2
0
mirror of https://github.com/edk2-porting/linux-next.git synced 2025-01-23 04:54:01 +08:00
Commit Graph

27962 Commits

Author SHA1 Message Date
Takashi Iwai
79fb0518fe ALSA: timer: Add missing mutex lock for compat ioctls
The races among ioctl and other operations were protected by the
commit af368027a4 ("ALSA: timer: Fix race among timer ioctls") and
later fixes, but one code path was forgotten in the scenario: the
32bit compat ioctl.  As syzkaller recently spotted, a very similar
use-after-free may happen with the combination of compat ioctls.

The fix is simply to apply the same ioctl_lock to the compat_ioctl
callback, too.

Fixes: af368027a4 ("ALSA: timer: Fix race among timer ioctls")
Reference: http://lkml.kernel.org/r/089e082686ac9b482e055c832617@google.com
Reported-by: syzbot <bot+e5f3c9783e7048a74233054febbe9f1bdf54b6da@syzkaller.appspotmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-31 08:28:16 +01:00
Hui Wang
f265788c33 ALSA: hda - fix headset mic problem for Dell machines with alc236
We have several Dell laptops which use the codec alc236, the headset
mic can't work on these machines. Following the commit 736f20a70, we
add the pin cfg table to make the headset mic work.

Cc: <stable@vger.kernel.org>
Signed-off-by: Hui Wang <hui.wang@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-24 14:32:24 +02:00
Kailang Yang
736f20a706 ALSA: hda/realtek - Add support for ALC236/ALC3204
Add support for ALC236/ALC3204.
Add headset mode support for ALC236/ALC3204.

Signed-off-by: Kailang Yang <kailang@realtek.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-20 10:49:18 +02:00
Takashi Iwai
a91d66129f ALSA: hda - Fix incorrect TLV callback check introduced during set_fs() removal
The commit 99b5c5bb9a ("ALSA: hda - Remove the use of set_fs()")
converted the get_kctl_0dB_offset() call for killing set_fs() usage in
HD-audio codec code.  The conversion assumed that the TLV callback
used in HD-audio code is only snd_hda_mixer_amp() and applies the TLV
calculation locally.

Although this assumption is correct, and all slave kctls are actually
with that callback, the current code is still utterly buggy; it
doesn't hit this condition and falls back to the next check.  It's
because the function gets called after adding slave kctls to vmaster.
By assigning a slave kctl, the slave kctl object is faked inside
vmaster code, and the whole kctl ops are overridden.  Thus the
callback op points to a different value from what we've assumed.

More badly, as reported by the KERNEXEC and UDEREF features of PaX,
the code flow turns into the unexpected pitfall.  The next fallback
check is SNDRV_CTL_ELEM_ACCESS_TLV_READ access bit, and this always
hits for each kctl with TLV.  Then it evaluates the callback function
pointer wrongly as if it were a TLV array.  Although currently its
side-effect is fairly limited, this incorrect reference may lead to an
unpleasant result.

For addressing the regression, this patch introduces a new helper to
vmaster code, snd_ctl_apply_vmaster_slaves().  This works similarly
like the existing map_slaves() in hda_codec.c: it loops over the slave
list of the given master, and applies the given function to each
slave.  Then the initializer function receives the right kctl object
and we can compare the correct pointer instead of the faked one.

Also, for catching the similar breakage in future, give an error
message when the unexpected TLV callback is found and bail out
immediately.

Fixes: 99b5c5bb9a ("ALSA: hda - Remove the use of set_fs()")
Reported-by: PaX Team <pageexec@freemail.hu>
Cc: <stable@vger.kernel.org> # v4.13
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-18 12:27:00 +02:00
Takashi Iwai
6bf88a343d ALSA: hda: Remove superfluous '-' added by printk conversion
While converting the error messages to the standard macros in the
commit 4e76a8833f ("ALSA: hda - Replace with standard printk"), a
superfluous '-' slipped in the code mistakenly.  Its influence is
almost negligible, merely shows a dB value as negative integer instead
of positive integer (or vice versa) in the rare error message.
So let's kill this embarrassing byte to show more correct value.

Fixes: 4e76a8833f ("ALSA: hda - Replace with standard printk")
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-18 12:26:59 +02:00
Takashi Iwai
098a0a62c1 ALSA: hda: Abort capability probe at invalid register read
The loop in snd_hdac_bus_parse_capabilities() may go to nirvana when
it hits an invalid register value read:

 BUG: unable to handle kernel paging request at ffffad5dc41f3fff
 IP: pci_azx_readl+0x5/0x10 [snd_hda_intel]
 Call Trace:
  snd_hdac_bus_parse_capabilities+0x3c/0x1f0 [snd_hda_core]
  azx_probe_continue+0x7d5/0x940 [snd_hda_intel]
  .....

This happened on a new Intel machine, and we need to check the value
and abort the loop accordingly.

[Note: the fixes tag below indicates only the commit where this patch
 can be applied; the original problem was introduced even before that
 commit]

Fixes: 6720b38420 ("ALSA: hda - move bus_parse_capabilities to core")
Cc: <stable@vger.kernel.org>
Acked-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-18 12:26:44 +02:00
Ben Hutchings
8009d506a1 ALSA: seq: Enable 'use' locking in all configurations
The 'use' locking macros are no-ops if neither SMP or SND_DEBUG is
enabled.  This might once have been OK in non-preemptible
configurations, but even in that case snd_seq_read() may sleep while
relying on a 'use' lock.  So always use the proper implementations.

Cc: stable@vger.kernel.org
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-18 08:01:46 +02:00
Jussi Laako
9bb201a5d5 ALSA: usb-audio: Add native DSD support for Pro-Ject Pre Box S2 Digital
Add native DSD support quirk for Pro-Ject Pre Box S2 Digital USB id
2772:0230.

Signed-off-by: Jussi Laako <jussi@sonarnerd.net>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-16 13:34:55 +02:00
Takashi Iwai
99fee50824 ALSA: caiaq: Fix stray URB at probe error path
caiaq driver doesn't kill the URB properly at its error path during
the probe, which may lead to a use-after-free error later.  This patch
addresses it.

Reported-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Johan Hovold <johan@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-11 17:01:18 +02:00
Takashi Iwai
7110599884 ALSA: seq: Fix use-after-free at creating a port
There is a potential race window opened at creating and deleting a
port via ioctl, as spotted by fuzzing.  snd_seq_create_port() creates
a port object and returns its pointer, but it doesn't take the
refcount, thus it can be deleted immediately by another thread.
Meanwhile, snd_seq_ioctl_create_port() still calls the function
snd_seq_system_client_ev_port_start() with the created port object
that is being deleted, and this triggers use-after-free like:

 BUG: KASAN: use-after-free in snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] at addr ffff8801f2241cb1
 =============================================================================
 BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
 -----------------------------------------------------------------------------
 INFO: Allocated in snd_seq_create_port+0x94/0x9b0 [snd_seq] age=1 cpu=3 pid=4511
 	___slab_alloc+0x425/0x460
 	__slab_alloc+0x20/0x40
  	kmem_cache_alloc_trace+0x150/0x190
	snd_seq_create_port+0x94/0x9b0 [snd_seq]
	snd_seq_ioctl_create_port+0xd1/0x630 [snd_seq]
 	snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
 	snd_seq_ioctl+0x40/0x80 [snd_seq]
 	do_vfs_ioctl+0x54b/0xda0
 	SyS_ioctl+0x79/0x90
 	entry_SYSCALL_64_fastpath+0x16/0x75
 INFO: Freed in port_delete+0x136/0x1a0 [snd_seq] age=1 cpu=2 pid=4717
 	__slab_free+0x204/0x310
 	kfree+0x15f/0x180
 	port_delete+0x136/0x1a0 [snd_seq]
 	snd_seq_delete_port+0x235/0x350 [snd_seq]
 	snd_seq_ioctl_delete_port+0xc8/0x180 [snd_seq]
 	snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
 	snd_seq_ioctl+0x40/0x80 [snd_seq]
 	do_vfs_ioctl+0x54b/0xda0
 	SyS_ioctl+0x79/0x90
 	entry_SYSCALL_64_fastpath+0x16/0x75
 Call Trace:
  [<ffffffff81b03781>] dump_stack+0x63/0x82
  [<ffffffff81531b3b>] print_trailer+0xfb/0x160
  [<ffffffff81536db4>] object_err+0x34/0x40
  [<ffffffff815392d3>] kasan_report.part.2+0x223/0x520
  [<ffffffffa07aadf4>] ? snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
  [<ffffffff815395fe>] __asan_report_load1_noabort+0x2e/0x30
  [<ffffffffa07aadf4>] snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
  [<ffffffffa07aa8f0>] ? snd_seq_ioctl_delete_port+0x180/0x180 [snd_seq]
  [<ffffffff8136be50>] ? taskstats_exit+0xbc0/0xbc0
  [<ffffffffa07abc5c>] snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
  [<ffffffffa07abd10>] snd_seq_ioctl+0x40/0x80 [snd_seq]
  [<ffffffff8136d433>] ? acct_account_cputime+0x63/0x80
  [<ffffffff815b515b>] do_vfs_ioctl+0x54b/0xda0
  .....

We may fix this in a few different ways, and in this patch, it's fixed
simply by taking the refcount properly at snd_seq_create_port() and
letting the caller unref the object after use.  Also, there is another
potential use-after-free by sprintf() call in snd_seq_create_port(),
and this is moved inside the lock.

This fix covers CVE-2017-15265.

Reported-and-tested-by: Michael23 Yu <ycqzsy@gmail.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-11 09:58:18 +02:00
Takashi Iwai
124751d5e6 ALSA: usb-audio: Kill stray URB at exiting
USB-audio driver may leave a stray URB for the mixer interrupt when it
exits by some error during probe.  This leads to a use-after-free
error as spotted by syzkaller like:
  ==================================================================
  BUG: KASAN: use-after-free in snd_usb_mixer_interrupt+0x604/0x6f0
  Call Trace:
   <IRQ>
   __dump_stack lib/dump_stack.c:16
   dump_stack+0x292/0x395 lib/dump_stack.c:52
   print_address_description+0x78/0x280 mm/kasan/report.c:252
   kasan_report_error mm/kasan/report.c:351
   kasan_report+0x23d/0x350 mm/kasan/report.c:409
   __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
   snd_usb_mixer_interrupt+0x604/0x6f0 sound/usb/mixer.c:2490
   __usb_hcd_giveback_urb+0x2e0/0x650 drivers/usb/core/hcd.c:1779
   ....

  Allocated by task 1484:
   save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
   save_stack+0x43/0xd0 mm/kasan/kasan.c:447
   set_track mm/kasan/kasan.c:459
   kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
   kmem_cache_alloc_trace+0x11e/0x2d0 mm/slub.c:2772
   kmalloc ./include/linux/slab.h:493
   kzalloc ./include/linux/slab.h:666
   snd_usb_create_mixer+0x145/0x1010 sound/usb/mixer.c:2540
   create_standard_mixer_quirk+0x58/0x80 sound/usb/quirks.c:516
   snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560
   create_composite_quirk+0x1c4/0x3e0 sound/usb/quirks.c:59
   snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560
   usb_audio_probe+0x1040/0x2c10 sound/usb/card.c:618
   ....

  Freed by task 1484:
   save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
   save_stack+0x43/0xd0 mm/kasan/kasan.c:447
   set_track mm/kasan/kasan.c:459
   kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524
   slab_free_hook mm/slub.c:1390
   slab_free_freelist_hook mm/slub.c:1412
   slab_free mm/slub.c:2988
   kfree+0xf6/0x2f0 mm/slub.c:3919
   snd_usb_mixer_free+0x11a/0x160 sound/usb/mixer.c:2244
   snd_usb_mixer_dev_free+0x36/0x50 sound/usb/mixer.c:2250
   __snd_device_free+0x1ff/0x380 sound/core/device.c:91
   snd_device_free_all+0x8f/0xe0 sound/core/device.c:244
   snd_card_do_free sound/core/init.c:461
   release_card_device+0x47/0x170 sound/core/init.c:181
   device_release+0x13f/0x210 drivers/base/core.c:814
   ....

Actually such a URB is killed properly at disconnection when the
device gets probed successfully, and what we need is to apply it for
the error-path, too.

In this patch, we apply snd_usb_mixer_disconnect() at releasing.
Also introduce a new flag, disconnected, to struct usb_mixer_interface
for not performing the disconnection procedure twice.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-10 14:17:09 +02:00
Takashi Iwai
c95072b3d8 ALSA: line6: Fix leftover URB at error-path during probe
While line6_probe() may kick off URB for a control MIDI endpoint, the
function doesn't clean up it properly at its error path.  This results
in a leftover URB action that is eventually triggered later and causes
an Oops like:
  general protection fault: 0000 [#1] PREEMPT SMP KASAN
  CPU: 1 PID: 0 Comm: swapper/1 Not tainted
  RIP: 0010:usb_fill_bulk_urb ./include/linux/usb.h:1619
  RIP: 0010:line6_start_listen+0x3fe/0x9e0 sound/usb/line6/driver.c:76
  Call Trace:
   <IRQ>
   line6_data_received+0x1f7/0x470 sound/usb/line6/driver.c:326
   __usb_hcd_giveback_urb+0x2e0/0x650 drivers/usb/core/hcd.c:1779
   usb_hcd_giveback_urb+0x337/0x420 drivers/usb/core/hcd.c:1845
   dummy_timer+0xba9/0x39f0 drivers/usb/gadget/udc/dummy_hcd.c:1965
   call_timer_fn+0x2a2/0x940 kernel/time/timer.c:1281
   ....

Since the whole clean-up procedure is done in line6_disconnect()
callback, we can simply call it in the error path instead of
open-coding the whole again.  It'll fix such an issue automagically.

The bug was spotted by syzkaller.

Fixes: eedd0e95d3 ("ALSA: line6: Don't forget to call driver's destructor at error path")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-09 16:17:18 +02:00
Takashi Iwai
54a4b2b458 ALSA: line6: Fix NULL dereference at podhd_disconnect()
When podhd_init() failed with the acquiring a ctrl i/f, the line6
helper still calls the disconnect callback that eventually calls again
usb_driver_release_interface() with the NULL intf.

Put the proper NULL check before calling it for avoiding an Oops.

Fixes: fc90172ba2 ("ALSA: line6: Claim pod x3 usb data interface")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-09 16:17:09 +02:00
Takashi Iwai
cb02ffc76a ALSA: line6: Fix missing initialization before error path
The error path in podhd_init() tries to clear the pending timer, while
the timer object is initialized at the end of init sequence, thus it
may hit the uninitialized object, as spotted by syzkaller:

  INFO: trying to register non-static key.
  the code is fine but needs lockdep annotation.
  turning off the locking correctness validator.
  CPU: 1 PID: 1845 Comm: kworker/1:2 Not tainted
  4.14.0-rc2-42613-g1488251d1a98 #238
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
  Workqueue: usb_hub_wq hub_event
  Call Trace:
   __dump_stack lib/dump_stack.c:16
   dump_stack+0x292/0x395 lib/dump_stack.c:52
   register_lock_class+0x6c4/0x1a00 kernel/locking/lockdep.c:769
   __lock_acquire+0x27e/0x4550 kernel/locking/lockdep.c:3385
   lock_acquire+0x259/0x620 kernel/locking/lockdep.c:4002
   del_timer_sync+0x12c/0x280 kernel/time/timer.c:1237
   podhd_disconnect+0x8c/0x160 sound/usb/line6/podhd.c:299
   line6_probe+0x844/0x1310 sound/usb/line6/driver.c:783
   podhd_probe+0x64/0x70 sound/usb/line6/podhd.c:474
   ....

For addressing it, assure the initializations of timer and work by
moving them to the beginning of podhd_init().

Fixes: 790869dacc ("ALSA: line6: Add support for POD X3")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-09 16:16:51 +02:00
Takashi Iwai
5803b02388 ALSA: seq: Fix copy_from_user() call inside lock
The event handler in the virmidi sequencer code takes a read-lock for
the linked list traverse, while it's calling snd_seq_dump_var_event()
in the loop.  The latter function may expand the user-space data
depending on the event type.  It eventually invokes copy_from_user(),
which might be a potential dead-lock.

The sequencer core guarantees that the user-space data is passed only
with atomic=0 argument, but snd_virmidi_dev_receive_event() ignores it
and always takes read-lock().  For avoiding the problem above, this
patch introduces rwsem for non-atomic case, while keeping rwlock for
atomic case.

Also while we're at it: the superfluous irq flags is dropped in
snd_virmidi_input_open().

Reported-by: Jia-Ju Bai <baijiaju1990@163.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-09 14:10:13 +02:00
Kai-Heng Feng
c247487c0d ALSA: usb-audio: Add sample rate quirk for Plantronics P610
Like other Plantronics devices, P610 does not support sample
rate reading. Apply sample rate quirk to it.

BugLink: https://bugs.launchpad.net/bugs/1719853

Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-09 14:10:11 +02:00
Linus Torvalds
0f380715e5 sound fixes for 4.14-rc4
A collection of small fixes, mostly with stable ones:
 - X32 ABI fix for PCM;
   likely not so many people suffer from it, but still better to fix
 - Two minor kernel warning fixes on USB audio devices spotted by
   syzkaller
 - Regression fix of echoaudio due to its inconsistent dimension
 - Fix for HBR support on Intel DP audio, on some recent chips
 - USB-audio quirk for yet another Plantronics devices
 - Fix for potential double-fetch in ASIHPI FIFO queue
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABAgAGBQJZ1chwAAoJEGwxgFQ9KSmk6OgP/2otFJK3ToOYKcEa27vMq32Y
 Cnqjxe4kWPDoaVL0EwFCCyk3UHyN+TG+ybmS4ViAIWOr64SjvN1Z51gd35HwWer6
 rrPGT4qhQfnA9D9yg9zSYhMQlM6Epbrje67hEbHMttRBSI3Jxb488beO9ZHRCIaS
 gGHzBxJnkmmsvH1Rm/4QKsm0hFxjU1P00nemFSGi4wGneDUhxe9T3J1ez9XogKiA
 x6mEqJmPwudS3qH2VAqEu/cgrnKPgKF51CrdbqoJ8kql60ejcWa9sizGVyjQ/4BX
 eHFAem4I1uLLOSG8gjPaMAPFqBn7hGr0ONPzwXdEJDDM48jJoYvdmNpk1zPZFs5+
 BSocKq5iX8NrJxVu7FlbFip/9TGM399Ep9JVIm8SZRbJCiu+Y6IVsiPM8Ww+tDIE
 jY4Qeoq4Li3O+BY1LqW8vGyvPrfyKpR/WvnQY7Gg4m7hWOUU9xBlzfbIONlXH9tF
 s5XGA9CLfM3f5zN+YCj/tRtcN8LSfL7XtMsLg99HMWD7Rkjp2GK1zNr7u/Xuz6/J
 RksFOCg/s5YwMYxYR4tE1S/HAgdyv8uZQCl4cpIIgryY+OOi7vYHiDlOaMAAVx5f
 g0X8EUKLmRa7f1EAH6E9lVNxNZtVGbh6cyqE3gggZd3mUSOSzNsNVIVu9USSo0Yh
 lBwdxB1qn+ik98ZNDlYe
 =uVz7
 -----END PGP SIGNATURE-----

Merge tag 'sound-4.14-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "A collection of small fixes, mostly with stable ones:

 - X32 ABI fix for PCM; likely not so many people suffer from it, but
   still better to fix

 - Two minor kernel warning fixes on USB audio devices spotted by
   syzkaller

 - Regression fix of echoaudio due to its inconsistent dimension

 - Fix for HBR support on Intel DP audio, on some recent chips

 - USB-audio quirk for yet another Plantronics devices

 - Fix for potential double-fetch in ASIHPI FIFO queue"

* tag 'sound-4.14-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ALSA: usx2y: Suppress kernel warning at page allocation failures
  Revert "ALSA: echoaudio: purge contradictions between dimension matrix members and total number of members"
  ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor
  ALSA: pcm: Fix structure definition for X32 ABI
  ALSA: usb-audio: Add sample rate quirk for Plantronics C310/C520-M
  ALSA: hda - program ICT bits to support HBR audio
  ALSA: asihpi: fix a potential double-fetch bug when copying puhm
  ALSA: compress: Remove unused variable
2017-10-05 10:39:29 -07:00
Takashi Iwai
7682e39948 ALSA: usx2y: Suppress kernel warning at page allocation failures
The usx2y driver allocates the stream read/write buffers in continuous
pages depending on the stream setup, and this may spew the kernel
warning messages with a stack trace like:
  WARNING: CPU: 1 PID: 1846 at mm/page_alloc.c:3883
  __alloc_pages_slowpath+0x1ef2/0x2d70
  Modules linked in:
  CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted
  ....

It may confuse user as if it were any serious error, although this is
no fatal error and the driver handles the error case gracefully.
Since the driver has already some sanity check of the given size (128
and 256 pages), it can't pass any crazy value.  So it's merely page
fragmentation.

This patch adds __GFP_NOWARN to each caller for suppressing such
kernel warnings.  The original issue was spotted by syzkaller.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-02 18:10:47 +02:00
Takashi Sakamoto
51db452df0 Revert "ALSA: echoaudio: purge contradictions between dimension matrix members and total number of members"
This reverts commit 275353bb68 to fix a regression which can abort
'alsactl' program in alsa-utils due to assertion in alsa-lib.

alsactl: control.c:2513: snd_ctl_elem_value_get_integer: Assertion `idx < sizeof(obj->value.integer.value) / sizeof(obj->value.integer.value[0])' failed.

alsactl: control.c:2976: snd_ctl_elem_value_get_integer: Assertion `idx < ARRAY_SIZE(obj->value.integer.value)' failed.

This commit is a band-aid. In a point of usage of ALSA control interface,
the drivers still bring an issue that they prevent userspace applications
to have a consistent way to parse each levels of the dimension information
via ALSA control interface.

Let me investigate this issue. Current implementation of the drivers
have three control element sets with dimension information:
 * 'Monitor Mixer Volume' (type: integer)
 * 'VMixer Volume' (type: integer)
 * 'VU-meters' (type: boolean)

Although the number of elements named as 'Monitor Mixer Volume' differs
depending on drivers in this group, it can be calculated by macros
defined by each driver (= (BX_NUM - BX_ANALOG_IN) * BX_ANALOG_IN). Each
of the elements has one member for value and has dimension information
with 2 levels (= BX_ANALOG_IN * (BX_NUM - BX_ANALOG_IN)). For these
elements, userspace applications are expected to handle the dimension
information so that all of the elements construct a matrix where the
number of rows and columns are represented by the dimension information.

The same way is applied to elements named as 'VMixer Volume'. The number
of these elements can also be calculated by macros defined by each
drivers (= PX_ANALOG_IN * BX_ANALOG_IN). Each of the element has one
member for value and has dimension information with 2 levels
(= BX_ANALOG_IN * PX_ANALOG_IN). All of the elements construct a matrix
with the dimension information.

An element named as 'VU-meters' gets a different way in a point of
dimension information. The element includes 96 members for value. The
element has dimension information with 3 levels (= 3 or 2 * 16 * 2). For
this element, userspace applications are expected to handle the dimension
information so that all of the members for value construct a matrix
where the number of rows and columns are represented by the dimension
information. This is different from the way for the former.

As a summary, the drivers were not designed to produce a consistent way to
parse the dimension information. This makes it hard for general userspace
applications such as amixer to parse the information by a consistent way,
and actually no userspace applications except for 'echomixer' utilize the
dimension information. Additionally, no drivers excluding this group use
the information.

The reverted commit was written based on the latter way. A commit
860c1994a7 ('ALSA: control: add dimension validator for userspace
elements') is written based on the latter way, too. The patch should be
reconsider too in the same time to re-define a consistent way to parse the
dimension information.

Reported-by: Mark Hills <mark@xwax.org>
Reported-by: S. Christian Collins <s.chriscollins@gmail.com>
Fixes: 275353bb68 ('ALSA: echoaudio: purge contradictions between dimension matrix members and total number of members')
Cc: <stable@vger.kernel.org> # v4.8+
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-02 14:30:43 +02:00
Takashi Iwai
bfc81a8bc1 ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor
When a USB-audio device receives a maliciously adjusted or corrupted
buffer descriptor, the USB-audio driver may access an out-of-bounce
value at its parser.  This was detected by syzkaller, something like:

  BUG: KASAN: slab-out-of-bounds in usb_audio_probe+0x27b2/0x2ab0
  Read of size 1 at addr ffff88006b83a9e8 by task kworker/0:1/24
  CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc1-42251-gebb2c2437d80 #224
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
  Workqueue: usb_hub_wq hub_event
  Call Trace:
   __dump_stack lib/dump_stack.c:16
   dump_stack+0x292/0x395 lib/dump_stack.c:52
   print_address_description+0x78/0x280 mm/kasan/report.c:252
   kasan_report_error mm/kasan/report.c:351
   kasan_report+0x22f/0x340 mm/kasan/report.c:409
   __asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
   snd_usb_create_streams sound/usb/card.c:248
   usb_audio_probe+0x27b2/0x2ab0 sound/usb/card.c:605
   usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
   really_probe drivers/base/dd.c:413
   driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
   __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
   bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
   __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
   device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
   bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
   device_add+0xd0b/0x1660 drivers/base/core.c:1835
   usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
   generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
   usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
   really_probe drivers/base/dd.c:413
   driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
   __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
   bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
   __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
   device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
   bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
   device_add+0xd0b/0x1660 drivers/base/core.c:1835
   usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
   hub_port_connect drivers/usb/core/hub.c:4903
   hub_port_connect_change drivers/usb/core/hub.c:5009
   port_event drivers/usb/core/hub.c:5115
   hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
   process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
   worker_thread+0x221/0x1850 kernel/workqueue.c:2253
   kthread+0x3a1/0x470 kernel/kthread.c:231
   ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

This patch adds the checks of out-of-bounce accesses at appropriate
places and bails out when it goes out of the given buffer.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-09-22 16:21:31 +02:00
Baolin Wang
c9adcdbc65 ALSA: pcm: Fix structure definition for X32 ABI
X32 ABI uses the 64bit timespec in addition to 64bit alignment of 64bit
values. We have added compat ABI for these ioctls, but this patch adds
one missing padding into 'struct snd_pcm_mmap_status_x32' to fix
incompatibilities.

Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-09-22 11:23:48 +02:00
Kai-Heng Feng
0dcd020b7a ALSA: usb-audio: Add sample rate quirk for Plantronics C310/C520-M
Like other Plantronics devices, C310 and C520-M do not support sample
rate reading. Add them to the sample rate quirk accordingly.

BugLink: https://bugs.launchpad.net/bugs/1708499
BugLink: https://bugs.launchpad.net/bugs/1709282
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-09-20 22:14:40 +02:00
Sriram Periyasamy
5a5d718f95 ALSA: hda - program ICT bits to support HBR audio
On recent Intel platforms (Haswell, Broadwell, Skylake, ApolloLake,
KabyLake, ...), the IEC Coding Type (ICT) bitfield in the Digital
Converter Control #3 needs to be set explicitly for HDMI/DisplayPort
High Bit Rate (HBR) audio playback to work. This was not required in
earlier platforms when HBR was first introduced. The ICT bits are
defined in Section 7.3.3.9 of the HDaudio 1.0a specification.

Since the ICT bitfield was not specified for HDAudio 1.0 devices
(before 2009), we only program it on machines more recent than
Haswell.

We tested that this fix is not needed on Baytrail-I (MinnowBoard
Turbot) and believe by extension it also does not apply to Braswell.

[ Moved AC_VERB_SET_DIGI_CONVERT_3 definition to the right place
  by tiwai ]

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=98797

Signed-off-by: Sriram Periyasamy <sriramx.periyasamy@intel.com>
Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Signed-off-by: Subhransu S. Prusty <subhransu.s.prusty@intel.com>
Acked-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-09-20 12:01:01 +02:00
Meng Xu
e1af344df4 ALSA: asihpi: fix a potential double-fetch bug when copying puhm
The hm->h.size is intended to hold the actual size of the hm struct
that is copied from userspace and should always be <= sizeof(*hm).

However, after copy_from_user(hm, puhm, hm->h.size), since userspace
process has full control over the memory region pointed by puhm, it is
possible that the value of hm->h.size is different from what is fetched-in
previously (get_user(hm->h.size, (u16 __user *)puhm)). In other words,
hm->h.size is overriden and the relation between hm->h.size and the hm
struct is broken.

This patch proposes to use a seperate variable, msg_size, to hold
the value of the first fetch and override hm->h.size to msg_size
after the second fetch to maintain the relation.

Signed-off-by: Meng Xu <mengxu.gatech@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-09-19 22:03:59 +02:00
Guneshwor Singh
a931b9ce93 ALSA: compress: Remove unused variable
Commit 04c5d5a430 ("ALSA: compress: Embed struct device") removed
the statement that used 'str' but didn't remove the variable itself.
So remove it.

[Adding stable to Cc since pr_debug() may refer to the uninitialized
 buffer -- tiwai]

Fixes: 04c5d5a430 ("ALSA: compress: Embed struct device")
Signed-off-by: Guneshwor Singh <guneshwor.o.singh@intel.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-09-18 15:45:01 +02:00
Mimi Zohar
711aab1dbb vfs: constify path argument to kernel_read_file_from_path
This patch constifies the path argument to kernel_read_file_from_path().

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Christoph Hellwig <hch@infradead.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-09-14 20:18:45 -07:00
Christoph Hellwig
6faadbbb7f dmi: Mark all struct dmi_system_id instances const
... and __initconst if applicable.

Based on similar work for an older kernel in the Grsecurity patch.

[JD: fix toshiba-wmi build]
[JD: add htcpen]
[JD: move __initconst where checkscript wants it]

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jean Delvare <jdelvare@suse.de>
2017-09-14 11:59:30 +02:00
Linus Torvalds
f60a2abfdb The diff is dominated by the Allwinner A10/A20 SoCs getting converted to
the sunxi-ng framework. Otherwise, the heavy hitters are various drivers
 for SoCs like AT91, Amlogic, Renesas, and Rockchip. There are some other
 new clk drivers in here too but overall this is just a bunch of clk
 drivers for various different pieces of hardware and a collection of
 non-critical fixes for clk drivers.
 
 New Drivers:
  - Allwinner R40 SoCs
  - Renesas R-Car Gen3 USB 2.0 clock selector PHY
  - Atmel AT91 audio PLL
  - Uniphier PXs3 SoCs
  - ARC HSDK Board PLLs
  - AXS10X Board PLLs
  - STMicroelectronics STM32H743 SoCs
 
 Removed Drivers:
  - Non-compiling mb86s7x support
 
 Updates:
  - Allwinner A10/A20 SoCs converted to sunxi-ng framework
  - Allwinner H3 CPU clk fixes
  - Renesas R-Car D3 SoC
  - Renesas V2H and M3-W modules
  - Samsung Exynos5420/5422/5800 audio fixes
  - Rockchip fractional clk approximation fixes
  - Rockchip rk3126 SoC support within the rk3128 driver
  - Amlogic gxbb CEC32 and sd_emmc clks
  - Amlogic meson8b reset controller support
  - IDT VersaClock 5P49V5925/5P49V6901 support
  - Qualcomm MSM8996 SMMU clks
  - Various 'const' applications for struct clk_ops
  - si5351 PLL reset bugfix
  - Uniphier audio on LD11/LD20 and ethernet support on LD11/LD20/Pro4/PXs2
  - Assorted Tegra clk driver fixes
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABCAAGBQJZuIAQAAoJEK0CiJfG5JUlUMQQAKFwCZRfTzz0m9jJ9s1XZSR/
 vldNAEUGm+Mz0W84xIzFqaT0UI1+SJK4e9Du+EN6phcCD5yVB0JS2EtRa84Bku/i
 Zy6AYSUNbGjx94HPwIq1hKt+UOIfBiNbJKMnkoCbEyYPA/TiWzr8JR5GyLjwYhPq
 IZHSvKqUKM3h2nr+MtpFJIIk8DlkLARRca4CCqa5i2Oqj6B8rjQQAq7TaLAM3ASN
 tSFIW2vdmWD+om2L57WHhwBgaYnUB4jBCRWkFZRsO4ZIRgm4VpePmosy2UTZ7fqb
 kEaW2bPuv65zUHpvjHG6yXo+yh0yk1fBsXG/joXgJ4oOmNzsIgnCZzPnGUC1ccms
 QdK/qhdIXsdgiR2DZtYuzUHji8+TNIPPjfAFyJjUwxDBXpqzXvsvltx2a1hg/rUP
 VDvTL2OnoGtrW2bXPufCkxBsyejJ4RqC5riMJws5xgMkqKKUajiLovPeuL6+8kU+
 ncqWYiIkEvHNKpmW511G/g+ClLk89zgXfxKFWWR+iDjSvA0hgaiRj1V3C2HIyS8f
 CLpalf6ao2+O008rUiaiqJyxWuwLujcdYokay2HXvTYc45rXrVwvlaDajxqs2eer
 lekUA4ZbX2g6qvB0lna6PNlv8JLQ1XPdzhWD2eeQIi7JgVSgwg++kUJqglsuai56
 eg5zNo6891GL9zFW10/A
 =0JbT
 -----END PGP SIGNATURE-----

Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux

Pull clk updates from Stephen Boyd:
 "The diff is dominated by the Allwinner A10/A20 SoCs getting converted
  to the sunxi-ng framework. Otherwise, the heavy hitters are various
  drivers for SoCs like AT91, Amlogic, Renesas, and Rockchip. There are
  some other new clk drivers in here too but overall this is just a
  bunch of clk drivers for various different pieces of hardware and a
  collection of non-critical fixes for clk drivers.

  New Drivers:
   - Allwinner R40 SoCs
   - Renesas R-Car Gen3 USB 2.0 clock selector PHY
   - Atmel AT91 audio PLL
   - Uniphier PXs3 SoCs
   - ARC HSDK Board PLLs
   - AXS10X Board PLLs
   - STMicroelectronics STM32H743 SoCs

  Removed Drivers:
   - Non-compiling mb86s7x support

  Updates:
   - Allwinner A10/A20 SoCs converted to sunxi-ng framework
   - Allwinner H3 CPU clk fixes
   - Renesas R-Car D3 SoC
   - Renesas V2H and M3-W modules
   - Samsung Exynos5420/5422/5800 audio fixes
   - Rockchip fractional clk approximation fixes
   - Rockchip rk3126 SoC support within the rk3128 driver
   - Amlogic gxbb CEC32 and sd_emmc clks
   - Amlogic meson8b reset controller support
   - IDT VersaClock 5P49V5925/5P49V6901 support
   - Qualcomm MSM8996 SMMU clks
   - Various 'const' applications for struct clk_ops
   - si5351 PLL reset bugfix
   - Uniphier audio on LD11/LD20 and ethernet support on LD11/LD20/Pro4/PXs2
   - Assorted Tegra clk driver fixes"

* tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux: (120 commits)
  clk: si5351: fix PLL reset
  ASoC: atmel-classd: remove aclk clock
  ASoC: atmel-classd: remove aclk clock from DT binding
  clk: at91: clk-generated: make gclk determine audio_pll rate
  clk: at91: clk-generated: create function to find best_diff
  clk: at91: add audio pll clock drivers
  dt-bindings: clk: at91: add audio plls to the compatible list
  clk: at91: clk-generated: remove useless divisor loop
  clk: mb86s7x: Drop non-building driver
  clk: ti: check for null return in strrchr to avoid null dereferencing
  clk: Don't write error code into divider register
  clk: uniphier: add video input subsystem clock
  clk: uniphier: add audio system clock
  clk: stm32h7: Add stm32h743 clock driver
  clk: gate: expose clk_gate_ops::is_enabled
  clk: nxp: clk-lpc32xx: rename clk_gate_is_enabled()
  clk: uniphier: add PXs3 clock data
  clk: hi6220: change watchdog clock source
  clk: Kconfig: Name RK805 in Kconfig for COMMON_CLK_RK808
  clk: cs2000: Add cs2000_set_saved_rate
  ...
2017-09-13 11:04:14 -07:00
Linus Torvalds
2818d0d759 sound fixes for 4.14-rc1
Most of the commits are trivial cleanup patches, while one commit
 is a significant fix for the race at ALSA sequencer that was spotted
 by syzkaller.
 -----BEGIN PGP SIGNATURE-----
 
 iQJCBAABCAAsFiEECxfAB4MH3rD5mfB6bDGAVD0pKaQFAlm5SVUOHHRpd2FpQHN1
 c2UuZGUACgkQbDGAVD0pKaSZgxAAodFAsdSP1GNPCqf12M7iIFLQpiNI5Yn+goMF
 aT8aYKUxaOd6ov/NuWRGvzwpnVgqN9AGA/cZ4VVDlRbtT5vmbfRjhRyCKUF321bh
 wQTGBBI1/McHOd+Jq5egH+V0xhsnuB6izRys9OboZvNDvaR6GVillGWSEGSHD5RQ
 JdXmCoBIPkeE72sHii1AmsTsDD/2mKAAvV94A8mGI7w6BZJvdpfC5S6XwWRP4+3F
 IKPKHPoMCHuAtB1gMGc7Fbt/o3SPWKPyBub6qmGHwdQFPTLDZNKmWjkTYINMnc7G
 6LXAMQWxDvYziWOFsSUrv+DcDXJup0n+xswDd3qeTL1mRO0PrRM0SlULl2wcZQtO
 depksy2m07ZFU8SelHuy5EiJq7TGiyqG/ensbCpN2Fwf1mhl7oCLRo7+GLOp0uIq
 pZj7zEE3UBCvfAaouAPQADjvr6SjeUyVjcXYw0fDZtNPoBPlU1lPXk9a5zFNBNVg
 ZXwkfPkbXA23OXx9Da7mBi+cb8MYjvBInWsDkS0X4fr2t111dtXAVLX68dfMgzxH
 ydTDQf1ASiuVRmnwQ/vWvl3KIe9BC+kVjLBoQKEV+uIgXF0h1TrrDpKa/Ob0J4vf
 klMeu5iumtQzVpnE6UgeV+yJz5silSYEiVX+Cdn6XPfiFSQm9F9dR15lkyf6SZEe
 Dhun6i4=
 =R41d
 -----END PGP SIGNATURE-----

Merge tag 'sound-fix-4.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "Most of the commits are trivial cleanup patches, while one commit is a
  significant fix for the race at ALSA sequencer that was spotted by
  syzkaller"

* tag 'sound-fix-4.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ALSA: seq: Cancel pending autoload work at unbinding device
  ALSA: firewire: Use common error handling code in snd_motu_stream_start_duplex()
  ALSA: asihpi: Kill BUG_ON() usages
  ALSA: core: Use %pS printk format for direct addresses
  ALSA: ymfpci: Use common error handling code in snd_ymfpci_create()
  ALSA: ymfpci: Use common error handling code in snd_card_ymfpci_probe()
  ALSA: 6fire: Use common error handling code in usb6fire_chip_probe()
  ALSA: usx2y: Use common error handling code in submit_urbs()
  ALSA: us122l: Use common error handling code in us122l_create_card()
  ALSA: hdspm: Use common error handling code in snd_hdspm_probe()
  ALSA: rme9652: Use common code in hdsp_get_iobox_version()
  ALSA: maestro3: Use common error handling code in two functions
2017-09-13 10:50:06 -07:00
Takashi Iwai
fc27fe7e8d ALSA: seq: Cancel pending autoload work at unbinding device
ALSA sequencer core has a mechanism to load the enumerated devices
automatically, and it's performed in an off-load work.  This seems
causing some race when a sequencer is removed while the pending
autoload work is running.  As syzkaller spotted, it may lead to some
use-after-free:
  BUG: KASAN: use-after-free in snd_rawmidi_dev_seq_free+0x69/0x70
  sound/core/rawmidi.c:1617
  Write of size 8 at addr ffff88006c611d90 by task kworker/2:1/567

  CPU: 2 PID: 567 Comm: kworker/2:1 Not tainted 4.13.0+ #29
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
  Workqueue: events autoload_drivers
  Call Trace:
   __dump_stack lib/dump_stack.c:16 [inline]
   dump_stack+0x192/0x22c lib/dump_stack.c:52
   print_address_description+0x78/0x280 mm/kasan/report.c:252
   kasan_report_error mm/kasan/report.c:351 [inline]
   kasan_report+0x230/0x340 mm/kasan/report.c:409
   __asan_report_store8_noabort+0x1c/0x20 mm/kasan/report.c:435
   snd_rawmidi_dev_seq_free+0x69/0x70 sound/core/rawmidi.c:1617
   snd_seq_dev_release+0x4f/0x70 sound/core/seq_device.c:192
   device_release+0x13f/0x210 drivers/base/core.c:814
   kobject_cleanup lib/kobject.c:648 [inline]
   kobject_release lib/kobject.c:677 [inline]
   kref_put include/linux/kref.h:70 [inline]
   kobject_put+0x145/0x240 lib/kobject.c:694
   put_device+0x25/0x30 drivers/base/core.c:1799
   klist_devices_put+0x36/0x40 drivers/base/bus.c:827
   klist_next+0x264/0x4a0 lib/klist.c:403
   next_device drivers/base/bus.c:270 [inline]
   bus_for_each_dev+0x17e/0x210 drivers/base/bus.c:312
   autoload_drivers+0x3b/0x50 sound/core/seq_device.c:117
   process_one_work+0x9fb/0x1570 kernel/workqueue.c:2097
   worker_thread+0x1e4/0x1350 kernel/workqueue.c:2231
   kthread+0x324/0x3f0 kernel/kthread.c:231
   ret_from_fork+0x25/0x30 arch/x86/entry/entry_64.S:425

The fix is simply to assure canceling the autoload work at removing
the device.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-09-12 12:41:20 +02:00
Markus Elfring
f16e666b9b ALSA: firewire: Use common error handling code in snd_motu_stream_start_duplex()
Add a jump target so that a bit of exception handling can be better reused
at the end of this function.

This issue was detected by using the Coccinelle software.

Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-09-12 09:23:26 +02:00
Masahiro Yamada
604df32236 linux/kernel.h: move DIV_ROUND_DOWN_ULL() macro
This macro is useful to avoid link error on 32-bit systems.

We have the same definition in two drivers, so move it to
include/linux/kernel.h

While we are here, refactor DIV_ROUND_UP_ULL() by using
DIV_ROUND_DOWN_ULL().

Link: http://lkml.kernel.org/r/1500945156-12907-1-git-send-email-yamada.masahiro@socionext.com
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Acked-by: Mark Brown <broonie@kernel.org>
Cc: Cyrille Pitchen <cyrille.pitchen@wedev4u.fr>
Cc: Jaroslav Kysela <perex@perex.cz>
Cc: Takashi Iwai <tiwai@suse.com>
Cc: Liam Girdwood <lgirdwood@gmail.com>
Cc: Boris Brezillon <boris.brezillon@free-electrons.com>
Cc: Marek Vasut <marek.vasut@gmail.com>
Cc: Brian Norris <computersforpeace@gmail.com>
Cc: Richard Weinberger <richard@nod.at>
Cc: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-09-08 18:26:47 -07:00
Linus Torvalds
968c61f7da - New Drivers
- RK805 Power Management IC (PMIC)
    - ROHM BD9571MWV-M MFD Power Management IC (PMIC)
    - Texas Instruments TPS68470 Power Management IC (PMIC) & LEDs
 
  - New Device Support
    - Add support for HiSilicon Hi6421v530 to hi6421-pmic-core
    - Add support for X-Powers AXP806 to axp20x
    - Add support for X-Powers AXP813 to axp20x
    - Add support for Intel Sunrise Point LPSS to intel-lpss-pci
 
  - New Functionality
    - Amend API to provide register layout; atmel-smc
 
 - Fix-ups
    - DT re-work; omap, nokia
    - Header file location change {I2C => MFD}; dm355evm_msp, tps65010
    - Fix chip ID formatting issue(s); rk808
    - Optionally register touchscreen devices; da9052-core
    - Documentation improvements; twl-core
    - Constification; rtsx_pcr, ab8500-core, da9055-i2c, da9052-spi
    - Drop unnecessary static declaration; max8925-i2c
    - Kconfig changes (missing deps and remove module support)
    - Slim down oversized licence statement; hi6421-pmic-core
    - Use managed resources (devm_*); lp87565
    - Supply proper error checking/handling; t7l66xb
 
  - Bug Fixes
    - Fix counter duplication issue; da9052-core
    - Fix potential NULL deference issue; max8998
    - Leave SPI-NOR write-protection bit alone; lpc_ich
    - Ensure device is put into reset during suspend; intel-lpss
    - Correct register offset variable size; omap-usb-tll
 -----BEGIN PGP SIGNATURE-----
 
 iQIcBAABCAAGBQJZsP0YAAoJEFGvii+H/HdhrJUP/RB6BTCDMf3WCi5e6PN8IFST
 JspCcf4bwKVc5lDvORQglVRfBhKY/uSr7F9xlfXtHx8V60ZNo1VOQcyJBTKIz+IJ
 +FQQgM3lEMKIn3QCcu9lKSRomJx55YDnF5SrZ8FzkC8pGLrCYEru5HfqFqOTfPqq
 OH2wZSqiX4H/jYdfVzp3bgqXkDff/nSEGTeFankFkv4wRvLGRxlpVuqkRJcvEJA3
 d8N9MoBBxkZAtAn2j1H5cHyPx5NrBEM2gkXpDfdd+kJNnFzjL72xsXd6rp+N6rcm
 d20eL+1fyJVyvGhGiDOhFwqRAZEqvjPSI4k5kQdRk8IdioGgbmaI74eUbv+rGAKp
 P9QdR7n1ctYyVgwnawIwKTPMzdZo5+9kdagCtu8IBVT02zQqVSDKZM7dAYo2rJuF
 yw24jONcwHFrKA25n1pLJmMbJGHq83kqqw3q5kl17nyArvOOcyspCTODIL9iskhZ
 L0IoIMwQYEj/pnI+iuXl9bJ30v2FIJxyCzUR2u7OJnrH7G27rsoOL0WDqxbp3Dp9
 7tD+6OzMiyIEDxtcd74kjg7g9p5HCmcY3FiDWirmQuZIR3abSET4ap+cTYPdFqVZ
 widS5Pi4PP40ZFN6+4lbBHLlh6MgpHpig9M03kFAr1SyZnH8nf4TnCsFV+wYPyTb
 LR3cKpFeTY8IyFWaLoSg
 =TKIm
 -----END PGP SIGNATURE-----

Merge tag 'mfd-next-4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd

Pull MFD updates from Lee Jones:
 "New Drivers
   - RK805 Power Management IC (PMIC)
   - ROHM BD9571MWV-M MFD Power Management IC (PMIC)
   - Texas Instruments TPS68470 Power Management IC (PMIC) & LEDs

  New Device Support:
   - Add support for HiSilicon Hi6421v530 to hi6421-pmic-core
   - Add support for X-Powers AXP806 to axp20x
   - Add support for X-Powers AXP813 to axp20x
   - Add support for Intel Sunrise Point LPSS to intel-lpss-pci

  New Functionality:
   - Amend API to provide register layout; atmel-smc

  Fix-ups:
   - DT re-work; omap, nokia
   - Header file location change {I2C => MFD}; dm355evm_msp, tps65010
   - Fix chip ID formatting issue(s); rk808
   - Optionally register touchscreen devices; da9052-core
   - Documentation improvements; twl-core
   - Constification; rtsx_pcr, ab8500-core, da9055-i2c, da9052-spi
   - Drop unnecessary static declaration; max8925-i2c
   - Kconfig changes (missing deps and remove module support)
   - Slim down oversized licence statement; hi6421-pmic-core
   - Use managed resources (devm_*); lp87565
   - Supply proper error checking/handling; t7l66xb

  Bug Fixes:
   - Fix counter duplication issue; da9052-core
   - Fix potential NULL deference issue; max8998
   - Leave SPI-NOR write-protection bit alone; lpc_ich
   - Ensure device is put into reset during suspend; intel-lpss
   - Correct register offset variable size; omap-usb-tll"

* tag 'mfd-next-4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd: (61 commits)
  mfd: intel_soc_pmic: Differentiate between Bay and Cherry Trail CRC variants
  mfd: intel_soc_pmic: Export separate mfd-cell configs for BYT and CHT
  dt-bindings: mfd: Add bindings for ZII RAVE devices
  mfd: omap-usb-tll: Fix register offsets
  mfd: da9052: Constify spi_device_id
  mfd: intel-lpss: Put I2C and SPI controllers into reset state on suspend
  mfd: da9055: Constify i2c_device_id
  mfd: intel-lpss: Add missing PCI ID for Intel Sunrise Point LPSS devices
  mfd: t7l66xb: Handle return value of clk_prepare_enable
  mfd: Add ROHM BD9571MWV-M PMIC DT bindings
  mfd: intel_soc_pmic_chtwc: Turn Kconfig option into a bool
  mfd: lp87565: Convert to use devm_mfd_add_devices()
  mfd: Add support for TPS68470 device
  mfd: lpc_ich: Do not touch SPI-NOR write protection bit on Haswell/Broadwell
  mfd: syscon: atmel-smc: Add helper to retrieve register layout
  mfd: axp20x: Use correct platform device ID for many PEK
  dt-bindings: mfd: axp20x: Introduce bindings for AXP813
  mfd: axp20x: Add support for AXP813 PMIC
  dt-bindings: mfd: axp20x: Add AXP806 to supported list of chips
  mfd: Add ROHM BD9571MWV-M MFD PMIC driver
  ...
2017-09-07 13:51:13 -07:00
Linus Torvalds
d969443064 sound updates for 4.14-rc1
We have touched quite a lot of files but with fewer changes at this
 cycle; as you can see, most of changes are trivial fixes, especially
 constification patches.  Among the massive attacks by constification
 gangs, we had a few core changes (mostly for ASoC core), as well the
 fixes and the updates by major vendors.  Some highlights are below:
 
 ALSA core:
 - Fix possible races in control API user-TLV codes
 - Small cleanup of PCM core
 
 ASoC:
 - Continued work for componentization; still half-baked, but we're
   certainly progressing
 - Use of devres for jack detection GPIOs, rather as a cleanup
 - Jack detection support for Qualcomm MSM8916
 - Support for Allwinner H3, Cirrus Logic CS43130, Intel Kabylake
   systems with RT5663, Realtek RT274, TI TLV320AIC32x6 and Wolfson
   WM8523
 -----BEGIN PGP SIGNATURE-----
 
 iQJCBAABCAAsFiEECxfAB4MH3rD5mfB6bDGAVD0pKaQFAlmuvBsOHHRpd2FpQHN1
 c2UuZGUACgkQbDGAVD0pKaQl2Q/+I7gcTwlNqjqKL0NZx2cX37nHmfsEcEkWXzx5
 +GFx7LJQf1sLlpxA8YWFThY24/59lH711guC1q8OGwRFdwl9X01+b/vScpvrxnzH
 a0wBTFuvQhr70brc33Y3q3mPhspC5QIUOJtzULG6MiLgzlTBZqLLu2uKV4fSz36I
 pGhi9OB7gMyUL4PFXk7xkcCNxzdOiptWWwFJgh39Yd+9yNP3/U0y3hHz6uzDuQf1
 tUIxDhwl22w8gCiYYNbBn8pcSGH+KT4BMqa5+/+qlV5exNa+Es8DozCQ+lis579+
 dnVc/rpzDJPotmWYdWJsuAmkURvtgzizWSill31bRSoydhfClw6yfl6EoGfZdP50
 3SES87YhTCAPCWfMFSUBtG3PZHgKQcp+QqWCrPaxmVIjqFDS+OxYxtkfVqGRd1u3
 Vv9VCbXhocsdMxA4FlTdyoQPCM9DxcHIdqCmYyjDs55eSy/dO4ND005eunnZawNh
 8kbQcP4873PbDdCssXEeWsbvDSkaeVEa5/taLpalfG7bIO9zHX7ese/0zIgljaF3
 0zK3beWIaIxIeZ473+/gwmzFSpUeIEFJW6YJDkT7CDrRuT1C6fzhaAkz7J+BdzZd
 et0Cqr9tQg0Xk9SsXV1rq1h90e9yQcG0wdalkGrxEVDVtnTRmL5v4AiyX8wzpTAp
 MbuniQo=
 =/Rv6
 -----END PGP SIGNATURE-----

Merge tag 'sound-4.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound updates from Takashi Iwai:
 "We have touched quite a lot of files but with fewer changes at this
  cycle; as you can see, most of changes are trivial fixes, especially
  constification patches.

  Among the massive attacks by constification gangs, we had a few core
  changes (mostly for ASoC core), as well the fixes and the updates by
  major vendors.

  Some highlights:

  ALSA core:

   - Fix possible races in control API user-TLV codes

   - Small cleanup of PCM core

  ASoC:

   - Continued work for componentization; still half-baked, but we're
     certainly progressing

   - Use of devres for jack detection GPIOs, rather as a cleanup

   - Jack detection support for Qualcomm MSM8916

   - Support for Allwinner H3, Cirrus Logic CS43130, Intel Kabylake
     systems with RT5663, Realtek RT274, TI TLV320AIC32x6 and Wolfson
     WM8523"

* tag 'sound-4.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (512 commits)
  ALSA: hda/ca0132 - Fix memory leak at error path
  ALSA: hda: Fix forget to free resource in error handling code path in hda_codec_driver_probe
  ASoC: cs43130: Fix unused compiler warnings for PM runtime
  ASoC: cs43130: Fix possible Oops with invalid dev_id
  ASoC: cs43130: fix spelling mistake: "irq_occurrance" -> "irq_occurrence"
  ALSA: atmel: Remove leftovers of AVR32 removal
  ALSA: atmel: convert AC97c driver to GPIO descriptor API
  ALSA: hda/realtek - Enable jack detection function for Intel ALC700
  ALSA: hda: Fix regression of hdmi eld control created based on invalid pcm
  ASoC: Intel: Skylake: Add IPC to configure the copier secondary pins
  ASoC: add missing compile rule for max98371
  ASoC: add missing compile rule for sirf-audio-codec
  ASoC: add missing compile rule for max98371
  ASoC: cs43130: Add devicetree bindings for CS43130
  ASoC: cs43130: Add support for CS43130 codec
  ASoC: make clock direction configurable in asoc-simple
  ALSA: ctxfi: Remove null check before kfree
  ASoC: max98927: Changed device property read function
  ASoC: max98927: Modified DAPM widget and map to enable/disable VI sense path
  ASoC: max98927: Added PM suspend and resume function
  ...
2017-09-07 12:44:53 -07:00
Takashi Iwai
2a0d85d9ad ALSA: asihpi: Kill BUG_ON() usages
BUG_ON() is the worst choice for a trivial sanity check.
Either it should be removed or replaced with a softer one like
WARN_ON() if still really needed.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-09-07 10:52:37 +02:00
Helge Deller
c844558945 ALSA: core: Use %pS printk format for direct addresses
The debug functions uses wrongly the %pF instead of the %pS printk format
specifier for printing symbols for the address returned by
_builtin_return_address(0). Fix it for the ia64, ppc64 and parisc64
architectures.

Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-09-07 10:36:02 +02:00
Markus Elfring
ba2186e40c ALSA: ymfpci: Use common error handling code in snd_ymfpci_create()
* Add a jump target so that a bit of exception handling can be better
  reused at the end of this function.

  This issue was detected by using the Coccinelle software.

* The script "checkpatch.pl" pointed information out like the following.

  ERROR: do not use assignment in if condition

  Thus fix a few source code places.

Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-09-07 10:33:28 +02:00
Markus Elfring
1f5ca8ec58 ALSA: ymfpci: Use common error handling code in snd_card_ymfpci_probe()
* Add a jump target so that a bit of exception handling can be better
  reused at the end of this function.

  This issue was detected by using the Coccinelle software.

* The script "checkpatch.pl" pointed information out like the following.

  ERROR: do not use assignment in if condition

  Thus fix a few source code places.

[ This also fixed a potential use-after-free at error path of
  snd_opl3_hwdep_new(), too -- tiwai ]

Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-09-07 10:32:30 +02:00
Markus Elfring
f804fff136 ALSA: 6fire: Use common error handling code in usb6fire_chip_probe()
Add a jump target so that a bit of exception handling can be better reused
at the end of this function.

This issue was detected by using the Coccinelle software.

Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-09-07 10:29:35 +02:00
Markus Elfring
d2d9770879 ALSA: usx2y: Use common error handling code in submit_urbs()
Add a jump target so that a bit of exception handling can be better reused
at the end of this function.

This issue was detected by using the Coccinelle software.

Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-09-07 10:28:30 +02:00
Markus Elfring
80753cdfef ALSA: us122l: Use common error handling code in us122l_create_card()
Add a jump target so that a bit of exception handling can be better reused
at the end of this function.

This issue was detected by using the Coccinelle software.

Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-09-07 10:27:42 +02:00
Markus Elfring
e35e9ddfab ALSA: hdspm: Use common error handling code in snd_hdspm_probe()
Add a jump target so that a bit of exception handling can be better reused
at the end of this function.

This issue was detected by using the Coccinelle software.

Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-09-07 10:26:19 +02:00
Markus Elfring
99dcad3237 ALSA: rme9652: Use common code in hdsp_get_iobox_version()
Add a jump target so that a bit of common code can be better reused
at the end of this function.

This issue was detected by using the Coccinelle software.

Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-09-07 10:25:29 +02:00
Markus Elfring
468778a09c ALSA: maestro3: Use common error handling code in two functions
Add jump targets so that a bit of exception handling can be better reused
at the end of these functions.

This issue was detected by using the Coccinelle software.

Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-09-07 10:23:47 +02:00
Linus Torvalds
f32c9e059e Merge branch 'parisc-4.14-1' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux
Pull parisc updates from Helge Deller:
 "Major changes include:

   - Full support of the firmware Page Deallocation Table with
     MADV_HWPOISON and MADV_SOFT_OFFLINE. A kernel thread scans
     regularily for new bad memory pages.

   - Full support for self-extracting kernel.

   - Added UBSAN support.

   - Lots of section mismatch fixes across all parisc drivers.

   - Added examples for %pF and %pS usage in printk-formats.txt"

* 'parisc-4.14-1' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux: (28 commits)
  printk-formats.txt: Add examples for %pF and %pS usage
  parisc: Fix up devices below a PCI-PCI MegaRAID controller bridge
  parisc/core: Fix section mismatches
  parisc/ipmi_si_intf: Fix section mismatches on parisc platform
  parisc/input/hilkbd: Fix section mismatches
  parisc/net/lasi_82596: Fix section mismatches
  parisc/serio: Fix section mismatches in gscps2 and hp_sdc drivers
  parisc: Fix section mismatches in parisc core drivers
  parisc/parport_gsc: Fix section mismatches
  parisc/scsi/lasi700: Fix section mismatches
  parisc/scsi/zalon: Fix section mismatches
  parisc/8250_gsc: Fix section mismatches
  parisc/mux: Fix section mismatches
  parisc/sticore: Fix section mismatches
  parisc/harmony: Fix section mismatches
  parisc: Wire up support for self-extracting kernel
  parisc: Make existing core files reuseable for bootloader
  parisc: Add core code for self-extracting kernel
  parisc: Enable UBSAN support
  parisc/random: Add machine specific randomness
  ...
2017-09-05 09:37:11 -07:00
Takashi Iwai
ee5f38a445 ASoC: Fixes for the CS43130 driver
A couple of warning fixes for the newly added CS43130 driver.
 -----BEGIN PGP SIGNATURE-----
 
 iQFHBAABCAAxFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAlmtesYTHGJyb29uaWVA
 a2VybmVsLm9yZwAKCRAk1otyXVSH0JAOB/9AoBjdVjBNuAm1Wbbx4/HNa+8AbptV
 bEgyg7DAP9Dua0XxZqDikm14LdD1iOUziQRJcMzm0ooqdVgNR3gD3GyMuj5EJhtb
 5ov27XHD5jHkgZaOUtLke2IeK2NuvC0v3ik3iMMcc37Z9p+zTzjemVUpgxYZk6Fe
 jGo/efNFPmHyoD05XIqnRoTeDEQNojRVYKzEcxg2KJhsLi0zCRdxsbWkt+X6fw/Z
 b/UXIfpcRvogc2Qsm+tngmyN+oN05zKItUQKU8WUfexp7gI6BBNfs49un+NDgfp1
 r0YLMWGhKcjwtw3J3Fp1Nq1lfi8Hbl7+EXJCADDlACFA03A1pKeiuX8C
 =4ibF
 -----END PGP SIGNATURE-----

Merge tag 'asoc-v4.14-cs43130' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus

ASoC: Fixes for the CS43130 driver

A couple of warning fixes for the newly added CS43130 driver.
2017-09-04 18:13:29 +02:00
Takashi Iwai
cc91ceaf3e ALSA: hda/ca0132 - Fix memory leak at error path
The CA0132 codec driver doesn't call the free function at its error
path of the probe, which leaves the allocated memory.  Call
ca0132_free() properly at the error handling.

Fixes: a73d511c48 ("ALSA: hda/ca0132: Add unsol handler for DSP and jack detection")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-09-04 17:42:27 +02:00
Wang YanQing
284b4c9289 ALSA: hda: Fix forget to free resource in error handling code path in hda_codec_driver_probe
When hda_codec_driver_probe meet error and return failure, we need
to free resource with patch_ops.free, or we will get resource leak.

Signed-off-by: Wang YanQing <udknight@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-09-04 17:33:53 +02:00
Takashi Iwai
7051334672 ASoC: cs43130: Fix unused compiler warnings for PM runtime
Add __maybe_unused prefix for addressing the following warnings:
  sound/soc/codecs/cs43130.c:2615:12: warning: ‘cs43130_runtime_resume’ defined but not used [-Wunused-function]
  sound/soc/codecs/cs43130.c:2596:12: warning: ‘cs43130_runtime_suspend’ defined but not used [-Wunused-function]

Fixes: 8f1e5bf9b4 ("ASoC: cs43130: Add support for CS43130 codec")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Mark Brown <broonie@kernel.org>
2017-09-04 15:45:12 +01:00
Takashi Iwai
f31877a16b ASoC: cs43130: Fix possible Oops with invalid dev_id
As compiler spotted out, there is the potential NULL-dereference in
the code when dc-measure OF is given for other than 43130/43131:
  sound/soc/codecs/cs43130.c:2089:18: warning: ‘hpload_seq’ may be used uninitialized in this function [-Wmaybe-uninitialized]

Warn it and return before triggering Oops.

Fixes: 8f1e5bf9b4 ("ASoC: cs43130: Add support for CS43130 codec")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Mark Brown <broonie@kernel.org>
2017-09-04 15:45:09 +01:00