Based on 1 normalized pattern(s):
licensed under the terms of the gnu general public license version 2
extracted by the scancode license scanner the SPDX license identifier
GPL-2.0-only
has been chosen to replace the boilerplate/reference in 88 file(s).
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Alexios Zavras <alexios.zavras@intel.com>
Reviewed-by: Allison Randal <allison@lohutok.net>
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190530000437.521539229@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
For code simplification and safety, use struct_size() macro for
calculating the snd_kcontrol object size with the variable array.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Based on 1 normalized pattern(s):
this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license as published by
the free software foundation version 2 of the license this program
is distributed in the hope that it will be useful but without any
warranty without even the implied warranty of merchantability or
fitness for a particular purpose see the gnu general public license
for more details you should have received a copy of the gnu general
public license along with this program if not write to the free
software foundation inc 59 temple place suite 330 boston ma 02111
1307 usa
extracted by the scancode license scanner the SPDX license identifier
GPL-2.0-only
has been chosen to replace the boilerplate/reference in 83 file(s).
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Richard Fontana <rfontana@redhat.com>
Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org>
Reviewed-by: Allison Randal <allison@lohutok.net>
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190527070034.021731668@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Based on 1 normalized pattern(s):
this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license as published by
the free software foundation either version 2 of the license or at
your option any later version this program is distributed in the
hope that it will be useful but without any warranty without even
the implied warranty of merchantability or fitness for a particular
purpose see the gnu general public license for more details you
should have received a copy of the gnu general public license along
with this program if not write to the free software foundation inc
59 temple place suite 330 boston ma 02111 1307 usa
extracted by the scancode license scanner the SPDX license identifier
GPL-2.0-or-later
has been chosen to replace the boilerplate/reference in 1334 file(s).
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Allison Randal <allison@lohutok.net>
Reviewed-by: Richard Fontana <rfontana@redhat.com>
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190527070033.113240726@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Based on 1 normalized pattern(s):
this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license as published by
the free software foundation either version 2 of the license or at
your option any later version
extracted by the scancode license scanner the SPDX license identifier
GPL-2.0-or-later
has been chosen to replace the boilerplate/reference in 3029 file(s).
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Allison Randal <allison@lohutok.net>
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190527070032.746973796@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Based on 1 normalized pattern(s):
this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license as published by
the free software foundation either version 2 of the license or at
your option any later version you should have received a copy of the
gnu general public license along with this program if not write to
the free software foundation inc 675 mass ave cambridge ma 02139 usa
extracted by the scancode license scanner the SPDX license identifier
GPL-2.0-or-later
has been chosen to replace the boilerplate/reference in 35 file(s).
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Armijn Hemel <armijn@tjaldur.nl>
Reviewed-by: Richard Fontana <rfontana@redhat.com>
Reviewed-by: Allison Randal <allison@lohutok.net>
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190527070032.655028468@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Make use of the struct_size() helper instead of an open-coded version
in order to avoid any potential type mistakes, in particular in the
context in which this code is being used.
So, replace the following form:
sizeof(struct rate_priv) + src_format->channels * sizeof(struct rate_channel)
with:
struct_size(data, channels, src_format->channels)
This code was detected with the help of Coccinelle.
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Add SPDX license identifiers to all Make/Kconfig files which:
- Have no license information of any form
These files fall under the project license, GPL v2 only. The resulting SPDX
license identifier is:
GPL-2.0-only
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The most significant changes at this cycle are the Sound Open Firmware
support from Intel for the common DSP framework along with its support
for Intel platforms. It's a door opened to a real "free" firmware (in
the sense of FOSS), and other parties show interests in it.
In addition to SOF, we've got a bunch of updates and fixes as usual.
Some highlights are below.
ALSA core:
- Cleanups and fixes in ALSA timer code to cover some races spotted
by syzkaller
- Cleanups and fixes in ALSA sequencer code to cover some races,
again unsurprisingly, spotted by syzkaller
- Optimize the common page allocation helper with alloc_pages_exact()
ASoC:
- Add SOF core support, as well as Intel SOF platform support
- Generic card driver improvements: support for MCLK/sample rate
ratio and pin switches
- A big set of improvements to TLV320AIC32x4 drivers
- New drivers for Freescale audio mixers, several Intel machines,
several Mediatek machines, Meson G12A, Spreadtrum compressed audio
and DMA devices
HD-audio:
- A few Realtek codec fixes for reducing pop noises
- Quirks for Chromebooks
- Workaround for faulty connection report on AMD/Nvidia HDMI
Others:
- A quirk for Focusrite Scarlett Solo USB-audio
- Add support for MOTU 8pre FireWire
- 24bit sample format support in aloop
- GUS patch format support (finally, over a decade) in native
emux synth code
-----BEGIN PGP SIGNATURE-----
iQJCBAABCAAsFiEEIXTw5fNLNI7mMiVaLtJE4w1nLE8FAlzUKVAOHHRpd2FpQHN1
c2UuZGUACgkQLtJE4w1nLE/FtQ/+LWWV9wIXeKYCSxKUdUF21Cpdo9eh3P55MTIR
ooxbasNywsllYC1l2IXYi/HYKUlpIwg7kA2itfxaPSW7pveWKPt4mufJsvWpRZws
XUre1MPR9vzTwDqhiG+8rH3osS0YVu9kOipRej043hFHsnXxbOfsnSQ2I+tst6tS
12s5Hmhx/YFyR6fJMCIm3CoR59spz/SWXftna6bnkKbEYkeDmI3TtM1s9jum3U5F
KReBigp1qffRzSjUYhw8YRujkJPqB65cLGguRyPDkuUoDbLzhu2QBNXwlQvk2+rH
bgreE7hqmm2ZwRnjSwJFtrFSuOfULjBjXqv2QMG+Lby5e/VzrzV0wdZJd2YXk9VX
VzhjiHmAGI2l30JClGuz9wN2MXuvtQFr2dJF56Nuw535mwuBUzxQwXY5qkX6uJ1z
KXADrUz7atA2VVYRgPEj8D30c1RlAzmiPLTxLTKouk0LdcOih90z/SaT/qlUHfsA
7TUaYBJt6PKbmrGK+PxUTpw/M88w+frbcV+PZNAynLeJfiRROl1Yg/6Tc0QC9nts
cHs9Migp2tf37gEvYcXFEPHI/A+sfIb5RZuTQySpUN09vODb37cZXl+lI4FuLGcJ
F4d45b05gNcybt+SFj63CGpW+k4QO8M6TUzy7gvQ0DdUmhd0mEvAmGfEPBoaBsau
5uJEfOQ=
=0tyg
-----END PGP SIGNATURE-----
Merge tag 'sound-5.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
Pull sound updates from Takashi Iwai:
"The most significant changes at this cycle are the Sound Open Firmware
support from Intel for the common DSP framework along with its support
for Intel platforms. It's a door opened to a real "free" firmware (in
the sense of FOSS), and other parties show interests in it.
In addition to SOF, we've got a bunch of updates and fixes as usual.
Some highlights are below.
ALSA core:
- Cleanups and fixes in ALSA timer code to cover some races spotted
by syzkaller
- Cleanups and fixes in ALSA sequencer code to cover some races,
again unsurprisingly, spotted by syzkaller
- Optimize the common page allocation helper with alloc_pages_exact()
ASoC:
- Add SOF core support, as well as Intel SOF platform support
- Generic card driver improvements: support for MCLK/sample rate
ratio and pin switches
- A big set of improvements to TLV320AIC32x4 drivers
- New drivers for Freescale audio mixers, several Intel machines,
several Mediatek machines, Meson G12A, Spreadtrum compressed audio
and DMA devices
HD-audio:
- A few Realtek codec fixes for reducing pop noises
- Quirks for Chromebooks
- Workaround for faulty connection report on AMD/Nvidia HDMI
Others:
- A quirk for Focusrite Scarlett Solo USB-audio
- Add support for MOTU 8pre FireWire
- 24bit sample format support in aloop
- GUS patch format support (finally, over a decade) in native emux
synth code"
* tag 'sound-5.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (375 commits)
ASoC: SOF: Fix unused variable warnings
ALSA: line6: toneport: Fix broken usage of timer for delayed execution
ALSA: aica: Fix a long-time build breakage
ALSA: hda/realtek - Support low power consumption for ALC256
ASoC: stm32: i2s: update pcm hardware constraints
ASoC: codec: hdac_hdmi: no checking monitor in hw_params
ASoC: mediatek: mt6358: save PGA for mixer control
ASoC: mediatek: mt6358: save output volume for mixer controls
ASoC: mediatek: mt6358: initialize setting when ramping volume
ASoC: SOF: core: fix undefined nocodec reference
ASoC: SOF: xtensa: fix undefined references
ASoC: SOF: Propagate sof_get_ctrl_copy_params() error properly
ALSA: hdea/realtek - Headset fixup for System76 Gazelle (gaze14)
ALSA: hda/intel: add CometLake PCI IDs
ALSA: hda/realtek - Support low power consumption for ALC295
ASoC: rockchip: Fix an uninitialized variable compile warning
ASoC: SOF: Fix a compile warning with CONFIG_PCI=n
ASoC: da7219: Fix a compile warning at CONFIG_COMMON_CLK=n
ASoC: sound/soc/sof/: fix kconfig dependency warning
ASoC: stm32: spdifrx: change trace level on iec control
...
Using scripts/coccinelle/api/stream_open.cocci added in 10dce8af34
("fs: stream_open - opener for stream-like files so that read and write
can run simultaneously without deadlock"), search and convert to
stream_open all in-kernel nonseekable_open users for which read and
write actually do not depend on ppos and where there is no other methods
in file_operations which assume @offset access.
I've verified each generated change manually - that it is correct to convert -
and each other nonseekable_open instance left - that it is either not correct
to convert there, or that it is not converted due to current stream_open.cocci
limitations. The script also does not convert files that should be valid to
convert, but that currently have .llseek = noop_llseek or generic_file_llseek
for unknown reason despite file being opened with nonseekable_open (e.g.
drivers/input/mousedev.c)
Among cases converted 14 were potentially vulnerable to read vs write deadlock
(see details in 10dce8af34):
drivers/char/pcmcia/cm4000_cs.c:1685:7-23: ERROR: cm4000_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
drivers/gnss/core.c:45:1-17: ERROR: gnss_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
drivers/hid/uhid.c:635:1-17: ERROR: uhid_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
drivers/infiniband/core/user_mad.c:988:1-17: ERROR: umad_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
drivers/input/evdev.c:527:1-17: ERROR: evdev_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
drivers/input/misc/uinput.c:401:1-17: ERROR: uinput_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
drivers/isdn/capi/capi.c:963:8-24: ERROR: capi_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
drivers/leds/uleds.c:77:1-17: ERROR: uleds_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
drivers/media/rc/lirc_dev.c:198:1-17: ERROR: lirc_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
drivers/s390/char/fs3270.c:488:1-17: ERROR: fs3270_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
drivers/usb/misc/ldusb.c:310:1-17: ERROR: ld_usb_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
drivers/xen/evtchn.c:667:8-24: ERROR: evtchn_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
net/batman-adv/icmp_socket.c:80:1-17: ERROR: batadv_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
net/rfkill/core.c:1146:8-24: ERROR: rfkill_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
and the rest were just safe to convert to stream_open because their read and
write do not use ppos at all and corresponding file_operations do not
have methods that assume @offset file access(*):
arch/powerpc/platforms/52xx/mpc52xx_gpt.c:631:8-24: WARNING: mpc52xx_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
arch/powerpc/platforms/cell/spufs/file.c:591:8-24: WARNING: spufs_ibox_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
arch/powerpc/platforms/cell/spufs/file.c:591:8-24: WARNING: spufs_ibox_stat_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
arch/powerpc/platforms/cell/spufs/file.c:591:8-24: WARNING: spufs_mbox_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
arch/powerpc/platforms/cell/spufs/file.c:591:8-24: WARNING: spufs_mbox_stat_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
arch/powerpc/platforms/cell/spufs/file.c:591:8-24: WARNING: spufs_wbox_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
arch/powerpc/platforms/cell/spufs/file.c:591:8-24: WARNING: spufs_wbox_stat_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
arch/um/drivers/harddog_kern.c:88:8-24: WARNING: harddog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
arch/x86/kernel/cpu/microcode/core.c:430:33-49: WARNING: microcode_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/char/ds1620.c:215:8-24: WARNING: ds1620_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/char/dtlk.c:301:1-17: WARNING: dtlk_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
drivers/char/ipmi/ipmi_watchdog.c:840:9-25: WARNING: ipmi_wdog_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
drivers/char/pcmcia/scr24x_cs.c:95:8-24: WARNING: scr24x_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
drivers/char/tb0219.c:246:9-25: WARNING: tb0219_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
drivers/firewire/nosy.c:306:8-24: WARNING: nosy_ops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/hwmon/fschmd.c:840:8-24: WARNING: watchdog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/hwmon/w83793.c:1344:8-24: WARNING: watchdog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/infiniband/core/ucma.c:1747:8-24: WARNING: ucma_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/infiniband/core/ucm.c:1178:8-24: WARNING: ucm_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/infiniband/core/uverbs_main.c:1086:8-24: WARNING: uverbs_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/input/joydev.c:282:1-17: WARNING: joydev_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/pci/switch/switchtec.c:393:1-17: WARNING: switchtec_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
drivers/platform/chrome/cros_ec_debugfs.c:135:8-24: WARNING: cros_ec_console_log_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/rtc/rtc-ds1374.c:470:9-25: WARNING: ds1374_wdt_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
drivers/rtc/rtc-m41t80.c:805:9-25: WARNING: wdt_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
drivers/s390/char/tape_char.c:293:2-18: WARNING: tape_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
drivers/s390/char/zcore.c:194:8-24: WARNING: zcore_reipl_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/s390/crypto/zcrypt_api.c:528:8-24: WARNING: zcrypt_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
drivers/spi/spidev.c:594:1-17: WARNING: spidev_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
drivers/staging/pi433/pi433_if.c:974:1-17: WARNING: pi433_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/acquirewdt.c:203:8-24: WARNING: acq_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/advantechwdt.c:202:8-24: WARNING: advwdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/alim1535_wdt.c:252:8-24: WARNING: ali_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/alim7101_wdt.c:217:8-24: WARNING: wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/ar7_wdt.c:166:8-24: WARNING: ar7_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/at91rm9200_wdt.c:113:8-24: WARNING: at91wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/ath79_wdt.c:135:8-24: WARNING: ath79_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/bcm63xx_wdt.c:119:8-24: WARNING: bcm63xx_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/cpu5wdt.c:143:8-24: WARNING: cpu5wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/cpwd.c:397:8-24: WARNING: cpwd_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/eurotechwdt.c:319:8-24: WARNING: eurwdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/f71808e_wdt.c:528:8-24: WARNING: watchdog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/gef_wdt.c:232:8-24: WARNING: gef_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/geodewdt.c:95:8-24: WARNING: geodewdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/ib700wdt.c:241:8-24: WARNING: ibwdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/ibmasr.c:326:8-24: WARNING: asr_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/indydog.c:80:8-24: WARNING: indydog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/intel_scu_watchdog.c:307:8-24: WARNING: intel_scu_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/iop_wdt.c:104:8-24: WARNING: iop_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/it8712f_wdt.c:330:8-24: WARNING: it8712f_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/ixp4xx_wdt.c:68:8-24: WARNING: ixp4xx_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/ks8695_wdt.c:145:8-24: WARNING: ks8695wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/m54xx_wdt.c:88:8-24: WARNING: m54xx_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/machzwd.c:336:8-24: WARNING: zf_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/mixcomwd.c:153:8-24: WARNING: mixcomwd_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/mtx-1_wdt.c:121:8-24: WARNING: mtx1_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/mv64x60_wdt.c:136:8-24: WARNING: mv64x60_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/nuc900_wdt.c:134:8-24: WARNING: nuc900wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/nv_tco.c:164:8-24: WARNING: nv_tco_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/pc87413_wdt.c:289:8-24: WARNING: pc87413_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/pcwd.c:698:8-24: WARNING: pcwd_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/pcwd.c:737:8-24: WARNING: pcwd_temp_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/pcwd_pci.c:581:8-24: WARNING: pcipcwd_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/pcwd_pci.c:623:8-24: WARNING: pcipcwd_temp_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/pcwd_usb.c:488:8-24: WARNING: usb_pcwd_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/pcwd_usb.c:527:8-24: WARNING: usb_pcwd_temperature_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/pika_wdt.c:121:8-24: WARNING: pikawdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/pnx833x_wdt.c:119:8-24: WARNING: pnx833x_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/rc32434_wdt.c:153:8-24: WARNING: rc32434_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/rdc321x_wdt.c:145:8-24: WARNING: rdc321x_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/riowd.c:79:1-17: WARNING: riowd_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/sa1100_wdt.c:62:8-24: WARNING: sa1100dog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/sbc60xxwdt.c:211:8-24: WARNING: wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/sbc7240_wdt.c:139:8-24: WARNING: wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/sbc8360.c:274:8-24: WARNING: sbc8360_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/sbc_epx_c3.c:81:8-24: WARNING: epx_c3_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/sbc_fitpc2_wdt.c:78:8-24: WARNING: fitpc2_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/sb_wdog.c:108:1-17: WARNING: sbwdog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/sc1200wdt.c:181:8-24: WARNING: sc1200wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/sc520_wdt.c:261:8-24: WARNING: wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/sch311x_wdt.c:319:8-24: WARNING: sch311x_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/scx200_wdt.c:105:8-24: WARNING: scx200_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/smsc37b787_wdt.c:369:8-24: WARNING: wb_smsc_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/w83877f_wdt.c:227:8-24: WARNING: wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/w83977f_wdt.c:301:8-24: WARNING: wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/wafer5823wdt.c:200:8-24: WARNING: wafwdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/watchdog_dev.c:828:8-24: WARNING: watchdog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/wdrtas.c:379:8-24: WARNING: wdrtas_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/wdrtas.c:445:8-24: WARNING: wdrtas_temp_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/wdt285.c:104:1-17: WARNING: watchdog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/wdt977.c:276:8-24: WARNING: wdt977_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/wdt.c:424:8-24: WARNING: wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/wdt.c:484:8-24: WARNING: wdt_temp_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/wdt_pci.c:464:8-24: WARNING: wdtpci_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
drivers/watchdog/wdt_pci.c:527:8-24: WARNING: wdtpci_temp_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
net/batman-adv/log.c:105:1-17: WARNING: batadv_log_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
sound/core/control.c:57:7-23: WARNING: snd_ctl_f_ops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
sound/core/rawmidi.c:385:7-23: WARNING: snd_rawmidi_f_ops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
sound/core/seq/seq_clientmgr.c:310:7-23: WARNING: snd_seq_f_ops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
sound/core/timer.c:1428:7-23: WARNING: snd_timer_f_ops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
One can also recheck/review the patch via generating it with explanation comments included via
$ make coccicheck MODE=patch COCCI=scripts/coccinelle/api/stream_open.cocci SPFLAGS="-D explain"
(*) This second group also contains cases with read/write deadlocks that
stream_open.cocci don't yet detect, but which are still valid to convert to
stream_open since ppos is not used. For example drivers/pci/switch/switchtec.c
calls wait_for_completion_interruptible() in its .read, but stream_open.cocci
currently detects only "wait_event*" as blocking.
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Yongzhi Pan <panyongzhi@gmail.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: David Vrabel <david.vrabel@citrix.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Miklos Szeredi <miklos@szeredi.hu>
Cc: Tejun Heo <tj@kernel.org>
Cc: Kirill Tkhai <ktkhai@virtuozzo.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Julia Lawall <Julia.Lawall@lip6.fr>
Cc: Nikolaus Rath <Nikolaus@rath.org>
Cc: Han-Wen Nienhuys <hanwen@google.com>
Cc: Anatolij Gustschin <agust@denx.de>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Richard Weinberger <richard@nod.at>
Cc: Anton Ivanov <anton.ivanov@cambridgegreys.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "James R. Van Zandt" <jrv@vanzandt.mv.com>
Cc: Corey Minyard <minyard@acm.org>
Cc: Harald Welte <laforge@gnumonks.org>
Acked-by: Lubomir Rintel <lkundrak@v3.sk> [scr24x_cs]
Cc: Stefan Richter <stefanr@s5r6.in-berlin.de>
Cc: Johan Hovold <johan@kernel.org>
Cc: David Herrmann <dh.herrmann@googlemail.com>
Cc: Jiri Kosina <jikos@kernel.org>
Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Cc: Jean Delvare <jdelvare@suse.com>
Acked-by: Guenter Roeck <linux@roeck-us.net> [watchdog/* hwmon/*]
Cc: Rudolf Marek <r.marek@assembler.cz>
Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: Karsten Keil <isdn@linux-pingi.de>
Cc: Jacek Anaszewski <jacek.anaszewski@gmail.com>
Cc: Pavel Machek <pavel@ucw.cz>
Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: Kurt Schwemmer <kurt.schwemmer@microsemi.com>
Acked-by: Logan Gunthorpe <logang@deltatee.com> [drivers/pci/switch/switchtec]
Acked-by: Bjorn Helgaas <bhelgaas@google.com> [drivers/pci/switch/switchtec]
Cc: Benson Leung <bleung@chromium.org>
Acked-by: Enric Balletbo i Serra <enric.balletbo@collabora.com> [platform/chrome]
Cc: Alessandro Zummo <a.zummo@towertech.it>
Acked-by: Alexandre Belloni <alexandre.belloni@bootlin.com> [rtc/*]
Cc: Mark Brown <broonie@kernel.org>
Cc: Wim Van Sebroeck <wim@linux-watchdog.org>
Cc: Florian Fainelli <f.fainelli@gmail.com>
Cc: bcm-kernel-feedback-list@broadcom.com
Cc: Wan ZongShun <mcuos.com@gmail.com>
Cc: Zwane Mwaikambo <zwanem@gmail.com>
Cc: Marek Lindner <mareklindner@neomailbox.ch>
Cc: Simon Wunderlich <sw@simonwunderlich.de>
Cc: Antonio Quartulli <a@unstable.cc>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Johannes Berg <johannes@sipsolutions.net>
Cc: Jaroslav Kysela <perex@perex.cz>
Cc: Takashi Iwai <tiwai@suse.com>
Signed-off-by: Kirill Smelkov <kirr@nexedi.com>
The snd_cards[] array holds the card pointers that have been currently
registered, and it's exported for the external modules that may need
to refer a card object. But accessing to this array can be racy
against the driver probe or removal, as the card registration or free
may happen concurrently.
This patch gets rid of the direct access to snd_cards[] array and
provides a helper function to give the card object from the index
number with a refcount management. Then the caller can access to the
given card object safely, and releases it via snd_card_unref().
While we're at it, add a proper comment to snd_card_unref() and make
it an inlined function for type-safety, too.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
There is a small race window in the card disconnection code that
allows the registration of another card with the very same card id.
This leads to a warning in procfs creation as caught by syzkaller.
The problem is that we delete snd_cards and snd_cards_lock entries at
the very beginning of the disconnection procedure. This makes the
slot available to be assigned for another card object while the
disconnection procedure is being processed. Then it becomes possible
to issue a procfs registration with the existing file name although we
check the conflict beforehand.
The fix is simply to move the snd_cards and snd_cards_lock clearances
at the end of the disconnection procedure. The references to these
entries are merely either from the global proc files like
/proc/asound/cards or from the card registration / disconnection, so
it should be fine to shift at the very end.
Reported-by: syzbot+48df349490c36f9f54ab@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The ALSA proc helper manages the child nodes in a linked list, but its
addition and deletion is done without any lock. This leads to a
corruption if they are operated concurrently. Usually this isn't a
problem because the proc entries are added sequentially in the driver
probe procedure itself. But the card registrations are done often
asynchronously, and the crash could be actually reproduced with
syzkaller.
This patch papers over it by protecting the link addition and deletion
with the parent's mutex. There is "access" mutex that is used for the
file access, and this can be reused for this purpose as well.
Reported-by: syzbot+48df349490c36f9f54ab@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The doubly unlock sequence at snd_seq_client_ioctl_unlock() is tricky.
I took a direct unref call since I thought it would avoid
misunderstanding, but rather this seems more confusing. Let's use
snd_seq_client_unlock() consistently even if they look strange to be
called twice, and add more comments for avoiding reader's confusion.
Fixes: 6b580f5231 ("ALSA: seq: Protect racy pool manipulation from OSS sequencer")
Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
OSS sequencer emulation still allows to queue and issue the events
that manipulate the client pool concurrently in a racy way. This
patch serializes the access like the normal sequencer write / ioctl
via taking the client ioctl_mutex. Since the access to the sequencer
client is done indirectly via a client id number, a new helper to
take/release the mutex is introduced.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
We have two helpers for queuing a sequencer event from the kernel
client, and both are used only from OSS sequencer layer without any
hop and atomic set. Let's simplify and unify two helpers into one.
No functional change, just a call pattern change.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The call of unsubscribe_port() which manages the group count and
module refcount from delete_and_unsubscribe_port() looks racy; it's
not covered by the group list lock, and it's likely a cause of the
reported unbalance at port deletion. Let's move the call inside the
group list_mutex to plug the hole.
Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
This reverts commit feb689025f.
The fix attempt was incorrect, leading to the mutex deadlock through
the close of OSS sequencer client. The proper fix needs more
consideration, so let's revert it now.
Fixes: feb689025f ("ALSA: seq: Protect in-kernel ioctl calls with mutex")
Reported-by: syzbot+47ded6c0f23016cde310@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Just a minor refactoring to use the standard goto for error paths in
snd_timer_open() instead of open code. The first mutex_lock() is
moved to the beginning of the function to make the code clearer.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The snd_seq_ioctl_get_subscription() retrieves the port subscriber
information as a pointer, while the object isn't protected, hence it
may be deleted before the actual reference. This race was spotted by
syzkaller and may lead to a UAF.
The fix is simply copying the data in the lookup function that
performs in the rwsem to protect against the deletion.
Reported-by: syzbot+9437020c82413d00222d@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
ALSA OSS sequencer calls the ioctl function indirectly via
snd_seq_kernel_client_ctl(). While we already applied the protection
against races between the normal ioctls and writes via the client's
ioctl_mutex, this code path was left untouched. And this seems to be
the cause of still remaining some rare UAF as spontaneously triggered
by syzkaller.
For the sake of robustness, wrap the ioctl_mutex also for the call via
snd_seq_kernel_client_ctl(), too.
Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
spin_lock_irqsave() is used unnecessarily in various places in
sequencer core code although it's pretty obvious that the context is
sleepable. Remove irqsave and use the plain spin_lock_irq() in such
places for simplicity.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
In a few places in sequencer core, we temporarily unlock / re-lock the
pool spin lock while waiting for the allocation in the blocking mode.
There spin_unlock_irq() / spin_lock_irq() pairs are called while
initially spin_lock_irqsave() is used (and spin_lock_irqrestore() at
the end of the function again). This is likely OK for now, but it's a
bit confusing and error-prone.
This patch replaces these temporary relocking lines with the irqsave
variant to make the lock/unlock sequence more consistently.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Use kvmalloc() for allocating cell pools since the pool size can be
relatively small that may be covered better by slab.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
This is essentially a revert of the commit a7588c896b ("ALSA: timer:
Check ack_list emptiness instead of bit flag"). The intended change
by the commit turns out to be insufficient, as snd_timer_close*()
always calls snd_timer_stop() that deletes the ack_list beforehand.
In theory, we can change the behavior of snd_timer_stop() to sync the
pending ack_list, but this will become a deadlock for the callback
like sequencer that calls again snd_timer_stop() from itself. So,
reverting the change is a more straightforward solution.
Fixes: a7588c896b ("ALSA: timer: Check ack_list emptiness instead of bit flag")
Reported-by: syzbot+58813d77154713f4de15@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
When ioctl calls are made with non-null-terminated userspace strings,
strlcpy causes an OOB-read from within strlen. Fix by changing to use
strscpy instead.
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
snd_malloc_pages() and snd_free_pages() are merely thin wrappers of
the standard page allocator / free functions. Even the arguments are
compatible with some standard helpers, so there is little merit of
keeping these wrappers.
This patch replaces the all existing callers of snd_malloc_pages() and
snd_free_pages() with the direct calls of the standard helper
functions. In this version, we use a recently introduced one,
alloc_pages_exact(), which suits better than the old
snd_malloc_pages() implementation for our purposes. Then we can avoid
the waste of pages by alignment to power-of-two.
Since alloc_pages_exact() does split pages, we need no longer
__GFP_COMP flag; or better to say, we must not pass __GFP_COMP to
alloc_pages_exact(). So the former unconditional addition of
__GFP_COMP flag in snd_malloc_pages() is dropped, as well as in most
other places.
Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Acked-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
snd_timer_close() is supposed to close the timer instance and sync
with the deactivation of pending actions. However, there are still
some overlooked cases:
- It calls snd_timer_stop() at the beginning, but some other might
re-trigger the timer right after that.
- snd_timer_stop() calls del_timer_sync() only when all belonging
instances are closed. If multiple instances were assigned to a
timer object and one is closed, the timer is still running. Then
the pending action assigned to this timer might be left.
Actually either of the above is the likely cause of the reported
syzkaller UAF.
This patch plug these holes by introducing SNDRV_TIMER_IFLG_DEAD
flag. This is set at the beginning of snd_timer_close(), and the flag
is checked at snd_timer_start*() and else, so that no longer new
action is left after snd_timer_close().
Reported-by: syzbot+d5136d4d3240cbe45a2a@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
For checking the pending timer instance that is still left on the
timer object that is being closed, we set/clear a bit flag
SNDRV_TIMER_IFLG_CALLBACK around the call of callbacks. This can be
simplified by replace with the list_empty() call for ti->ack_list.
This covers the existence more comprehensively and safely.
A gratis bonus is that we can get rid of SNDRV_TIMER_IFLG_CALLBACK bit
flag definition as well.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
When a card is under disconnection, we bail out immediately at each
timer interrupt or tasklet. This might leave some items left in ack
list. For a better integration of the upcoming change to check
ack_list emptiness, clear out the whole list upon the emergency exit
route.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The timer core has two almost identical code for processing callbacks:
once in snd_timer_interrupt() for fast callbacks and another in
snd_timer_tasklet() for delayed callbacks. Let's unify them.
In the new version, the resolution is read from ti->resolution at each
call, and this must be fine; ti->resolution is set in the preparation
step in snd_timer_interrupt().
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Currently PCM core sets each opened stream forcibly to SUSPENDED state
via snd_pcm_suspend_all() call, and the user-space is responsible for
re-triggering the resume manually either via snd_pcm_resume() or
prepare call. The scheme works fine usually, but there are corner
cases where the stream can't be resumed by that call: the streams
still in OPEN state before finishing hw_params. When they are
suspended, user-space cannot perform resume or prepare because they
haven't been set up yet. The only possible recovery is to re-open the
device, which isn't nice at all. Similarly, when a stream is in
DISCONNECTED state, it makes no sense to change it to SUSPENDED
state. Ditto for in SETUP state; which you can re-prepare directly.
So, this patch addresses these issues by filtering the PCM streams to
be suspended by checking the PCM state. When a stream is in either
OPEN, SETUP or DISCONNECTED as well as already SUSPENDED, the suspend
action is skipped.
To be noted, this problem was originally reported for the PCM runtime
PM on HD-audio. And, the runtime PM problem itself was already
addressed (although not intended) by the code refactoring commits
3d21ef0b49 ("ALSA: pcm: Suspend streams globally via device type PM
ops") and 17bc4815de ("ALSA: pci: Remove superfluous
snd_pcm_suspend*() calls"). These commits eliminated the
snd_pcm_suspend*() calls from the runtime PM suspend callback code
path, hence the racy OPEN state won't appear while runtime PM.
(FWIW, the race window is between snd_pcm_open_substream() and the
first power up in azx_pcm_open().)
Although the runtime PM issue was already "fixed", the same problem is
still present for the system PM, hence this patch is still needed.
And for stable trees, this patch alone should suffice for fixing the
runtime PM problem, too.
Reported-and-tested-by: Jon Hunter <jonathanh@nvidia.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The PCM OSS emulation converts and transfers the data on the fly via
"plugins". The data is converted over the dynamically allocated
buffer for each plugin, and recently syzkaller caught OOB in this
flow.
Although the bisection by syzbot pointed out to the commit
65766ee0bf ("ALSA: oss: Use kvzalloc() for local buffer
allocations"), this is merely a commit to replace vmalloc() with
kvmalloc(), hence it can't be the cause. The further debug action
revealed that this happens in the case where a slave PCM doesn't
support only the stereo channels while the OSS stream is set up for a
mono channel. Below is a brief explanation:
At each OSS parameter change, the driver sets up the PCM hw_params
again in snd_pcm_oss_change_params_lock(). This is also the place
where plugins are created and local buffers are allocated. The
problem is that the plugins are created before the final hw_params is
determined. Namely, two snd_pcm_hw_param_near() calls for setting the
period size and periods may influence on the final result of channels,
rates, etc, too, while the current code has already created plugins
beforehand with the premature values. So, the plugin believes that
channels=1, while the actual I/O is with channels=2, which makes the
driver reading/writing over the allocated buffer size.
The fix is simply to move the plugin allocation code after the final
hw_params call.
Reported-by: syzbot+d4503ae45b65c5bc1194@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
dev is indirectly controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.
This issue was detected with the help of Smatch:
sound/core/seq/oss/seq_oss_synth.c:626 snd_seq_oss_synth_make_info() warn: potential spectre issue 'dp->synths' [w] (local cap)
Fix this by sanitizing dev before using it to index dp->synths.
Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].
[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/
Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
info->stream is indirectly controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.
This issue was detected with the help of Smatch:
sound/core/rawmidi.c:604 __snd_rawmidi_info_select() warn: potential spectre issue 'rmidi->streams' [r] (local cap)
Fix this by sanitizing info->stream before using it to index
rmidi->streams.
Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].
[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/
Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
This avoids bringing back the problem introduced by
62ba568f7a ("ALSA: pcm: Return 0 when size <
start_threshold in capture") and fixed in 00a399cad1
("ALSA: pcm: Revert capture stream behavior change in
blocking mode"), which prevented the user from starting
capture from another thread.
Signed-off-by: Ricardo Biehl Pasquali <pasqualirb@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
BE dai links only have internal PCM's and their substream ops may
not be set. Suspending these PCM's will result in their
ops->trigger() being invoked and cause a kernel oops.
So skip suspending PCM's if their ops are NULL.
[ NOTE: this change is required now for following the recent PCM core
change to get rid of snd_pcm_suspend() call. Since DPCM BE takes
the runtime carried from FE while keeping NULL ops, it can hit this
bug. See details at:
https://github.com/thesofproject/linux/pull/582
-- tiwai ]
Signed-off-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
In the commit 62ba568f7a ("ALSA: pcm: Return 0 when size <
start_threshold in capture"), we changed the behavior of
__snd_pcm_lib_xfer() to return immediately with 0 when a capture
stream has a high start_threshold. This was intended to be a
correction of the behavior consistency and looked harmless, but this
was the culprit of the recent breakage reported by syzkaller, which
was fixed by the commit e190161f96 ("ALSA: pcm: Fix tight loop of
OSS capture stream").
At the time for the OSS fix, I didn't touch the behavior for ALSA
native API, as assuming that this behavior actually is good. But this
turned out to be also broken actually for a similar deployment,
e.g. one thread goes to a write loop in blocking mode while another
thread controls the start/stop of the stream manually.
Overall, the original commit is harmful, and it brings less merit to
keep that behavior. Let's revert it.
Fixes: 62ba568f7a ("ALSA: pcm: Return 0 when size < start_threshold in capture")
Fixes: e190161f96 ("ALSA: pcm: Fix tight loop of OSS capture stream")
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Now all callers no longer check the return value from
snd_pcm_lib_preallocate_pages() and co, let's make them to return
void, so that any new code won't fall into the same pitfall.
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The creation of card's id proc file can be moved gracefully into
info.c. Also, the assignment of card->proc_id is superfluous and can
be dropped. So let's do it.
Basically this is no functional change but code refactoring, but one
potential behavior change is that now it returns properly the error
code from snd_info_card_register(), which is a good thing (tm).
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Just a minor code optimization to reduce the source code size
slightly. No functional changes.
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
It's referred only in snd_card_id_read() which can receive the card
object via private_data.
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Two new helper functions are added here for cleaning up the existing
lengthy calls.
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The calls of snd_info_register() are superfluous and should be avoided
at the procfs creation time. They are called at the end of the whole
initialization via snd_card_register(). This patch drops such
superfluous calls.
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The calls of snd_info_register() are superfluous and should be avoided
at the procfs creation time. They are called at the end of the whole
initialization via snd_card_register(). This patch drops such
superfluous calls, as well as cleaning up the calls of substream proc
entries with a common helper.
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Make sure that all children entries are registered by a single call of
snd_info_register(). OTOH, don't register if a parent isn't
registered yet.
This allows us to create the whole procfs tree in a shot at the last
stage of card registration phase in a later patch.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Since we covered all callers with NULL device pointer, let's catch the
remaining calls with NULL and warn explicitly.
Acked-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Declaration of snd_pcm_drop() in sound/core/pcm_native.c is superfluous
since the function isn't called before being defined. Remove the
declaration.
Signed-off-by: Guennadi Liakhovetski <guennadi.liakhovetski@linux.intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
When the trigger=off is passed for a PCM OSS stream, it sets the
start_threshold of the given substream to the boundary size, so that
it won't be automatically started. This can be problematic for a
capture stream, unfortunately, as detected by syzkaller. The scenario
is like the following:
- In __snd_pcm_lib_xfer() that is invoked from snd_pcm_oss_read()
loop, we have a check whether the stream was already started or the
stream can be auto-started.
- The function at this check returns 0 with trigger=off since we
explicitly disable the auto-start.
- The loop continues and repeats calling __snd_pcm_lib_xfer() tightly,
which may lead to an RCU stall.
This patch fixes the bug by simply allowing the wait for non-started
stream in the case of OSS capture. For native usages, it's supposed
to be done by the caller side (which is user-space), hence it returns
zero like before.
(In theory, __snd_pcm_lib_xfer() could wait even for the native API
usage cases, too; but I'd like to stay in a safer side for not
breaking the existing stuff for now.)
Reported-by: syzbot+fbe0496f92a0ce7b786c@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
An open-coded error path in __snd_pcm_lib_xfer() can be replaced with
the simple goto to the common error path. This also makes the error
handling more consistent, i.e. when some samples have been already
processed, return that size instead of the error code.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
This patch changes the parent pointer assignment of snd_info_entry
object to be always non-NULL. More specifically,check the parent
argument in snd_info_create_module_entry() & co, and assign
snd_proc_root if NULL is passed there.
This assures that the proc object is always freed when the root is
freed, so avoid possible memory leaks. For example, some error paths
(e.g. snd_info_register() error at snd_minor_info_init()) may leave
snd_info_entry object although the proc file itself is freed.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The proc files are recursively freed by calling with the root
snd_info_entry object, so we don't have to keep each object for
releasing one by one. Move the release of the PCM stream proc root at
the beginning, so that we can remove the redundant code and resource.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
After the previous code refactoring, the PCM stream locking code
became nothing but the PCM group lock with self_group object. Use the
existing helper function for simplifying the code.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Remove the hackish down_write_nonfifo() that was introduced as a
workaround of rwsem deadlock.
It used to be a problem for non-atomic PCM streams that take the rwsem
for the locking and hit the high lock contention. Since the current
PCM locking refactoring, we'll no longer hit it as the hot code-paths
don't take global locks.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
We have currently two global locks, a rwlock and a rwsem, that are
used for managing linking the PCM streams. Due to these global locks,
once when a linked stream is used, the lock granularity suffers a
lot.
This patch attempts to eliminate the former global lock for atomic
ops. The latter rwsem needs remaining because of the loosy way of the
loop calls in snd_pcm_action_nonatomic(), as well as for avoiding the
deadlock at linking. However, these are used far rarely, actually
only by two actions (prepare and reset), where both are no timing
critical ones. So this can be still seen as a good improvement.
The basic strategy to eliminate the rwlock is to assure group->lock at
adding or removing a stream to / from the group. Since we already
takes the group lock whenever taking the all substream locks under the
group, this shouldn't be a big problem. The reference to group
pointer in snd_pcm_substream object is protected by the stream lock
itself.
However, there are still pitfalls: a race window at re-locking and the
lifecycle of group object. The former is a small race window for
dereferencing the substream group object opened while snd_pcm_action()
performs re-locking to avoid ABBA deadlocks. This includes the unlink
of group during that window, too. And the latter is the kfree
performed after all streams are removed from the group while it's
still dereferenced.
For addressing these corner cases, two new tricks are introduced:
- After re-locking, the group assigned to the stream is checked again;
if the group is changed, we retry the whole procedure.
- Introduce a refcount to snd_pcm_group object, so that it's freed
only when it's empty and really no one refers to it.
(Some readers might wonder why not RCU for the latter. RCU in this
case would cost more than refcounting, unfortunately. We take the
group lock sooner or later, hence the performance improvement by RCU
would be negligible. Meanwhile, because we need to deal with
schedulable context depending on the pcm->nonatomic flag, it'll become
dynamic RCU/SRCU switch, and the grace period may become too long.)
Along with these changes, there are a significant amount of code
refactoring. The complex group re-lock & ref code is factored out to
snd_pcm_stream_group_ref() function, for example.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The snd_pcm_group_for_each_entry() loop found in snd_pcm_unlink() is
only for taking the first list entry. Use list_first_entry() to make
clearer.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Make a common helper to re-assign the PCM link using list_move() instead
of open code with manual list_del() and list_add_tail(). This assures
the consistency and we can get rid of snd_pcm_group.count field -- its
purpose is only to check whether the list is singular, and we can know
it by list_is_singular() call now.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
There are multiple open codes that initialize the same object.
Create a common helper function instead.
Also, use kzalloc() to be safer at creating a group object, and move
the initialization out of the critical section.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The snd_card_unref() call in snd_pcm_link() looks suspicious through a
quick glance, but it's a correct usage; this is needed just because
the file descriptor check in is_pcm_file() calls the helper
snd_lookup_minor_data() that keeps the card refcount.
Despite of the correctness, the code still looks confusing.
Basically, keeping the card ref for the whole code isn't needed
as fdget() blocks the release of the opened file. Hence it's more
understandable if snd_card_unref() is moved into is_pcm_file(), then
the caller doesn't have to take care after the call.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Quite a big batch of fixes here. There's a couple of things going on,
the main one is that we found some issues with not deferring probe when
we should, causing us to skip some driver initialization. The fixes for
this then in turn exposed some issues with how we were searching for
components which had previously gone unnoticed due to the original
issue.
There's also been the normal driver specific stuff and there's been what
looks like several batches of automated scanning for issues which have
generated quite a large set of smaller fixes for potential crashes and
missed error handling.
-----BEGIN PGP SIGNATURE-----
iQFHBAABCgAxFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAlxBy/wTHGJyb29uaWVA
a2VybmVsLm9yZwAKCRAk1otyXVSH0HNQB/wI7qx/bNGOX1p2C0M5ENdgsMcYDpMh
OHD073hL4wDkNJ/O2josnceCtrPUS5tuOxmx765IFXrAR4FWlNezQL4dHwTNGfG9
Femd6iAxv47lC2fROpuHfB0j32LIjVrHLYDG0wAiDvteXK2VrGbj8vedfWqflOBj
PX2kqkkgWfSCTrEYdrE09ExYoYKYdEqU/LEKFmIUnMuXc/HNHLo6e1sFNzTo8DIo
g5P8nQ//Qgi1U9UWMabKjy4lYL2Tcid9jcNlz0QIffK2qwIEpVBeuhqJaT4sQrf5
G51UrSk2y4lJ0t9WXv1SwQTDi2slCCGcOHA3fylGkJl1cxgOFMAR37Xs
=ev1L
-----END PGP SIGNATURE-----
Merge tag 'asoc-fix-v5.0-rc2' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
ASoC: Fixes for v5.0
Quite a big batch of fixes here. There's a couple of things going on,
the main one is that we found some issues with not deferring probe when
we should, causing us to skip some driver initialization. The fixes for
this then in turn exposed some issues with how we were searching for
components which had previously gone unnoticed due to the original
issue.
There's also been the normal driver specific stuff and there's been what
looks like several batches of automated scanning for issues which have
generated quite a large set of smaller fixes for potential crashes and
missed error handling.
snd_pcm_suspend() is no longer called from outside, so let's make it
local static. Also drop a superfluous NULL check there.
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Until now we rely on each driver calling snd_pcm_suspend*() explicitly
at its own PM handling. However, this can be done far more easily by
setting the PM ops to each actual snd_pcm device object.
This patch adds the device_type object for PCM stream and assigns to
each PCM stream object. The type contains only the PM ops for system
suspend; we don't need to deal with the resume in general.
The suspend hook simply calls snd_pcm_suspend_all() for the given PCM
streams. This implies that the PM order is correctly put, i.e. PCM is
suspended before the main (or codec) driver, which should be true in
general. If a special ordering is needed, you'd need to adjust the
device PM order manually later.
This patch introduces a new flag, snd_pcm.no_device_suspend, too.
With this flag set, the PCM device object won't invoke
snd_pcm_suspend_all() by itself. This is needed for ASoC who wants to
manage the PM call orders in its serialized way, and the flag is set
in soc_new_pcm() as default.
For the non-ASoC world, we can get rid of the manual snd_pcm_suspend
calls. This will be done in the later patches.
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Nobody has actually used the type (VERIFY_READ vs VERIFY_WRITE) argument
of the user address range verification function since we got rid of the
old racy i386-only code to walk page tables by hand.
It existed because the original 80386 would not honor the write protect
bit when in kernel mode, so you had to do COW by hand before doing any
user access. But we haven't supported that in a long time, and these
days the 'type' argument is a purely historical artifact.
A discussion about extending 'user_access_begin()' to do the range
checking resulted this patch, because there is no way we're going to
move the old VERIFY_xyz interface to that model. And it's best done at
the end of the merge window when I've done most of my merges, so let's
just get this done once and for all.
This patch was mostly done with a sed-script, with manual fix-ups for
the cases that weren't of the trivial 'access_ok(VERIFY_xyz' form.
There were a couple of notable cases:
- csky still had the old "verify_area()" name as an alias.
- the iter_iov code had magical hardcoded knowledge of the actual
values of VERIFY_{READ,WRITE} (not that they mattered, since nothing
really used it)
- microblaze used the type argument for a debug printout
but other than those oddities this should be a total no-op patch.
I tried to fix up all architectures, did fairly extensive grepping for
access_ok() uses, and the changes are trivial, but I may have missed
something. Any missed conversion should be trivially fixable, though.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
The problem is seen in the q6asm_dai_compr_set_params() function:
ret = q6asm_map_memory_regions(dir, prtd->audio_client, prtd->phys,
(prtd->pcm_size / prtd->periods),
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
prtd->periods);
In this code prtd->pcm_size is the buffer_size and prtd->periods comes
from params->buffer.fragments. If we allow the number of fragments to
be zero then it results in a divide by zero bug. One possible fix would
be to use prtd->pcm_count directly instead of using the division to
re-calculate it. But I decided that it doesn't really make sense to
allow zero fragments.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Not much work on the core this time around but we've seen quite a bit of
driver work, including on the generic DT drivers. There's also a large
part of the diff from a merge of the DaVinci and OMAP directories, along
with some active development there:
- Preparatory work from Morimoto-san for merging the audio-graph and
audio-graph-scu cards.
- A merge of the TI OMAP and DaVinci directories, the OMAP product line
has been merged into the DaVinci product line so there is now a lot
of IP sharing which meant that the split directories just got in the
way. This has pulled in a few architecture changes as well.
- A big cleanup of the Maxim MAX9867 driver from Ladislav Michl.
- Support for Asahi Kaesi AKM4118, AMD ACP3x, Intel platforms with
RT5660, Meson AXG S/PDIF inputs, several Qualcomm IPs and Xilinx I2S
controllers.
-----BEGIN PGP SIGNATURE-----
iQFHBAABCgAxFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAlwY7KsTHGJyb29uaWVA
a2VybmVsLm9yZwAKCRAk1otyXVSH0MFqB/4m9nlfUeXTpiSD1FgVIlMmdPNUg4V2
6Ybztaw4kRc5LuQN8PXQmaFLx020yAnLvI7Zzj7l3K8r6a9lfyFs+pKL0wtBnNK2
9QEFmOVQ3QFpt31Yb2IQeO4dfNbiyKeczjLau4mXWTl0j5dc/UH+HasE1dRZOxsC
rqJ8IsdibIVxVtQ7ZmcnU+y6XK0inBHAAh6ksMehsufShGrfrLs/nRBaXRZcRqJg
ciSFY5uYRYkDxTgogTpNRfVy4nr17N10+0sgrQ3RtaaqgG3gBXsHca1meyxKYW3Q
TssOJGIl3+uGiAMNyZqzxe5pAwwuGhZ3hAAAODtfYJQtAuAOW3/45Wqh
=phWF
-----END PGP SIGNATURE-----
Merge tag 'asoc-v4.21' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-next
ASoC: Updates for v4.21
Not much work on the core this time around but we've seen quite a bit of
driver work, including on the generic DT drivers. There's also a large
part of the diff from a merge of the DaVinci and OMAP directories, along
with some active development there:
- Preparatory work from Morimoto-san for merging the audio-graph and
audio-graph-scu cards.
- A merge of the TI OMAP and DaVinci directories, the OMAP product line
has been merged into the DaVinci product line so there is now a lot
of IP sharing which meant that the split directories just got in the
way. This has pulled in a few architecture changes as well.
- A big cleanup of the Maxim MAX9867 driver from Ladislav Michl.
- Support for Asahi Kaesi AKM4118, AMD ACP3x, Intel platforms with
RT5660, Meson AXG S/PDIF inputs, several Qualcomm IPs and Xilinx I2S
controllers.
Default copy function uses kmalloc to allocate buffers, lets check
if the runtime buffers are setup before making this allocations.
This can be useful if the buffers are dma buffers.
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Acked-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
stream is indirectly controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.
This issue was detected with the help of Smatch:
sound/core/pcm.c:140 snd_pcm_control_ioctl() warn: potential spectre issue 'pcm->streams' [r] (local cap)
Fix this by sanitizing stream before using it to index pcm->streams
Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].
[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Cc: stable@vger.kernel.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Commit 67ec1072b0 ("ALSA: pcm: Fix rwsem deadlock for non-atomic PCM
stream") fixes deadlock for non-atomic PCM stream. But, This patch
causes antother stuck.
If writer is RT thread and reader is a normal thread, the reader
thread will be difficult to get scheduled. It may not give chance to
release readlocks and writer gets stuck for a long time if they are
pinned to single cpu.
The deadlock described in the previous commit is because the linux
rwsem queues like a FIFO. So, we might need non-FIFO writelock, not
non-block one.
My suggestion is that the writer gives reader a chance to be scheduled
by using the minimum msleep() instaed of spinning without blocking by
writer. Also, The *_nonblock may be changed to *_nonfifo appropriately
to this concept.
In terms of performance, when trylock is failed, this minimum periodic
msleep will have the same performance as the tick-based
schedule()/wake_up_q().
[ Although this has a fairly high performance penalty, the relevant
code path became already rare due to the previous commit ("ALSA:
pcm: Call snd_pcm_unlink() conditionally at closing"). That is, now
this unconditional msleep appears only when using linked streams,
and this must be a rare case. So we accept this as a quick
workaround until finding a more suitable one -- tiwai ]
Fixes: 67ec1072b0 ("ALSA: pcm: Fix rwsem deadlock for non-atomic PCM stream")
Suggested-by: Wonmin Jung <wonmin.jung@lge.com>
Signed-off-by: Chanho Min <chanho.min@lge.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Currently the PCM core calls snd_pcm_unlink() always unconditionally
at closing a stream. However, since snd_pcm_unlink() invokes the
global rwsem down, the lock can be easily contended. More badly, when
a thread runs in a high priority RT-FIFO, it may stall at spinning.
Basically the call of snd_pcm_unlink() is required only for the linked
streams that are already rare occasion. For normal use cases, this
code path is fairly superfluous.
As an optimization (and also as a workaround for the RT problem
above in normal situations without linked streams), this patch adds a
check before calling snd_pcm_unlink() and calls it only when needed.
Reported-by: Chanho Min <chanho.min@lge.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Both snd_ctl_add() and snd_ctl_replace() process the things in a
fairly similar way, and indeed the most of the codes can be unified.
This patch is a refactoring to consolidate the both functions to call
a single helper with an extra "mode" argument. There should be no
functional difference, except for one additional sanity check applied
now to snd_ctl_replace() (which was rather overlooking, IMO), too.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The procedure for adding a user control element has some window opened
for race against the concurrent removal of a user element. This was
caught by syzkaller, hitting a KASAN use-after-free error.
This patch addresses the bug by wrapping the whole procedure to add a
user control element with the card->controls_rwsem, instead of only
around the increment of card->user_ctl_count.
This required a slight code refactoring, too. The function
snd_ctl_add() is split to two parts: a core function to add the
control element and a part calling it. The former is called from the
function for adding a user control element inside the controls_rwsem.
One change to be noted is that snd_ctl_notify() for adding a control
element gets called inside the controls_rwsem as well while it was
called outside the rwsem. But this should be OK, as snd_ctl_notify()
takes another (finer) rwlock instead of rwsem, and the call of
snd_ctl_notify() inside rwsem is already done in another code path.
Reported-by: syzbot+dc09047bce3820621ba2@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
PCM OSS layer may allocate a few temporary buffers, one for the core
read/write and another for the conversions via plugins. Currently
both are allocated via vmalloc(). But as the allocation size is
equivalent with the PCM period size, the required size might be quite
small, depending on the application.
This patch replaces these vmalloc() calls with kvzalloc() for covering
small period sizes better. Also, we use "z"-alloc variant here for
addressing the possible uninitialized access reported by syzkaller.
Reported-by: syzbot+1cb36954e127c98dd037@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
As a preparatory patch for the upcoming -Wimplicit-fallthrough
compiler checks, replace with the standard "fall through" annotation.
Unfortunately gcc doesn't understand a chattier text.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
As a preparatory patch for the upcoming -Wimplicit-fallthrough
compiler checks, add the "fall through" annotation in
snd_dma_alloc_pages(). Note that this seems necessary to be put
exactly before the next label, so it's outside the ifdef block.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
For discarding the pending bytes on rawmidi, we process with a loop of
snd_rawmidi_transmit() which is just a waste of CPU power.
Implement a lightweight API function to discard the pending bytes and
the proceed the ring buffer instantly, and use it instead of open
codes.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
This ensures the transfer loop won't waste a run to read
the few frames (if any) between start and hw_ptr update.
It will wait for the next interrupt with wait_for_avail().
Signed-off-by: Ricardo Biehl Pasquali <pasqualirb@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
syzbot reported the uninitialized value exposure in certain situations
using virmidi loop. It's likely a very small race at writing and
reading, and the influence is almost negligible. But it's safer to
paper over this just by replacing the existing kvmalloc() with
kvzalloc().
Reported-by: syzbot+194dffdb8b22fc5d207a@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
In some cases (mainly for x86), we need the DMA coherent buffer with
non-cached pages. Although this has been done in each driver side
like HD-audio and intel8x0, it can be done cleaner in the core memory
allocator.
This patch adds the new types, SNDRV_DMA_TYPE_DEV_UC and
SNDRV_DMA_TYPE_DEV_UC_SG, for allocating such non-cached buffer
pages. On non-x86 architectures, they work as same as the standard
SNDRV_DMA_TYPE_DEV and *_SG.
One additional change by this move is that we can assure to pass the
non-cached pgprot to the vmapped buffer, too. It eventually fixes the
case like non-snoop mode without mmap access on HD-audio.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
snd_malloc_dev_pages() and snd_free_dev_pages() are local functions
and the parameters passed there are all contained in snd_dma_buffer
object. As a code-simplification, pass snd_dma_buffer object and
assign the address there like other allocators do (except for
snd_malloc_pages() which is called from outside, hence we can't change
easily).
Only code refactoring, no functional changes.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The size passed to dma_alloc_coherent() doesn't have to be aligned
with power-of-two, rather it should be the raw size. As a minor
optimization, remove the size adjustment in the current code.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
snd_seq_system_client_init() doesn't check the errors returned from
its port creations. Let's do it properly and handle the error paths.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Static checkers complain that snd_seq_create_kernel_client() can return
-EBUSY here so we need to have some error handling.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The "frames" variable is unsigned so the error handling doesn't work
properly.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
In __snd_pcm_lib_xfer(), when capture, if state is PREPARED
and size is less than start_threshold nothing can be done.
As there is no error, 0 is returned.
Signed-off-by: Ricardo Biehl Pasquali <pasqualirb@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The recent change to move the virmidi output processing to a work
slightly modified the code to discard the unsubscribed outputs so that
it works without a temporary buffer. However, this is actually buggy,
and may spew a kernel warning due to the unexpected call of
snd_rawmidi_transmit_ack(), as triggered by syzbot.
This patch takes back to the original code in that part, use a
temporary buffer and simply repeat snd_rawmidi_transmit(), in order to
address the regression.
Fixes: f7debfe540 ("ALSA: seq: virmidi: Offload the output event processing")
Reported-by: syzbot+ec5f605c91812d200367@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
In preparation to enabling -Wimplicit-fallthrough, mark switch cases
where we are expecting to fall through.
Warning level 2 was used: -Wimplicit-fallthrough=2
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
In preparation to enabling -Wimplicit-fallthrough, mark switch cases
where we are expecting to fall through.
Notice that in this particular case, I replaced the code comment with
a proper "fall through" annotation, which is what GCC is expecting
to find.
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
For a sake of code simplification, remove the init and the exit
entries that do nothing.
Notes for readers: actually it's OK to remove *both* init and exit,
but not OK to remove the exit entry. By removing only the exit while
keeping init, the module becomes permanently loaded; i.e. you cannot
unload it any longer!
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Thomas Gleixner
Takashi Iwai
Gustavo A. R. Silva
Linus Torvalds
Kirill Smelkov
Zubin Mithra
Ricardo Biehl Pasquali
Ranjani Sridharan
Guennadi Liakhovetski
Dan Carpenter
Mark Brown
Srinivas Kandagatla
Chanho Min