The snd_ctl_new() function in sound/core/control.c allocates space for a
snd_kcontrol struct by performing arithmetic operations on a
user-provided size without checking for integer overflow. If a user
provides a large enough size, an overflow will occur, the allocated
chunk will be too small, and a second user-influenced value will be
written repeatedly past the bounds of this chunk. This code is
reachable by unprivileged users who have permission to open
a /dev/snd/controlC* device (on many distros, this is group "audio") via
the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The PCM proc files may open a race against substream close, which can
end up with an Oops. Use the open_mutex to protect for it.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The pm_qos_request isn't freed properly when OSS PCM emulation is used
because it skips snd_pcm_hw_free() call but directly releases the
stream. This resulted in Oops later.
Tested-by: Simon Kirby <sim@hostway.ca>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
When user want to change the card id to the same string
on the card via /sys/class/sound/cardX/id, do not
report error. Instead return with success without
doing anything.
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@nokia.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
If we pass in a device which is higher than SNDRV_RAWMIDI_DEVICES then
the "next device" should be -1. This function just returns device + 1.
But the main thing is that "device + 1" can lead to a (harmless) integer
overflow and that annoys static analysis tools.
[fix the case for device == SNDRV_RAWMIDI_DEVICE by tiwai]
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The error handling in snd_seq_oss_open() has several bad codes that
do dereferecing released pointers and double-free of kmalloc'ed data.
The object dp is release in free_devinfo() that is called via
private_free callback. The rest shouldn't touch this object any more.
The patch changes delete_port() to call kfree() in any case, and gets
rid of unnecessary calls of destructors in snd_seq_oss_open().
Fixes CVE-2010-3080.
Reported-and-tested-by: Tavis Ormandy <taviso@cmpxchg8b.com>
Cc: <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
There were some new formats added in commit 15c0cee6c8 "ALSA: pcm:
Define G723 3-bit and 5-bit formats". That commit increased
SNDRV_PCM_FORMAT_LAST as well. My concern is that there are a couple
places which do:
for (i = 0; i < SNDRV_PCM_FORMAT_LAST; i++) {
if (dummy->pcm_hw.formats & (1ULL << i))
snd_iprintf(buffer, " %s", snd_pcm_format_name(i));
}
I haven't tested these but it looks like if "i" were equal to
SNDRV_PCM_FORMAT_G723_24 or higher then we might read past the end of
the array.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The current code in pcm_lib.c do all checks using only the position
in the ring buffer. Unfortunately, where the interrupts gets delayed or
merged into one, we need another timing source to check when the
buffer size boundary overlaps to avoid the wrong updating of the
ring buffer pointers.
This code uses jiffies to check the right time window without any
performance impact.
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
With some hardware combinations, the PCM interrupts are acknowledged
before the period boundary from the emu10k1 chip. The midlevel PCM code
gets confused and the playback stream is interrupted.
It seems that the interrupt processing shift by 2 samples is enough
to fix this issue. This default value does not harm other,
non-affected hardware.
More information: Kernel bugzilla bug#16300
[A copmile warning fixed by tiwai]
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
Cc: <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6: (214 commits)
ALSA: hda - Add pin-fix for HP dc5750
ALSA: als4000: Fix potentially invalid DMA mode setup
ALSA: als4000: enable burst mode
ALSA: hda - Fix initial capsrc selection in patch_alc269()
ASoC: TWL4030: Capture route runtime DAPM ordering fix
ALSA: hda - Add PC-beep whitelist for an Intel board
ALSA: hda - More relax for pending period handling
ALSA: hda - Define AC_FMT_* constants
ALSA: hda - Fix beep frequency on IDT 92HD73xx and 92HD71Bxx codecs
ALSA: hda - Add support for HDMI HBR passthrough
ALSA: hda - Set Stream Type in Stream Format according to AES0
ALSA: hda - Fix Thinkpad X300 so SPDIF is not exposed
ALSA: hda - FIX to not expose SPDIF on Thinkpad X301, since it does not have the ability to use SPDIF
ASoC: wm9081: fix resource reclaim in wm9081_register error path
ASoC: wm8978: fix a memory leak if a wm8978_register fail
ASoC: wm8974: fix a memory leak if another WM8974 is registered
ASoC: wm8961: fix resource reclaim in wm8961_register error path
ASoC: wm8955: fix resource reclaim in wm8955_register error path
ASoC: wm8940: fix a memory leak if wm8940_register return error
ASoC: wm8904: fix resource reclaim in wm8904_register error path
...
In situation when appl_ptr is far greater then hw_ptr, the hw_avail value
can be greater than buffer_size. Check for this.
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
All current users of pm_qos_add_request() have the ability to supply
the memory required by the pm_qos routines, so make them do this and
eliminate the kmalloc() with pm_qos_add_request(). This has the
double benefit of making the call never fail and allowing it to be
called from atomic context.
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Signed-off-by: mark gross <markgross@thegnar.org>
Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
When using poll() to wait for the next period -- or avail_min samples --
one gets a consistent delay for each system call that is usually just a
little short of the selected period time. However, When using
snd_pcm_read/write(), one gets a jittery delay that alternates between
less than a millisecond and approximately two period times. This is
caused by snd_pcm_lib_{read,write}1() transferring any available samples
to the user's buffer and adjusting the application pointer prior to
sleeping to the end of the current period. When the next period
interrupt occurs, there is then less than avail_min samples remaining to
be transferred in the period, so we end up sleeping until a second
period occurs.
This is solved by using runtime->twake as the number of samples needed
for a wakeup in addition to selecting the proper wait queue to wake in
snd_pcm_update_state(). This requires twake to be non-zero when used
by snd_pcm_lib_{read,write}1() even if avail_min is zero.
Signed-off-by: Dave Dillow <dave@thedillows.org>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
This defines the 24bps and 40bps (8khz sample rate) G.723 codec
formats. They are going to be used once I submit the driver for
an mpeg4/g723 compression card.
I've updated the signed value to -1 as per Takashi's comments
since these are non-linear formats.
Signed-off-by: Ben Collins <bcollins@bluecherry.net>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
In the cleanup of the hw_ptr update functions in 2.6.33, the calculation
of the delta value was changed to use the modulo operator to protect
against a negative difference due to the pointer wrapping around at the
boundary.
However, the ptr variables are unsigned, so a negative difference would
result in the two complement's value which has no relation to the actual
difference relative to the boundary; the result is typically some value
near LONG_MAX-boundary. Furthermore, even if the modulo operation would
be done with signed types, the result of a negative dividend could be
negative.
The invalid delta value is then caught by the following checks, but this
means that the pointer update is ignored.
To fix this, use a range check as in the other pointer calculations.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Cc: <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Commit 7910b4a1db in 2.6.34 changed the
runtime->boundary calculation to make this value a multiple of both the
buffer_size and the period_size, because the latter is assumed by the
runtime->hw_ptr_interrupt calculation.
However, due to the lack of a ioctl that could read the software
parameters before they are set, the kernel requires that alsa-lib
calculates the boundary value, too. The changed algorithm leads to
a different boundary value used by alsa-lib, which makes, e.g., mplayer
fail to play a 44.1 kHz file because the silence_size parameter is now
invalid; bug report:
<https://bugtrack.alsa-project.org/alsa-bug/view.php?id=5015>.
This patch reverts the change to the boundary calculation, and instead
fixes the hw_ptr_interrupt calculation to be period-aligned regardless
of the boundary value.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Cc: <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6: (250 commits)
ALSA: hda: Storage class should be before const qualifier
ASoC: tpa6130a2: Remove CPVSS and HPVdd supplies
ASoC: tpa6130a2: Define output pins with SND_SOC_DAPM_OUTPUT
ASoC: sdp4430 - add sdp4430 pcm ops to DAI.
ASoC: TWL6040: Enable earphone path in codec
ASoC: SDP4430: Add support for Earphone speaker
ASoC: SDP4430: Add sdp4430 machine driver
ASoC: tlv320dac33: Avoid powering off while in BIAS_OFF
ASoC: tlv320dac33: Use dev_dbg in dac33_hard_power function
ALSA: sound/pci/asihpi: Use kzalloc
ALSA: hdmi - dont fail on extra nodes
ALSA: intelhdmi - add id for the CougarPoint chipset
ALSA: intelhdmi - user friendly codec name
ALSA: intelhdmi - add dependency on SND_DYNAMIC_MINORS
ALSA: asihpi: incorrect range check
ALSA: asihpi: testing the wrong variable
ALSA: es1688: add pedantic range checks
ARM: McBSP: Add support for omap4 in McBSP driver
ARM: McBSP: Fix request for irq in OMAP4
OMAP: McBSP: Add 32-bit mode support
...
MIPS non-coherent archs need the noncached pgprot in mmap of PCM buffers.
But, since the coherency needs to be checked dynamically via
plat_device_is_coherent(), we need an ugly check dependent on MIPS
in ALSA core code.
This should be cleaned up in MIPS arch side (e.g. creating
dma_mmap_coherent()) in near future.
Tested-by: Wu Zhangjin <wuzhangjin@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
This patch changes the string based list management to a handle base
implementation to help with the hot path use of pm-qos, it also renames
much of the API to use "request" as opposed to "requirement" that was
used in the initial implementation. I did this because request more
accurately represents what it actually does.
Also, I added a string based ABI for users wanting to use a string
interface. So if the user writes 0xDDDDDDDD formatted hex it will be
accepted by the interface. (someone asked me for it and I don't think
it hurts anything.)
This patch updates some documentation input I got from Randy.
Signed-off-by: markgross <mgross@linux.intel.com>
Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
We should disable irqs when we take the tu->qlock because it is used in
the irq handler. The only place that doesn't is
snd_timer_user_ccallback(). Most of the time snd_timer_user_ccallback()
is called with interrupts disabled but the the first ti->ccallback()
call in snd_timer_notify1() has interrupts enabled.
This was caught by lockdep which generates the following message:
> =================================
> [ INFO: inconsistent lock state ]
> 2.6.34-rc5 #5
> ---------------------------------
> inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage.
> dolphin/4003 [HC1[1]:SC0[0]:HE0:SE1] takes:
> (&(&tu->qlock)->rlock){?.+...}, at: [<f84ec472>] snd_timer_user_tinterrupt+0x28/0x132 [snd_timer]
> {HARDIRQ-ON-W} state was registered at:
> [<c1048de9>] __lock_acquire+0x654/0x1482
> [<c1049c73>] lock_acquire+0x5c/0x73
> [<c125ac3e>] _raw_spin_lock+0x25/0x34
> [<f84ec370>] snd_timer_user_ccallback+0x55/0x95 [snd_timer]
> [<f84ecc4b>] snd_timer_notify1+0x53/0xca [snd_timer]
Reported-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Set no_llseek to llseek file ops of each sound component (but for hwdep).
This avoids the implicit BKL invocation via generic_file_llseek() used
as default when fops.llseek is NULL.
Also call nonseekable_open() at each open ops to ensure the file flags
have no seek bit.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The llseek implementation is identical for existing driver implementations,
so let's merge to the common layer. The same code for the text proc file
can be used even for the binary proc file.
The driver can provide its own llseek method if needed. Then the common
code will be skipped.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Check the validity of the file position in the common info layer before
calling read or write callbacks in assumption that entry->size is set up
properly to indicate the max file size.
Removed the redundant checks from the callbacks as well.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Use a local mutex instead of BKL. This should suffice since each device
type has also its open_mutex.
Also, a bit of clean-up of the legacy device auto-loading code.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.
percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.
http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include
blocks and try to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.
The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.
2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.
3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
wildly available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.
6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).
* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.
Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.
Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
The commit 4d96eb255c broke the interrupt
time xrun functionality (stream stop etc.) if the CONFIG_SND_PCM_XRUN_DEBUG
is not set. This is because the xrun() is null defined without it.
Fix this by letting the function xrun() to be always defined as it was
before.
Signed-off-by: Jarkko Nikula <jhnikula@gmail.com>
Cc: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Some devices provide support for detection of a small number of
buttons on their jacks. One common implementation provides a single
button, implemented by shorting the microphone to ground and detected
along with microphone presence detection by detecting varying current
draws on the microphone bias signal.
Provide support for up to three buttons via the jack interface. These
default to reporting BTN_n but an API is provided to allow these to
be remapped to other keys by the machine driver where it knows what
the keys are. More keys can be added with ease if required.
This is only intended to support simple accessory button designs. If
the interface is limiting then either creating a child device for the
accessory or accessing the input device in the jack directly is
recommended.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Shared memory mappings on nommu machines require a get_unmapped_area
file operation that suggests an address for the mapping. The current
implementation returns 0 and thus forces the driver to implement an
mmap handler that fixes up the start and end address of the vma.
This patch returns the address of the dma buffer, so it should work
out of the box for all drivers that use the snd_pcm_runtime->dma_area
pointer.
Addresses for mapping the status and control pages are returned as
well, but to make those work the conditional compilation of
snd_pcm_mmap_{status,control} would need to be revised.
URL: http://thread.gmane.org/gmane.linux.alsa.devel/61230
Signed-off-by: Daniel Glöckner <dg@emlix.com>
Signed-off-by: Cliff Cai <cliff.cai@analog.com>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Instead of padding with blanks and printing "number=0x a", print
"number=0x0a".
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@holoscopio.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Allow TLV blocks that do not have any values; the smallest possible TLV
is an empty container or one where the information is only in the tag.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>