl: support data in text section on powerpc
powerpc: Make {cmp}xchg* and their atomic_ versions fully ordered
powerpc: Make value-returning atomics fully ordered
powerpc/tm: Check for already reclaimed tasks
batman-adv: Drop immediate orig_node free function
batman-adv: Drop immediate batadv_hard_iface free function
batman-adv: Drop immediate neigh_ifinfo free function
batman-adv: Drop immediate batadv_neigh_node free function
batman-adv: Drop immediate batadv_orig_ifinfo free function
batman-adv: Avoid recursive call_rcu for batadv_nc_node
batman-adv: Avoid recursive call_rcu for batadv_bla_claim
team: Replace rcu_read_lock with a mutex in team_vlan_rx_kill_vid
net/mlx5_core: Fix trimming down IRQ number
bridge: fix lockdep addr_list_lock false positive splat
ipv6: update skb->csum when CE mark is propagated
net: bpf: reject invalid shifts
phonet: properly unshare skbs in phonet_rcv()
dwc_eth_qos: Fix dma address for multi-fragment skbs
bonding: Prevent IPv6 link local address on enslaved devices
net: preserve IP control block during GSO segmentation
udp: disallow UFO for sockets with SO_NO_CHECK option
net: pktgen: fix null ptr deref in skb allocation
sched,cls_flower: set key address type when present
tcp_yeah: don't set ssthresh below 2
ipv6: tcp: add rcu locking in tcp_v6_send_synack()
net: sctp: prevent writes to cookie_hmac_alg from accessing invalid memory
vxlan: fix test which detect duplicate vxlan iface
unix: properly account for FDs passed over unix sockets
xhci: refuse loading if nousb is used
usb: core: lpm: fix usb3_hardware_lpm sysfs node
USB: cp210x: add ID for ELV Marble Sound Board 1
rtlwifi: fix memory leak for USB device
ASoC: compress: Fix compress device direction check
ASoC: wm5110: Fix PGA clear when disabling DRE
ALSA: timer: Handle disconnection more safely
ALSA: hda - Flush the pending probe work at remove
ALSA: hda - Fix missing module loading with model=generic option
ALSA: hda - Fix bass pin fixup for ASUS N550JX
ALSA: control: Avoid kernel warnings from tlv ioctl with numid 0
ALSA: hrtimer: Fix stall by hrtimer_cancel()
ALSA: pcm: Fix snd_pcm_hw_params struct copy in compat mode
ALSA: seq: Fix snd_seq_call_port_info_ioctl in compat mode
ALSA: hda - Add fixup for Dell Latitidue E6540
ALSA: timer: Fix double unlink of active_list
ALSA: timer: Fix race among timer ioctls
ALSA: hda - fix the headset mic detection problem for a Dell laptop
ALSA: timer: Harden slave timer list handling
ALSA: usb-audio: Fix mixer ctl regression of Native Instrument devices
ALSA: hda - Fix white noise on Dell Latitude E5550
ALSA: seq: Fix race at timer setup and close
ALSA: usb-audio: Avoid calling usb_autopm_put_interface() at disconnect
ALSA: seq: Fix missing NULL check at remove_events ioctl
ALSA: hda - Fixup inverted internal mic for Lenovo E50-80
ALSA: usb: Add native DSD support for Oppo HA-1
x86/mm: Improve switch_mm() barrier comments
x86/mm: Add barriers and document switch_mm()-vs-flush synchronization
x86/boot: Double BOOT_HEAP_SIZE to 64KB
x86/reboot/quirks: Add iMac10,1 to pci_reboot_dmi_table[]
kvm: x86: Fix vmwrite to SECONDARY_VM_EXEC_CONTROL
KVM: x86: correctly print #AC in traces
KVM: x86: expose MSR_TSC_AUX to userspace
x86/xen: don't reset vcpu_info on a cancelled suspend
KEYS: Fix keyring ref leak in join_session_keyring()
Conflicts:
arch/arm64/kernel/perf_event.c
drivers/scsi/sd.c
sound/core/compress_offload.c
Change-Id: I9f77fe42aaae249c24cd6e170202110ab1426878
Signed-off-by: Trilok Soni <tsoni@codeaurora.org>
32 bit variable is used for storing number of bytes copied to DSP,
which can overflow when playback duration goes beyond 24 hours.
Change data type for this variable to uint64_t, to prevent overflow
and related playback anomaly.
CRs-Fixed: 877677
Change-Id: Ie4dfa630cf89559bb784d4712c52526665baeca6
Signed-off-by: Dhananjay Kumar <dhakumar@codeaurora.org>
Codec specific metadata is sent only for first stream in gapless
playback. This causes incorrect configuration to be set for second
stream and distortions are observed due to framedrops in adsp.
Add support to send codec specific format during start of
next stream in gapless using set_next_track_param.
Change-Id: Ieec6b2afedec156e47873efcad9b3571160b0a29
Signed-off-by: Chaithanya Krishna Bacharaju <chaithan@codeaurora.org>
Signed-off-by: Alexy Joseph <alexyj@codeaurora.org>
Conflicts:
include/sound/compress_driver.h
Add an API to create a module under the given parent
directory and then register the info entry. This API
can be used to expose ID and version related
information.
Change-Id: I06f8bc1d8f649e6db37eb65303e948bc58eab7da
Signed-off-by: Phani Kumar Uppalapati <phaniu@codeaurora.org>
Currenlty HW params fails to set 384KHz sample rate
due to unsupported sample rate. Change to add 384KHz
sample rate support to ALSA.
Change-Id: I381f7cdcc69e6cf9339cec53aab3fa295760c17c
Signed-off-by: Vidyakumar Athota <vathota@codeaurora.org>
Propagate the error code from the compress framework for the timestamp
query. This error code will be used by the client to handle the
error case scenarios gracefully.
CRs-Fixed: 683288
Change-Id: I68ad14d52327dd0156531fe8d17ac54ba110fdf6
Signed-off-by: Aviral Gupta <aviralg@codeaurora.org>
Clean up the format specifiers for compress offload drivers
and add compat ioctl support
Change-Id: I0829830336ec62c66658d6a5199d73b61249f791
Signed-off-by: Damir Didjusto <damird@codeaurora.org>
Signed-off-by: Gopikrishnaiah Anandan <agopik@codeaurora.org>
Signed-off-by: Banajit Goswami <bgoswami@codeaurora.org>
Since we dont have lock over the function, we need to acquire mutex
when checking and modifying states in drain and partial_drain handlers
Change-Id: I3f8af90a226b772492fb6e09c625ebedc8ebfeb5
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Eric Laurent <elaurent@google.com>
Git-commit: bab68b886fb87ee82a3e7d86d54f7eaa025950ef
Git-repo: https://android.googlesource.com/kernel/msm
Signed-off-by: Dhananjay Kumar <dhakumar@codeaurora.org>
Signed-off-by: Banajit Goswami <bgoswami@codeaurora.org>
Revert some changes for compress offload path to avoid race
condition in drain and paartial-drain cases.
Signed-off-by: Banajit Goswami <bgoswami@codeaurora.org>
Some simple ioctls like timsetamp query, capabities query can be done anytime
and should not be under the stream lock. Move these to
snd_compress_simple_iotcls() which is invoked without lock held.
While at it, improve readblity a bit by sprinkling some empty lines.
Change-Id: Icc8ffdadd565c635f6a95e7e5bdda76257f24ea3
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Eric Laurent <elaurent@google.com>
Git-commit: 6a44374b8b92e9946dc1e5c15c2a11003aa859b1
Git-repo: https://android.googlesource.com/kernel/msm
[dhakumar@codeaurora.org: resolved merge conflicts]
Signed-off-by: Dhananjay Kumar <dhakumar@codeaurora.org>
We are not currently freeing the compressed devices at module
unload time. This could be used to help, but more investigation
needs to be done to resolve this issue.
This patch is WIP
Change-Id: I6cf8bcc56e4d446d83e9a0e63b79db3da378a901
Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>
Git-commit: b2ebfd20ecb255b8e575ea8b6fad8d1affc2ea77
Git-repo: https://android.googlesource.com/kernel/msm
Signed-off-by: Dhananjay Kumar <dhakumar@codeaurora.org>
snd_compr_tstamp is initialized using aggregate initialization
that does not zero out the padded bytes. Initialize timestamp
structure to zero using memset to avoid this.
CRs-Fixed: 568717
Change-Id: I7a7d188705161f06201f1a1f2945bb6acd633d5d
Signed-off-by: Krishnankutty Kolathappilly <kkolat@codeaurora.org>
Use SPECIAL format for AMR. Add mixer control to
input mode and rate.
Change-Id: I8746d86ce323744995575a22b6128b39daaa3d13
Signed-off-by: Helen Zeng <xiaoyunz@codeaurora.org>
[sboyd: Drop soc/msm parts]
Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Banajit Goswami <bgoswami@codeaurora.org>
Introduced a new helper function snd_pcm_add_usr_ctls() to
create control elements representing the user control for each
PCM (sub)stream
Signed-off-by: Jayasena Sangaraboina <jsanga@codeaurora.org>
Signed-off-by: Banajit Goswami <bgoswami@codeaurora.org>
Signed-off-by: Sudheer Papothi <spapothi@codeaurora.org>
Channel info data structure is parsed from userspace and if
user does not set the no. of channels correctly, it could lead
to security vulnerability if we don't check for overflow when the
no. of channels is multiplied with pcm bit width. Add a condition
to check for overflow during multiplication.
CRs-fixed: 537818
Change-Id: Ib9631b6e45d77b39be2c27343d4aee3e9244d8cc
Signed-off-by: Phani Kumar Uppalapati <phaniu@codeaurora.org>
Introduced a new helper function snd_pcm_add_volume_ctls() to
create control elements representing the volume for each PCM
(sub)stream.
Signed-off-by: Damir Didjusto <damird@codeaurora.org>
Signed-off-by: Banajit Goswami <bgoswami@codeaurora.org>
Signed-off-by: Sudheer Papothi <spapothi@codeaurora.org>
Change adds compat ioctl to listen driver for supporting 32 bit userspace
client when kernel is compiled for 64 bit.
Change-Id: Ie6a6fb1f2b6ea569e03b02bc520ef79b95c1009c
Signed-off-by: Gopikrishnaiah Anandan <agopik@codeaurora.org>
Signed-off-by: Banajit Goswami <bgoswami@codeaurora.org>
Compat driver should support compress ioctls when
COMPAT mode is enabled. Change adds support for
handling compress ioctls.
Change-Id: If7223ace326253240a1cd65bc9a111b8903977f1
Signed-off-by: Gopikrishnaiah Anandan <agopik@codeaurora.org>
Allow some PCM devices to be hostless, i.e. there is no PCM data transferred
to or from the host CPU. This can be used to minimise power on systems since
the CPU can idle/sleep during the PCM device operation (e.g. a phone call
where the DAI is between a MODEM and DSP)
TODO: cleanup, look at adding a read/write blocker.
Singed-off-by: Liam Girdwood <lrg@slimlogic.co.uk>
Signed-off-by: Banajit Goswami <bgoswami@codeaurora.org>
Signed-off-by: Sudheer Papothi <spapothi@codeaurora.org>
Handle ioctl magic 'U' as an user defined ioctl so that ALSA core calls
substream's ioctl handler. This gets rid of a requirement that ALSA core
needs to be changed every time when a new user defined ioctl is introduced.
Signed-off-by: Joonwoo Park <joonwoop@codeaurora.org>
Signed-off-by: Banajit Goswami <bgoswami@codeaurora.org>
Signed-off-by: Sudheer Papothi <spapothi@codeaurora.org>
This is needed to support the compressed audio till the
compressed core is done with development.
Signed-off-by: Asish Bhattacharya <asishb@codeaurora.org>
Signed-off-by: Banajit Goswami <bgoswami@codeaurora.org>
Signed-off-by: Sudheer Papothi <spapothi@codeaurora.org>
Incase of A2DP usecase using proxy driver, appl_ptr has
boundary value as 0x60000000 frames in sw_params for stereo(2 channels).
When this value crosses 0x40000000, then userspace calculating
appl_ptr at bytes results in crossing 32-bit value 0x100000000,
and points to 0x0 offset which can result in crash or pop.
To avoid above scenario, set the sw_params appl_ptr boundary value
within 0x40000000. Added proper check at sw_params update
to set this value correctly within 32-bit boundary(frames).
Change-Id: I537a04156699d90549a0a468ae19539ecd552d3b
CRs-Fixed: 483203
Signed-off-by: Laxminath Kasam <lkasam@codeaurora.org>
When compressed and pcm session is started the buffer pull will
Be from the DSP, in mmap mode for the scenario Hardware pointer
Is same as application pointer implies application has not filled the
Buffer to be send to DSP, and platform driver has to break and restart
The de queue process when the application has sufficient buffers.
When hardware pointer is same as application pointer it is an under run
Scenario where the ALSA framework has to trigger the under run and in HAL
The session has to re-prepare and re-triggered. based on the stop
Threshold, but in our system the stop threshold is INT_MAX which
Indicates that under run is not triggered in practical cases.
We have a brodcast usecase in which the mentioned under run case
Is hit mulitple times, and every time re-prepare and re-trigger will be
Expensive
Update the ASoC core framework to restart de queue process stopped
By platform Driver when the under run is hit, based on the available
Buffer and render flag, so the System will recover from the hang state.
To restart de queue process the ASoC core will be calling the restart
Callback registered by platform driver and this callback will be running in
Atomic context.
Change-Id: Ic9ea05a0dc6246346e9913493232882e2f5447d1
Signed-off-by: Santosh Mardi <gsantosh@codeaurora.org>
ALSA jack framework currently supports reporting only
one single microphone. Add support to report presence of
second microphone to userspace.
Signed-off-by: Phani Kumar Uppalapati <phaniu@codeaurora.org>
Signed-off-by: Banajit Goswami <bgoswami@codeaurora.org>
Signed-off-by: Sudheer Papothi <spapothi@codeaurora.org>
Expose sound card online/offline state to procfs so userspace application
can poll and read sound card's state.
Signed-off-by: Joonwoo Park <joonwoop@codeaurora.org>
Signed-off-by: Banajit Goswami <bgoswami@codeaurora.org>
Signed-off-by: Sudheer Papothi <spapothi@codeaurora.org>
commit 13d5e5d4725c64ec06040d636832e78453f477b7 upstream.
The commit [7f0973e973cd: ALSA: seq: Fix lockdep warnings due to
double mutex locks] split the management of two linked lists (source
and destination) into two individual calls for avoiding the AB/BA
deadlock. However, this may leave the possible double deletion of one
of two lists when the counterpart is being deleted concurrently.
It ends up with a list corruption, as revealed by syzkaller fuzzer.
This patch fixes it by checking the list emptiness and skipping the
deletion and the following process.
BugLink: http://lkml.kernel.org/r/CACT4Y+bay9qsrz6dQu31EcGaH9XwfW7o3oBzSQUG9fMszoh=Sg@mail.gmail.com
Fixes: 7f0973e973cd ('ALSA: seq: Fix lockdep warnings due to 'double mutex locks)
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d99a36f4728fcbcc501b78447f625bdcce15b842 upstream.
When multiple concurrent writes happen on the ALSA sequencer device
right after the open, it may try to allocate vmalloc buffer for each
write and leak some of them. It's because the presence check and the
assignment of the buffer is done outside the spinlock for the pool.
The fix is to move the check and the assignment into the spinlock.
(The current implementation is suboptimal, as there can be multiple
unnecessary vmallocs because the allocation is done before the check
in the spinlock. But the pool size is already checked beforehand, so
this isn't a big problem; that is, the only possible path is the
multiple writes before any pool assignment, and practically seen, the
current coverage should be "good enough".)
The issue was triggered by syzkaller fuzzer.
BugLink: http://lkml.kernel.org/r/CACT4Y+bSzazpXNvtAr=WXaL8hptqjHwqEyFA+VN2AWEx=aurkg@mail.gmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 67ec1072b053c15564e6090ab30127895dc77a89 upstream.
A non-atomic PCM stream may take snd_pcm_link_rwsem rw semaphore twice
in the same code path, e.g. one in snd_pcm_action_nonatomic() and
another in snd_pcm_stream_lock(). Usually this is OK, but when a
write lock is issued between these two read locks, the problem
happens: the write lock is blocked due to the first reade lock, and
the second read lock is also blocked by the write lock. This
eventually deadlocks.
The reason is the way rwsem manages waiters; it's queued like FIFO, so
even if the writer itself doesn't take the lock yet, it blocks all the
waiters (including reads) queued after it.
As a workaround, in this patch, we replace the standard down_write()
with an spinning loop. This is far from optimal, but it's good
enough, as the spinning time is supposed to be relatively short for
normal PCM operations, and the code paths requiring the write lock
aren't called so often.
Reported-by: Vinod Koul <vinod.koul@intel.com>
Tested-by: Ramesh Babu <ramesh.babu@intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ed8b1d6d2c741ab26d60d499d7fbb7ac801f0f51 upstream.
A slave timer element also unlinks at snd_timer_stop() but it takes
only slave_active_lock. When a slave is assigned to a master,
however, this may become a race against the master's interrupt
handling, eventually resulting in a list corruption. The actual bug
could be seen with a syzkaller fuzzer test case in BugLink below.
As a fix, we need to take timeri->timer->lock when timer isn't NULL,
i.e. assigned to a master, while the assignment to a master itself is
protected by slave_active_lock.
BugLink: http://lkml.kernel.org/r/CACT4Y+Y_Bm+7epAb=8Wi=AaWd+DYS7qawX52qxdCfOfY49vozQ@mail.gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 117159f0b9d392fb433a7871426fad50317f06f7 upstream.
In snd_timer_notify1(), the wrong timer instance was passed for slave
ccallback function. This leads to the access to the wrong data when
an incompatible master is handled (e.g. the master is the sequencer
timer and the slave is a user timer), as spotted by syzkaller fuzzer.
This patch fixes that wrong assignment.
BugLink: http://lkml.kernel.org/r/CACT4Y+Y_Bm+7epAb=8Wi=AaWd+DYS7qawX52qxdCfOfY49vozQ@mail.gmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 4dff5c7b7093b19c19d3a100f8a3ad87cb7cd9e7 upstream.
snd_timer_user_read() has a potential race among parallel reads, as
qhead and qused are updated outside the critical section due to
copy_to_user() calls. Move them into the critical section, and also
sanitize the relevant code a bit.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit f784beb75ce82f4136f8a0960d3ee872f7109e09 upstream.
Although ALSA timer code got hardening for races, it still causes
use-after-free error. This is however rather a corrupted linked list,
not actually the concurrent accesses. Namely, when timer start is
triggered twice, list_add_tail() is called twice, too. This ends
up with the link corruption and triggers KASAN error.
The simplest fix would be replacing list_add_tail() with
list_move_tail(), but fundamentally it's the problem that we don't
check the double start/stop correctly. So, the right fix here is to
add the proper checks to snd_timer_start() and snd_timer_stop() (and
their variants).
BugLink: http://lkml.kernel.org/r/CACT4Y+ZyPRoMQjmawbvmCEDrkBD2BQuH7R09=eOkf5ESK8kJAw@mail.gmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 094fd3be87b0f102589e2d5c3fa5d06b7e20496d upstream.
In ALSA timer core, the active timer instance is managed in
active_list linked list. Each element is added / removed dynamically
at timer start, stop and in timer interrupt. The problem is that
snd_timer_interrupt() has a thinko and leaves the element in
active_list when it's the last opened element. This eventually leads
to list corruption or use-after-free error.
This hasn't been revealed because we used to delete the list forcibly
in snd_timer_stop() in the past. However, the recent fix avoids the
double-stop behavior (in commit [f784beb75ce8: ALSA: timer: Fix link
corruption due to double start or stop]), and this leak hits reality.
This patch fixes the link management in snd_timer_interrupt(). Now it
simply unlinks no matter which stream is.
BugLink: http://lkml.kernel.org/r/CACT4Y+Yy2aukHP-EDp8-ziNqNNmb-NTf=jDWXMP7jB8HDa2vng@mail.gmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c3b1681375dc6e71d89a3ae00cc3ce9e775a8917 upstream.
This is a minor code cleanup without any functional changes:
- Kill keep_flag argument from _snd_timer_stop(), as all callers pass
only it false.
- Remove redundant NULL check in _snd_timer_stop().
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 7f0973e973cd74aa40747c9d38844560cd184ee8 upstream.
The port subscription code uses double mutex locks for source and
destination ports, and this may become racy once when wrongly set up.
It leads to lockdep warning splat, typically triggered by fuzzer like
syzkaller, although the actual deadlock hasn't been seen, so far.
This patch simplifies the handling by reducing to two single locks, so
that no lockdep warning will be trigger any longer.
By splitting to two actions, a still-in-progress element shall be
added in one list while handling another. For ignoring this element,
a new check is added in deliver_to_subscribers().
Along with it, the code to add/remove the subscribers list element was
cleaned up and refactored.
BugLink: http://lkml.kernel.org/r/CACT4Y+aKQXV7xkBW9hpQbzaDO7LrUvohxWh-UwMxXjDy-yBD=A@mail.gmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2d1b5c08366acd46c35a2e9aba5d650cb5bf5c19 upstream.
The virmidi driver has an open race at closing its assigned rawmidi
device, and this may lead to use-after-free in
snd_seq_deliver_single_event().
Plug the hole by properly protecting the linked list deletion and
calling in the right order in snd_virmidi_input_close().
BugLink: http://lkml.kernel.org/r/CACT4Y+Zd66+w12fNN85-425cVQT=K23kWbhnCEcMB8s3us-Frw@mail.gmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2cdc7b636d55cbcf42e1e6c8accd85e62d3e9ae8 upstream.
ALSA sequencer may open/close and control ALSA timer instance
dynamically either via sequencer events or direct ioctls. These are
done mostly asynchronously, and it may call still some timer action
like snd_timer_start() while another is calling snd_timer_close().
Since the instance gets removed by snd_timer_close(), it may lead to
a use-after-free.
This patch tries to address such a race by protecting each
snd_timer_*() call via the existing spinlock and also by avoiding the
access to timer during close call.
BugLink: http://lkml.kernel.org/r/CACT4Y+Z6RzW5MBr-HUdV-8zwg71WQfKTdPpYGvOeS7v4cyurNQ@mail.gmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b248371628aad599a48540962f6b85a21a8a0c3f upstream.
There are potential deadlocks in PCM OSS emulation code while
accessing read/write and mmap concurrently. This comes from the
infamous mmap_sem usage in copy_from/to_user(). Namely,
snd_pcm_oss_write() ->
&runtime->oss.params_lock ->
copy_to_user() ->
&mm->mmap_sem
mmap() ->
&mm->mmap_sem ->
snd_pcm_oss_mmap() ->
&runtime->oss.params_lock
Since we can't avoid taking params_lock from mmap code path, use
trylock variant and aborts with -EAGAIN as a workaround of this AB/BA
deadlock.
BugLink: http://lkml.kernel.org/r/CACT4Y+bVrBKDG0G2_AcUgUQa+X91VKTeS4v+wN7BSHwHtqn3kQ@mail.gmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 81f577542af15640cbcb6ef68baa4caa610cbbfc upstream.
The rawmidi read and write functions manage runtime stream status
such as runtime->appl_ptr and runtime->avail. These point where to
copy the new data and how many bytes have been copied (or to be
read). The problem is that rawmidi read/write call copy_from_user()
or copy_to_user(), and the runtime spinlock is temporarily unlocked
and relocked while copying user-space. Since the current code
advances and updates the runtime status after the spin unlock/relock,
the copy and the update may be asynchronous, and eventually
runtime->avail might go to a negative value when many concurrent
accesses are done. This may lead to memory corruption in the end.
For fixing this race, in this patch, the status update code is
performed in the same lock before the temporary unlock. Also, the
spinlock is now taken more widely in snd_rawmidi_kernel_read1() for
protecting more properly during the whole operation.
BugLink: http://lkml.kernel.org/r/CACT4Y+b-dCmNf1GpgPKfDO0ih+uZCL2JV4__j-r1kdhPLSgQCQ@mail.gmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit cc85f7a634cfaf9f0713c6aa06d08817424db37a upstream.
NULL user-space buffer can be passed even in a normal path, thus it's
not good to spew a kernel warning with stack trace at each time.
Just drop snd_BUG_ON() macro usage there.
BugLink: http://lkml.kernel.org/r/CACT4Y+YfVJ3L+q0i-4vyQVyyPD7V=OMX0PWPi29x9Bo3QaBLdw@mail.gmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 06ab30034ed9c200a570ab13c017bde248ddb2a6 upstream.
A kernel WARNING in snd_rawmidi_transmit_ack() is triggered by
syzkaller fuzzer:
WARNING: CPU: 1 PID: 20739 at sound/core/rawmidi.c:1136
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff82999e2d>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
[<ffffffff81352089>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482
[<ffffffff813522b9>] warn_slowpath_null+0x29/0x30 kernel/panic.c:515
[<ffffffff84f80bd5>] snd_rawmidi_transmit_ack+0x275/0x400 sound/core/rawmidi.c:1136
[<ffffffff84fdb3c1>] snd_virmidi_output_trigger+0x4b1/0x5a0 sound/core/seq/seq_virmidi.c:163
[< inline >] snd_rawmidi_output_trigger sound/core/rawmidi.c:150
[<ffffffff84f87ed9>] snd_rawmidi_kernel_write1+0x549/0x780 sound/core/rawmidi.c:1223
[<ffffffff84f89fd3>] snd_rawmidi_write+0x543/0xb30 sound/core/rawmidi.c:1273
[<ffffffff817b0323>] __vfs_write+0x113/0x480 fs/read_write.c:528
[<ffffffff817b1db7>] vfs_write+0x167/0x4a0 fs/read_write.c:577
[< inline >] SYSC_write fs/read_write.c:624
[<ffffffff817b50a1>] SyS_write+0x111/0x220 fs/read_write.c:616
[<ffffffff86336c36>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185
Also a similar warning is found but in another path:
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff82be2c0d>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
[<ffffffff81355139>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482
[<ffffffff81355369>] warn_slowpath_null+0x29/0x30 kernel/panic.c:515
[<ffffffff8527e69a>] rawmidi_transmit_ack+0x24a/0x3b0 sound/core/rawmidi.c:1133
[<ffffffff8527e851>] snd_rawmidi_transmit_ack+0x51/0x80 sound/core/rawmidi.c:1163
[<ffffffff852d9046>] snd_virmidi_output_trigger+0x2b6/0x570 sound/core/seq/seq_virmidi.c:185
[< inline >] snd_rawmidi_output_trigger sound/core/rawmidi.c:150
[<ffffffff85285a0b>] snd_rawmidi_kernel_write1+0x4bb/0x760 sound/core/rawmidi.c:1252
[<ffffffff85287b73>] snd_rawmidi_write+0x543/0xb30 sound/core/rawmidi.c:1302
[<ffffffff817ba5f3>] __vfs_write+0x113/0x480 fs/read_write.c:528
[<ffffffff817bc087>] vfs_write+0x167/0x4a0 fs/read_write.c:577
[< inline >] SYSC_write fs/read_write.c:624
[<ffffffff817bf371>] SyS_write+0x111/0x220 fs/read_write.c:616
[<ffffffff86660276>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185
In the former case, the reason is that virmidi has an open code
calling snd_rawmidi_transmit_ack() with the value calculated outside
the spinlock. We may use snd_rawmidi_transmit() in a loop just for
consuming the input data, but even there, there is a race between
snd_rawmidi_transmit_peek() and snd_rawmidi_tranmit_ack().
Similarly in the latter case, it calls snd_rawmidi_transmit_peek() and
snd_rawmidi_tranmit_ack() separately without protection, so they are
racy as well.
The patch tries to address these issues by the following ways:
- Introduce the unlocked versions of snd_rawmidi_transmit_peek() and
snd_rawmidi_transmit_ack() to be called inside the explicit lock.
- Rewrite snd_rawmidi_transmit() to be race-free (the former case).
- Make the split calls (the latter case) protected in the rawmidi spin
lock.
BugLink: http://lkml.kernel.org/r/CACT4Y+YPq1+cYLkadwjWa5XjzF1_Vki1eHnVn-Lm0hzhSpu5PA@mail.gmail.com
BugLink: http://lkml.kernel.org/r/CACT4Y+acG4iyphdOZx47Nyq_VHGbpJQK-6xNpiqUjaZYqsXOGw@mail.gmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit da10816e3d923565b470fec78a674baba794ed33 upstream.
ALSA OSS sequencer spews a kernel error message ("ALSA: seq_oss: too
many applications") when user-space tries to open more than the
limit. This means that it can easily fill the log buffer.
Since it's merely a normal error, it's safe to suppress it via
pr_debug() instead.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 599151336638d57b98d92338aa59c048e3a3e97d upstream.
ALSA sequencer OSS emulation code has a sanity check for currently
opened devices, but there is a thinko there, eventually it spews
warnings and skips the operation wrongly like:
WARNING: CPU: 1 PID: 7573 at sound/core/seq/oss/seq_oss_synth.c:311
Fix this off-by-one error.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 462b3f161beb62eeb290f4ec52f5ead29a2f8ac7 upstream.
Some architectures like PowerPC can handle the maximum struct size in
an ioctl only up to 13 bits, and struct snd_compr_codec_caps used by
SNDRV_COMPRESS_GET_CODEC_CAPS ioctl overflows this limit. This
problem was revealed recently by a powerpc change, as it's now treated
as a fatal build error.
This patch is a stop-gap for that: for architectures with less than 14
bit ioctl struct size, get rid of the handling of the relevant ioctl.
We should provide an alternative equivalent ioctl code later, but for
now just paper over it. Luckily, the compress API hasn't been used on
such architectures, so the impact must be effectively zero.
Reviewed-by: Mark Brown <broonie@kernel.org>
Acked-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 230323dac060123c340cf75997971145a42661ee upstream.
Currently ALSA timer device doesn't take the disconnection into
account very well; it merely unlinks the timer device at disconnection
callback but does nothing else. Because of this, when an application
accessing the timer device is disconnected, it may release the
resource before actually closed. In most cases, it results in a
warning message indicating a leftover timer instance like:
ALSA: timer xxxx is busy?
But basically this is an open race.
This patch tries to address it. The strategy is like other ALSA
devices: namely,
- Manage card's refcount at each open/close
- Wake up the pending tasks at disconnection
- Check the shutdown flag appropriately at each possible call
Note that this patch has one ugly hack to handle the wakeup of pending
tasks. It'd be cleaner to introduce a new disconnect op to
snd_timer_instance ops. But since it would lead to internal ABI
breakage and it eventually increase my own work when backporting to
stable kernels, I took a different path to implement locally in
timer.c. A cleanup patch will follow at next for 4.5 kernel.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=109431
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c0bcdbdff3ff73a54161fca3cb8b6cdbd0bb8762 upstream.
When a TLV ioctl with numid zero is handled, the driver may spew a
kernel warning with a stack trace at each call. The check was
intended obviously only for a kernel driver, but not for a user
interaction. Let's fix it.
This was spotted by syzkaller fuzzer.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2ba1fe7a06d3624f9a7586d672b55f08f7c670f3 upstream.
hrtimer_cancel() waits for the completion from the callback, thus it
must not be called inside the callback itself. This was already a
problem in the past with ALSA hrtimer driver, and the early commit
[fcfdebe707: ALSA: hrtimer - Fix lock-up] tried to address it.
However, the previous fix is still insufficient: it may still cause a
lockup when the ALSA timer instance reprograms itself in its callback.
Then it invokes the start function even in snd_timer_interrupt() that
is called in hrtimer callback itself, results in a CPU stall. This is
no hypothetical problem but actually triggered by syzkaller fuzzer.
This patch tries to fix the issue again. Now we call
hrtimer_try_to_cancel() at both start and stop functions so that it
won't fall into a deadlock, yet giving some chance to cancel the queue
if the functions have been called outside the callback. The proper
hrtimer_cancel() is called in anyway at closing, so this should be
enough.
Reported-and-tested-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 43c54b8c7cfe22f868a751ba8a59abf1724160b1 upstream.
This reverts one hunk of
commit ef44a1ec6e ("ALSA: sound/core: use memdup_user()"), which
replaced a number of kmalloc followed by memcpy with memdup calls.
In this case, we are copying from a struct snd_pcm_hw_params32 to
a struct snd_pcm_hw_params, but the latter is 4 bytes longer than
the 32-bit version, so we need to separate kmalloc and copy calls.
This actually leads to an out-of-bounds memory access later on
in sound/soc/soc-pcm.c:soc_pcm_hw_params() (detected using KASan).
Fixes: ef44a1ec6e ('ALSA: sound/core: use memdup_user()')
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
