The timer instance per queue is exclusive, and snd_seq_timer_open()
should have managed the concurrent accesses. It looks as if it's
checking the already existing timer instance at the beginning, but
it's not right, because there is no protection, hence any later
concurrent call of snd_seq_timer_open() may override the timer
instance easily. This may result in UAF, as the leftover timer
instance can keep running while the queue itself gets closed, as
spotted by syzkaller recently.
For avoiding the race, add a proper check at the assignment of
tmr->timeri again, and return -EBUSY if it's been already registered.
Reported-by: syzbot+ddc1260a83ed1cbf6fb5@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/000000000000dce34f05c42f110c@google.com
Link: https://lore.kernel.org/r/20210610152059.24633-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The snd_ctl_led_sysfs_add and snd_ctl_led_sysfs_remove should contain
the refcount operations in pair. However, snd_ctl_led_sysfs_remove fails
to decrease the refcount to zero, which causes device_release never to
be invoked. This leads to memory leak to some resources, like struct
device_private. In addition, we also free some other similar memory
leaks in snd_ctl_led_init/snd_ctl_led_exit.
Fix this by replacing device_del to device_unregister
in snd_ctl_led_sysfs_remove/snd_ctl_led_init/snd_ctl_led_exit.
Note that, when CONFIG_DEBUG_KOBJECT_RELEASE is enabled, put_device will
call kobject_release and delay the release of kobject, which will cause
use-after-free when the memory backing the kobject is freed at once.
Reported-by: syzbot+08a7d8b51ea048a74ffb@syzkaller.appspotmail.com
Fixes: a135dfb5de ("ALSA: led control - add sysfs kcontrol LED marking layer")
Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Link: https://lore.kernel.org/r/20210602034136.2762497-1-mudongliangabcd@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
We've got a report about the possible race in the user control element
counts (card->user_ctl_count), and it was confirmed that the race
wasn't serious in the old code up to 5.12. There, the value
modification itself was exclusive and protected via a write semaphore,
hence it's at most concurrent reads and evaluations before the
increment. Since it's only about the soft-limit to avoid the
exhausting memory usage, one-off isn't a big problem at all.
Meanwhile, the relevant code has been largely modified recently, and
now card->user_ctl_count was replaced with card->user_ctl_alloc_size,
and a few more places were added to access this field. And, in this
new code, it turned out to be more serious: the modifications are
scattered in various places, and a few of them are without protection.
It implies that it may lead to an inconsistent value by racy
accesses.
For addressing it, this patch extends the range covered by the
card->controls_rwsem write lock at snd_ctl_elem_add() so that the all
code paths that modify and refer to card->user_ctl_alloc_size are
protected by the rwsem properly.
The patch adds also comments in a couple of functions to indicate that
they are under the rwsem lock.
Fixes: 66c6d1ef86 ("ALSA: control: Add memory consumption limit to user controls")
Link: https://lore.kernel.org/r/FEEBF384-44BE-42CF-8FB3-93470933F64F@purdue.edu
Link: https://lore.kernel.org/r/20210415131856.13113-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
It's a bad idea to allocate big structures on the stack.
Mark the variables as static and add a note for the locking.
Fixes: 22d8de62f1 ("ALSA: control - add generic LED trigger module as the new control layer")
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
Link: https://lore.kernel.org/r/20210414105858.1937710-1-perex@perex.cz
Signed-off-by: Takashi Iwai <tiwai@suse.de>
"group - 1" was intended here instead of "group". The current error
handling will double free the first item in the array and leak the last
item.
Fixes: cb17fe0045 ("ALSA: control - add sysfs support to the LED trigger module")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Link: https://lore.kernel.org/r/YHBJ4frGxErWB182@mwanda
Signed-off-by: Takashi Iwai <tiwai@suse.de>
ALSA control interface allows users to add arbitrary control elements
(called "user controls" or "user elements"), and its resource usage is
limited just by the max number of control sets (currently 32). This
limit, however, is quite loose: each allocation of control set may
have 1028 elements, and each element may have up to 512 bytes (ILP32) or
1024 bytes (LP64) of value data. Moreover, each control set may contain
the enum strings and TLV data, which can be up to 64kB and 128kB,
respectively. Totally, the whole memory consumption may go over 38MB --
it's quite large, and we'd rather like to reduce the size.
OTOH, there have been other requests even to increase the max number
of user elements; e.g. ALSA firewire stack require the more user
controls, hence we want to raise the bar, too.
For satisfying both requirements, this patch changes the management of
user controls: instead of setting the upper limit of the number of
user controls, we check the actual memory allocation size and set the
upper limit of the total allocation in bytes. As long as the memory
consumption stays below the limit, more user controls are allowed than
the current limit 32. At the same time, we set the lower limit (8MB)
as default than the current theoretical limit, in order to lower the
risk of DoS.
As a compromise for lowering the default limit, now the actual memory
limit is defined as a module option, 'max_user_ctl_alloc_size', so that
user can increase/decrease the limit if really needed, too.
Link: https://lore.kernel.org/r/s5htur3zl5e.wl-tiwai@suse.de
Co-developed-by: Takashi Iwai <tiwai@suse.de>
Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Tested-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Link: https://lore.kernel.org/r/20210408103149.40357-1-o-takashi@sakamocchi.jp
Signed-off-by: Takashi Iwai <tiwai@suse.de>
If count is 16 then this will put the NUL terminator one element beyond
the end of the array.
Fixes: cb17fe0045 ("ALSA: control - add sysfs support to the LED trigger module")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Link: https://lore.kernel.org/r/YGcDOtrimR46vr0k@mwanda
Signed-off-by: Takashi Iwai <tiwai@suse.de>
It may be possible that the string pointer does not move
when parsing. Add a code which detects this state and
simply break the parser loop in this case.
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
Link: https://lore.kernel.org/r/20210331180725.663623-1-perex@perex.cz
Signed-off-by: Takashi Iwai <tiwai@suse.de>
This patchset tries to resolve the diversity in the audio LED
control among the ALSA drivers. A new control layer registration
is introduced which allows to run additional operations on
top of the elementary ALSA sound controls.
A new control access group (three bits in the access flags)
was introduced to carry the LED group information for
the sound controls. The low-level sound drivers can just
mark those controls using this access group. This information
is not exported to the user space, but user space can
manage the LED sound control associations through sysfs
(last patch) per Mark's request. It makes things fully
configurable in the kernel and user space (UCM).
The actual state ('route') evaluation is really easy
(the minimal value check for all channels / controls / cards).
If there's more complicated logic for a given hardware,
the card driver may eventually export a new read-only
sound control for the LED group and do the logic itself.
The new LED trigger control code is completely separated
and possibly optional (there's no symbol dependency).
The full code separation allows eventually to move this
LED trigger control to the user space in future.
Actually it replaces the already present functionality
in the kernel space (HDA drivers) and allows a quick adoption
for the recent hardware (ASoC codecs including SoundWire).
snd_ctl_led 24576 0
The sound driver implementation is really easy:
1) call snd_ctl_led_request() when control LED layer should be
automatically activated
/ it calls module_request("snd-ctl-led") on demand /
2) mark all related kcontrols with
SNDRV_CTL_ELEM_ACCESS_SPK_LED or
SNDRV_CTL_ELEM_ACCESS_MIC_LED
Link: https://lore.kernel.org/r/20210317172945.842280-1-perex@perex.cz
Signed-off-by: Takashi Iwai <tiwai@suse.de>
-----BEGIN PGP SIGNATURE-----
iQJCBAABCAAsFiEEIXTw5fNLNI7mMiVaLtJE4w1nLE8FAmBjRuQOHHRpd2FpQHN1
c2UuZGUACgkQLtJE4w1nLE9ZQw/6Ao2X1io4TVnyO/gO8HtwmnZ6TWcrLUlySaep
H6Suf0RHsOQO9VOaMcUarA3Wnz1vZ44qJ/fkdLTslnIPGSRJDUx15bbb+n2N6pQJ
gS7Umxy6n73rQyEoDjd3ZorvDGjFSVFpjM+RYjk/Ohq+yziz7nQ/SZuHPPeqm1GU
C5d9SxyXGdqlJJ6yFCHzbtjSmIey+l1TZ+j3rSSww/CzDKxB2l5J6JZAMUjVdL9b
J80Mcw0XLdG9iTtEnkUt3TwvLMcMl95UPeQHIkVQlwsRRb3BtHNIwJLPQ/n+Cou7
Hre3y2miUYHrNICEzMdMlpDzQBqu5wvpXgbgIV0CwAwCXPZBVWE1hVJ9gG0l+r1G
fy1a75OmEin4V9g8w+wNTWDEgjwAOkWhA67WVjpbvHtd6kEbISzt4JHFksG1rjU2
vXOIj2VBmQN6zHtxfcZqY8Ge4A7XGo7tAM/3NsUxin+2y7ZXI6sDvv+0esYmqrYr
9as/tD84L5LTrbUYewaUgEdauQXluQI1egRi7pSeg7hZyLeYYkmszk54Ra3zdlmM
m7Hr6u+Y/G7yeFdn/WdeG3VzdmxhC2ZFfk3gq0vneBS3WrATbf6nAORp2bwzGSz4
pUsVLSv+vhpZdSF+IxpUuMnsLkkbUCvFivXLjQ6irSWvp7uts1HWdRowdg7Pe2lC
FVbFRuA=
=1uM7
-----END PGP SIGNATURE-----
Merge tag 'tags/mute-led-rework' into for-next
ALSA: control - add generic LED API
This patchset tries to resolve the diversity in the audio LED
control among the ALSA drivers. A new control layer registration
is introduced which allows to run additional operations on
top of the elementary ALSA sound controls.
A new control access group (three bits in the access flags)
was introduced to carry the LED group information for
the sound controls. The low-level sound drivers can just
mark those controls using this access group. This information
is not exported to the user space, but user space can
manage the LED sound control associations through sysfs
(last patch) per Mark's request. It makes things fully
configurable in the kernel and user space (UCM).
The actual state ('route') evaluation is really easy
(the minimal value check for all channels / controls / cards).
If there's more complicated logic for a given hardware,
the card driver may eventually export a new read-only
sound control for the LED group and do the logic itself.
The new LED trigger control code is completely separated
and possibly optional (there's no symbol dependency).
The full code separation allows eventually to move this
LED trigger control to the user space in future.
Actually it replaces the already present functionality
in the kernel space (HDA drivers) and allows a quick adoption
for the recent hardware (ASoC codecs including SoundWire).
snd_ctl_led 24576 0
The sound driver implementation is really easy:
1) call snd_ctl_led_request() when control LED layer should be
automatically activated
/ it calls module_request("snd-ctl-led") on demand /
2) mark all related kcontrols with
SNDRV_CTL_ELEM_ACCESS_SPK_LED or
SNDRV_CTL_ELEM_ACCESS_MIC_LED
Link: https://lore.kernel.org/r/20210317172945.842280-1-perex@perex.cz
Signed-off-by: Takashi Iwai <tiwai@suse.de>
We need to manage the kcontrol entries association for the LED trigger
from the user space. This patch adds a layer to the sysfs tree like:
/sys/devices/virtual/sound/ctl-led/mic
+ card0
| + attach
| + detach
| ...
+ card1
+ attach
...
Operations:
attach and detach
- amixer style ID is accepted and easy strings for numid and
simple names
reset
- reset all associated kcontrol entries
list
- list associated kcontrol entries (numid values only)
Additional symlinks:
/sys/devices/virtual/sound/ctl-led/mic/card0/card ->
/sys/class/sound/card0
/sys/class/sound/card0/controlC0/led-mic ->
/sys/devices/virtual/sound/ctl-led/mic/card0
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
Link: https://lore.kernel.org/r/20210317172945.842280-7-perex@perex.cz
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Create SYSFS/devices/virtual/sound/ctl-led tree
(with SYSFS/class/sound/ctl-led symlink).
speaker/
+-- mode
+-- brightness
mic/
+-- mode
+-- brightness
Copy the idea from the HDA driver and allow to set the audio
LEDs based on the various modes:
- follow mute
- follow moute (inverted to follow mute)
- off
- on
Also, the actual LED state is exposed.
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
Link: https://lore.kernel.org/r/20210317172945.842280-6-perex@perex.cz
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The recent laptops have usually two LEDs assigned to reflect
the speaker and microphone mute state. This implementation
adds a tiny layer on top of the control API which calculates
the state for those LEDs using the driver callbacks.
Two new access flags are introduced to describe the controls
which affects the audio path settings (an easy code change
for drivers).
The LED resource can be shared with multiple sound cards with
this code. The user space controls may be added to the state
chain on demand, too.
This code should replace the LED code in the HDA driver and
add a possibility to easy extend the other drivers (ASoC
codecs etc.).
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
Link: https://lore.kernel.org/r/20210317172945.842280-4-perex@perex.cz
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The layer registration allows to handle an extra functionality
on top of the control API. It can be used for the audio
LED control for example.
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
Link: https://lore.kernel.org/r/20210317172945.842280-3-perex@perex.cz
Signed-off-by: Takashi Iwai <tiwai@suse.de>
This helper is required for the following generic LED mute
patch. The helper also simplifies some other functions.
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
Link: https://lore.kernel.org/r/20210317172945.842280-2-perex@perex.cz
Signed-off-by: Takashi Iwai <tiwai@suse.de>
modification in commit 2a3f7221ac ("ALSA: core: Fix card races between
register and disconnect") resulting in this problem.
Fixes: 2a3f7221ac ("ALSA: core: Fix card races between register and disconnect")
Signed-off-by: Jia Zhou <zhou.jia2@zte.com.cn>
Signed-off-by: Yi Wang <wang.yi59@zte.com.cn>
Link: https://lore.kernel.org/r/1616989007-34429-1-git-send-email-wang.yi59@zte.com.cn
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Building with 'make W=1' shows some warnings about empty function-style
macros:
sound/core/pcm_memory.c: In function 'preallocate_pages':
sound/core/pcm_memory.c:236:49: error: suggest braces around empty body in an 'if' statement [-Werror=empty-body]
236 | preallocate_info_init(substream);
sound/core/seq_device.c: In function 'snd_seq_device_dev_register':
sound/core/seq_device.c:163:41: error: suggest braces around empty body in an 'if' statement [-Werror=empty-body]
163 | queue_autoload_drivers();
Change them to empty inline functions, which are more robust here.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/20210322103128.547199-1-arnd@kernel.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Add debug prints after calls of do_alloc_pages. One simplification would
be to move print into do_alloc_pages, however it would cause spam in
logs, as preallocate_pcm_pages loops over do_alloc_pages trying lower
values in case of failures.
Reviewed-by: Cezary Rojewski <cezary.rojewski@intel.com>
Signed-off-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
Link: https://lore.kernel.org/r/20210318160618.2504068-2-amadeuszx.slawinski@linux.intel.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Another quiet release in terms of features, though several of the
drivers got quite a bit of work and there were a lot of general changes
resulting from Morimoto-san's ongoing cleanup work.
- As ever, lots of hard work by Morimoto-san cleaning up the code and
making it more consistent.
- Many improvements in the Intel drivers including a wide range of
quirks and bug fixes.
- A KUnit testsuite for the topology code.
- Support for Ingenic JZ4760(B), Intel AlderLake-P, DT configured
nVidia cards, Qualcomm lpass-rx-macro and lpass-tx-macro
- Removal of obsolete SIRF prima/atlas, Txx9 and ZTE zx drivers.
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAmAtZ7cACgkQJNaLcl1U
h9DD5Af/eeERQ2uVOqtw0If+XL1xRYe6RewgDoNcO/l/5WxBLrBH6NbEf0OwNJeg
vzZAkUBtxmx6XiW2M/h+4ucW1OPcg5IzxIWTHfGDMlKIxzb0jgWugRnJ7sdTnOs3
c+QHnvuOT7QzZBviAIkc5uZ5thAImYF8zDyKoGF5llztmnBYymtgpnvnRNZGM0ou
76oUzSvkCFI2b0Yf6bpGok2nBVlOu82HSHOUKjXVWk+LAeiivlYGOEZpdIKEe3S8
u6atQJ29XRr52Yuc2z4xnFQTW1cIDlwj2Fk5x/z8hX+5nRhNSGuIv1l5m7TfBj3e
mCO9cltKZxly0NXysgekn95JHwwwkA==
=MJSb
-----END PGP SIGNATURE-----
Merge tag 'asoc-v5.12' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
ASoC: Updates for v5.12
Another quiet release in terms of features, though several of the
drivers got quite a bit of work and there were a lot of general changes
resulting from Morimoto-san's ongoing cleanup work.
- As ever, lots of hard work by Morimoto-san cleaning up the code and
making it more consistent.
- Many improvements in the Intel drivers including a wide range of
quirks and bug fixes.
- A KUnit testsuite for the topology code.
- Support for Ingenic JZ4760(B), Intel AlderLake-P, DT configured
nVidia cards, Qualcomm lpass-rx-macro and lpass-tx-macro
- Removal of obsolete SIRF prima/atlas, Txx9 and ZTE zx drivers.
There are a few places doing the same loop iterating all PCM
substreams belonging to the PCM object. Introduce a local helper
macro, for_each_pcm_substream(), to simplify the code.
Link: https://lore.kernel.org/r/20210206203656.15959-5-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The PCM stop operation sets the stop_operating flag for indicating the
sync_stop post-process. This flag is, however, set unconditionally
even if the PCM trigger weren't issued. This may lead to
inconsistency in the driver side.
Correct the code to set stop_operating flag only after the trigger
STOP is actually called.
Fixes: 1e850beea2 ("ALSA: pcm: Add the support for sync-stop operation")
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210206203656.15959-4-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The current PCM code calls the sync_stop at the resume action due to
the analogy to the PCM prepare call pattern. But, it makes little
sense, as the sync should have been done rather at the suspend time,
not at the resume time.
This patch corrects the sync_stop call at suspend/resume to assure the
sync before finishing the suspend.
Fixes: 1e850beea2 ("ALSA: pcm: Add the support for sync-stop operation")
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210206203656.15959-3-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The PCM core should perform the sync for the pending stop operations
at disconnection. Otherwise it may lead to unexpected access.
Currently the old user of sync_stop, USB-audio driver, has its own
sync, so this isn't needed, but it's better to guarantee the sync in
the PCM core level.
This patch adds the missing sync_stop call at PCM disconnection
callback. It also assures the IRQ sync if it's specified in the
card. snd_pcm_sync_stop() is slightly modified to be called also for
any PCM substream object now.
Fixes: 1e850beea2 ("ALSA: pcm: Add the support for sync-stop operation")
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210206203656.15959-2-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The commit e7bbb7acab ("dmaengine: add peripheral configuration")
adds peripheral configuration for dma_slave_config.
This configuration is useful for some audio peripherals, for
example, the peripheral supports multi fifos, we can
let the DMA know which fifos are selected. So also add
this configuration for snd_dmaengine_dai_dma_data.
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://lore.kernel.org/r/1612509985-11063-1-git-send-email-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
The commit 2d670ea2bd ("ALSA: jack: implement software jack
injection via debugfs") introduced a debugfs root for each sound card
object. The debugfs entry gets removed at the card removal, too, but
it turned out that debugfs_remove() is called at a wrong place; it's
after the card object gets freed, hence it leads to use-after-free.
Fix it by moving the debugfs_remove() at the right place, the
destructor of the card device.
Fixes: 2d670ea2bd ("ALSA: jack: implement software jack injection via debugfs")
Reported-and-tested-by: Chris Wilson <chris@chris-wilson.co.uk>
Link: https://lore.kernel.org/r/161228343605.1150.8862281636043446562@build.alporthouse.com
Link: https://lore.kernel.org/r/20210202225629.1965-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
This change adds audio jack injection feature through debugfs, with
this feature, we could validate alsa userspace changes by injecting
plugin or plugout events to the non-phantom audio jacks.
With this change, the sound core will build the folders
$debugfs_mount_dir/sound/cardN if SND_DEBUG and DEBUG_FS are enabled.
And if users also enable the SND_JACK_INJECTION_DEBUG, the jack
injection nodes will be built in the folder cardN like below:
$tree $debugfs_mount_dir/sound
$debugfs_mount_dir/sound
├── card0
│ ├── HDMI_DP_pcm_10_Jack
│ │ ├── jackin_inject
│ │ ├── kctl_id
│ │ ├── mask_bits
│ │ ├── status
│ │ ├── sw_inject_enable
│ │ └── type
...
│ └── HDMI_DP_pcm_9_Jack
│ ├── jackin_inject
│ ├── kctl_id
│ ├── mask_bits
│ ├── status
│ ├── sw_inject_enable
│ └── type
└── card1
├── HDMI_DP_pcm_5_Jack
│ ├── jackin_inject
│ ├── kctl_id
│ ├── mask_bits
│ ├── status
│ ├── sw_inject_enable
│ └── type
...
├── Headphone_Jack
│ ├── jackin_inject
│ ├── kctl_id
│ ├── mask_bits
│ ├── status
│ ├── sw_inject_enable
│ └── type
└── Headset_Mic_Jack
├── jackin_inject
├── kctl_id
├── mask_bits
├── status
├── sw_inject_enable
└── type
The nodes kctl_id, mask_bits, status and type are read-only, users
could check jack or jack_kctl's information through them.
The nodes sw_inject_enable and jackin_inject are directly used for
injection. The sw_inject_enable is read-write, users could check if
software injection is enabled or not on this jack, and users could
echo 1 or 0 to enable or disable software injection on this jack. Once
the injection is enabled, the jack will not change by hardware events
anymore, once the injection is disabled, the jack will restore the
last reported hardware events to the jack. The jackin_inject is
write-only, if the injection is enabled, users could echo 1 or 0 to
this node to inject plugin or plugout events to this jack.
For the detailed usage information on these nodes, please refer to
Documentation/sound/designs/jack-injection.rst.
Reviewed-by: Takashi Iwai <tiwai@suse.de>
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
Signed-off-by: Hui Wang <hui.wang@canonical.com>
Link: https://lore.kernel.org/r/20210127085639.74954-2-hui.wang@canonical.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The fix for a long-standing USB-audio bug required one more dependency
variable to be added to the hw constraints. Unfortunately I didn't
realize at debugging that the new addition may result in the overflow
of the dependency array of each snd_pcm_hw_rule (up to three plus a
sentinel), because USB-audio driver adds one more dependency only for
a certain device and bus, hence it works as is for many devices. But
in a bad case, a simple open always results in -EINVAL (with kernel
WARNING if CONFIG_SND_DEBUG is set) no matter what is passed.
Since the dependencies are real and unavoidable (USB-audio restricts
the hw_params per looping over the format/rate/channels combos), the
only good solution seems to raise the bar for one more dependency for
snd_pcm_hw_rule -- so does this patch: now the hw constraint
dependencies can be up to four.
Fixes: 506c203cc3 ("ALSA: usb-audio: Fix hw constraints dependencies")
Reported-by: Jamie Heilman <jamie@audible.transient.net>
Link: https://lore.kernel.org/r/20210123155730.22576-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
snd_seq_oss_synth_make_info() didn't check the error code from
snd_seq_oss_midi_make_info(), and this leads to the call of strlcpy()
with the uninitialized string as the source, which may lead to the
access over the limit.
Add the proper error check for avoiding the failure.
Reported-by: syzbot+e42504ff21cff05a595f@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210115093428.15882-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
strlcpy is deprecated. see: Documentation/process/deprecated.rst
Change the calls that do not use the strlcpy return value to the
preferred strscpy.
Done with cocci script:
@@
expression e1, e2, e3;
@@
- strlcpy(
+ strscpy(
e1, e2, e3);
This cocci script leaves the instances where the return value is
used unchanged.
After this patch, sound/ has 3 uses of strlcpy() that need to be
manually inspected for conversion and changed one day.
$ git grep -w strlcpy sound/
sound/usb/card.c: len = strlcpy(card->longname, s, sizeof(card->longname));
sound/usb/mixer.c: return strlcpy(buf, p->name, buflen);
sound/usb/mixer.c: return strlcpy(buf, p->names[index], buflen);
Miscellenea:
o Remove trailing whitespace in conversion of sound/core/hwdep.c
Link: https://lore.kernel.org/lkml/CAHk-=wgfRnXz0W3D37d01q3JFkr_i_uTL=V6A6G1oUZcprmknw@mail.gmail.com/
Signed-off-by: Joe Perches <joe@perches.com>
Acked-by: Mark Brown <broonie@kernel.org>
Link: https://lore.kernel.org/r/22b393d1790bb268769d0bab7bacf0866dcb0c14.camel@perches.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Use DIV_ROUND_CLOSEST() instead of open-coding it. This documents intent
and makes it more clear what is going on for the casual reviewer.
Generated using the following the Coccinelle semantic patch.
// <smpl>
@@
expression x, y;
@@
-((x) + ((y) / 2)) / (y)
+DIV_ROUND_CLOSEST(x, y)
// </smpl>
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Link: https://lore.kernel.org/r/20201223172229.781-13-lars@metafoo.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Use DIV_ROUND_UP() instead of open-coding it. This documents intent
and makes it more clear what is going on for the casual reviewer.
Generated using the following the Coccinelle semantic patch.
// <smpl>
@@
expression x, y;
@@
-(((x) + (y) - 1) / (y))
+DIV_ROUND_UP(x, y)
// </smpl>
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Link: https://lore.kernel.org/r/20201223172229.781-1-lars@metafoo.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
A collection of small fixes that came up recently for 5.11.
Majority of fixes are usual HD-audio and USB-audio quirks, while
a few PCM core fixes for addressing the information leak and yet
more UBSAN fixes in the core side.
-----BEGIN PGP SIGNATURE-----
iQJCBAABCAAsFiEEIXTw5fNLNI7mMiVaLtJE4w1nLE8FAl/i9TYOHHRpd2FpQHN1
c2UuZGUACgkQLtJE4w1nLE+jBg/6Al8JBgYALZkDOFS1fdeihm7i2keRbkI16OIt
dRv1sIr3rctuLk/oCwj0pTjBNJHfhUX2UfGxcYXIz0m32O1S13t4aBKPJ7BqUi/m
x0CHYy4v8JDeJGuWm8txzdedJIA3m69m/2TZZ+pFe7p3vIl51vXekklALuLQ+JTw
tz98CaXMQxJQq+/ddlukLOKSTNI1gb/Q+T4R/ZuMYXrfn0+/WjaP3OED/a4uPvvQ
0SpLTNS1zzTbS8wK2yys90SK9uR4Y0b0lcNZ5gES1rmYR9ZLwcp0jdHFXKc1HJnJ
x3YmMHQ+qtP/tFTJz1TCEmYl0ofL6axKEb55urm3NY6Nr/xDei5teT+nuBdum4O8
tMAui110hVoD4BRz9lCLnvGARVa9MDKj4Znp7QXu1YsUmATuAN4fEzCar9ojIvOV
rv73LmotPeymeSnLkFKI4DhbesxjJa4/eQkwPGFXsbjwt/E9N4zFpSxyTcWzYK1q
wl1jyPE6TuMD6nm/Ef2G5h6XIlnZD+AeSSNkVQSsd97Ttvp6kCU5Aidc+IQpQ1b5
tWRhM8dphiiO+Y2j4pbJNDQMWarXVMp2deXIZzohVNluWM1t/0k76bWa+wATodFJ
okuZE4knHCUXJ+HO+oTt+85t/H+qgIx0I9VzyQBCwvbJ03xRHYbj0+06YDgTp272
q6zhW5g=
=Ihh7
-----END PGP SIGNATURE-----
Merge tag 'sound-fix-5.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
Pull sound fixes from Takashi Iwai:
"A collection of small fixes that came up recently for 5.11.
The majority of fixes are usual HD-audio and USB-audio quirks, with a
few PCM core fixes for addressing the information leak and yet more
UBSAN fixes in the core side"
* tag 'sound-fix-5.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
ALSA/hda: apply jack fixup for the Acer Veriton N4640G/N6640G/N2510G
ALSA: hda/realtek: Apply jack fixup for Quanta NL3
ALSA: usb-audio: Add implicit feeback support for the BOSS GT-1
ALSA: usb-audio: Add alias entry for ASUS PRIME TRX40 PRO-S
ALSA: core: Remove redundant comments
ALSA: hda/realtek: Add quirk for MSI-GP73
ALSA: pcm: oss: Fix a few more UBSAN fixes
ALSA: pcm: Clear the full allocated memory at hw_params
ALSA: memalloc: Align buffer allocations in page size
ALSA: usb-audio: Disable sample read check if firmware doesn't give back
ALSA: pcm: Remove snd_pcm_lib_preallocate_dma_free()
ALSA: usb-audio: Add VID to support native DSD reproduction on FiiO devices
ALSA: core: memalloc: add page alignment for iram
ALSA: hda/realtek - Supported Dell fixed type headset
ALSA: hda/realtek: Remove dummy lineout on Acer TravelMate P648/P658
There are a few places that call round{up|down}_pow_of_two() with the
value zero, and this causes undefined behavior warnings. Avoid
calling those macros if such a nonsense value is passed; it's a minor
optimization as well, as we handle it as either an error or a value to
be skipped, instead.
Reported-by: syzbot+33ef0b6639a8d2d42b4c@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20201218161730.26596-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The PCM hw_params core function tries to clear up the PCM buffer
before actually using for avoiding the information leak from the
previous usages or the usage before a new allocation. It performs the
memset() with runtime->dma_bytes, but this might still leave some
remaining bytes untouched; namely, the PCM buffer size is aligned in
page size for mmap, hence runtime->dma_bytes doesn't necessarily cover
all PCM buffer pages, and the remaining bytes are exposed via mmap.
This patch changes the memory clearance to cover the all buffer pages
if the stream is supposed to be mmap-ready (that guarantees that the
buffer size is aligned in page size).
Reviewed-by: Lars-Peter Clausen <lars@metafoo.de>
Link: https://lore.kernel.org/r/20201218145625.2045-3-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Currently the standard memory allocator (snd_dma_malloc_pages*())
passes the byte size to allocate as is. Most of the backends
allocates real pages, hence the actual allocations are aligned in page
size. However, the genalloc doesn't seem assuring the size alignment,
hence it may result in the access outside the buffer when the whole
memory pages are exposed via mmap.
For avoiding such inconsistencies, this patch makes the allocation
size always to be aligned in page size.
Note that, after this change, snd_dma_buffer.bytes field contains the
aligned size, not the originally requested size. This value is also
used for releasing the pages in return.
Reviewed-by: Lars-Peter Clausen <lars@metafoo.de>
Link: https://lore.kernel.org/r/20201218145625.2045-2-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Since commit d4cfb30fce ("ALSA: pcm: Set per-card upper limit of PCM
buffer allocations") snd_pcm_lib_preallocate_dma_free() is a single line
function that has one caller, which is another single line function.
Clean this up a bit and remove snd_pcm_lib_preallocate_dma_free() and
directly call do_free_pages() from snd_pcm_lib_preallocate_free(). This is
a bit less boilerplate.
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Link: https://lore.kernel.org/r/20201218153400.18394-1-lars@metafoo.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Since mmap for userspace is based on page alignment, add page alignment
for iram alloc from pool, otherwise, some good data located in the same
page of dmab->area maybe touched wrongly by userspace like pulseaudio.
Signed-off-by: Robin Gong <yibin.gong@nxp.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/1608221747-3474-1-git-send-email-yibin.gong@nxp.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Lots of changes (slightly more code increase than usual) at this
time, while most of code changes are ASoC driver-specific.
Here goes some highlight:
Core:
* The new auxiliary bus implementation for Intel DSP, which will
be used by other drivers as well
* Lots of ASoC core cleanups and refactoring
* UBSAN and KCSAN fixes in rawmidi, sequencer and a few others
* Compress-offload API enhancement for the pause during draining
HD- and USB-audio:
* Enhancements of the USB-audio implicit feedback support,
including better full-duplex operations
* Continued CA0132 improvements and fixes
* A few new quirk entries, HDMI audio fixes
ASoC:
* Support for boot time selection of Intel DSP firmware, which
should help distros/users testing new stuff more easily;
the kconfig was moved to boot time option, too
* Some basic DPCM support in audio graph card
* Removal of old pre-DT Freescale drivers
* Support for Allwinner H6 I2S, Analog Devices ADAU1372, Intel
Alderlake-S, GMediatek MT8192, NXP i.MX HDMI and XCVR, Realtek
RT715, Qualcomm SM8250 and simple GPIO based muxes
-----BEGIN PGP SIGNATURE-----
iQJCBAABCAAsFiEEIXTw5fNLNI7mMiVaLtJE4w1nLE8FAl/YhGcOHHRpd2FpQHN1
c2UuZGUACgkQLtJE4w1nLE8O1RAAhuRnJZXDXOPXIG9OchsYlHI3wK4eaSiyNe+i
sI5yoAdLFYBxBY3OQ4kQCvhjzlLziUvfIfv5YZZMGGAxx9rxsb73F1zH4ttFi1qA
6ipbhk7SVgK3AQk74lWB2JRYrdBko8Y3z9HKNVqaXWnTubyV4EinoC4hzNLuNDI9
JsgyrsCL5Bzl9rlD3vs5mwPwIfiD4hw1KKSQa9f1qnOtXCcbRtL3T4iZZsF5sIph
veKrS0R1MZmXpMQoyhyMnTls1GvmW5N3mhIgw9rR1PgeVof8q8klKd2WfroKKz6s
Dek3IrgPXfvTdr2ZjNxI29x4NItIayGkbe1DFLZcHQ08yn9JrP9EKQ3Gnv7S9pVT
2gIdSOZV4XYA4OF04ubNU1Ve0n5kP4pX/LvN+cuSgyfgCE+V6HsvTF5nVyrunrM/
0bdjdWrc1dkb59GuLGOxI0M68lou7J14ZjCzeevuuQm9dNN5x62LDf3+0vDTFBEs
t9DaqoqUMZKFfaMLWG8UK04kvw3rhAHap+tQ9HOpz86VK6Qy54RBSfv43p2UK1SO
TDHRYIQxQ1GfPlHEy6XFfKOPw15VPDMJWoMPzFfoB+C6dzNKKSAgivFPnERsw88X
9T81MeLhCqqTdRLlZPnGM3S6L1btZhkZcLvyusT0WGGVg8KLgSmn4OwY2wITDebM
zIUgHTM=
=j9El
-----END PGP SIGNATURE-----
Merge tag 'sound-5.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
Pull sound updates from Takashi Iwai:
"Lots of changes (slightly more code increase than usual) at this time,
while most of code changes are ASoC driver-specific.
Here are some highlights:
Core:
- The new auxiliary bus implementation for Intel DSP, which will be
used by other drivers as well
- Lots of ASoC core cleanups and refactoring
- UBSAN and KCSAN fixes in rawmidi, sequencer and a few others
- Compress-offload API enhancement for the pause during draining
HD- and USB-audio:
- Enhancements of the USB-audio implicit feedback support, including
better full-duplex operations
- Continued CA0132 improvements and fixes
- A few new quirk entries, HDMI audio fixes
ASoC:
- Support for boot time selection of Intel DSP firmware, which should
help distros/users testing new stuff more easily; the kconfig was
moved to boot time option, too
- Some basic DPCM support in audio graph card
- Removal of old pre-DT Freescale drivers
- Support for Allwinner H6 I2S, Analog Devices ADAU1372, Intel
Alderlake-S, GMediatek MT8192, NXP i.MX HDMI and XCVR, Realtek
RT715, Qualcomm SM8250 and simple GPIO based muxes"
* tag 'sound-5.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (445 commits)
ALSA: pcm: oss: Fix potential out-of-bounds shift
ALSA: usb-audio: Fix potential out-of-bounds shift
ALSA: hda/ca0132 - Add ZxR surround DAC setup.
ALSA: hda/ca0132 - Add 8051 PLL write helper functions.
ALSA: hda/hdmi: packet buffer index must be set before reading value
ASoC: SOF: imx: update kernel-doc description
ASoC: mediatek: mt8183: delete some unreachable code
ASoC: mediatek: mt8183: add PM ops to machine drivers
ASoC: topology: Fix wrong size check
ASoC: topology: Add missing size check
ASoC: SOF: Intel: hda: fix the condition passed to sof_dev_dbg_or_err
ASoC: SOF: modify the SOF_DBG flags
ASoC: SOF: Intel: hda: remove duplicated status dump
ASoC: rt1015p: delay 300ms after SDB pulling high for calibration
ASoC: rt1015p: move SDB control from trigger to DAPM
ASoC: wm_adsp: remove "ctl" from list on error in wm_adsp_create_control()
ALSA: usb-audio: Fix control 'access overflow' errors from chmap
ALSA: hda/hdmi: always print pin NIDs as hexadecimal
ALSA: hda/realtek - Add supported for more Lenovo ALC285 Headset Button
ALSA: hda/ca0132 - Remove now unnecessary DSP setup functions.
...
syzbot spotted a potential out-of-bounds shift in the PCM OSS layer
where it calculates the buffer size with the arbitrary shift value
given via an ioctl.
Add a range check for avoiding the undefined behavior.
As the value can be treated by a signed integer, the max shift should
be 30.
Reported-by: syzbot+df7dc146ebdd6435eea3@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20201209084552.17109-2-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>