2
0
mirror of https://github.com/edk2-porting/linux-next.git synced 2024-12-29 15:43:59 +08:00
Commit Graph

1555 Commits

Author SHA1 Message Date
Takashi Iwai
99fff44fe3 Merge branch 'for-linus' into for-next
Back-merge the 5.1 devel branch for the further HD-audio development.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-04-13 10:09:46 +02:00
Takashi Iwai
6b580f5231 ALSA: seq: Protect racy pool manipulation from OSS sequencer
OSS sequencer emulation still allows to queue and issue the events
that manipulate the client pool concurrently in a racy way.  This
patch serializes the access like the normal sequencer write / ioctl
via taking the client ioctl_mutex.  Since the access to the sequencer
client is done indirectly via a client id number, a new helper to
take/release the mutex is introduced.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-04-12 13:07:25 +02:00
Takashi Iwai
6740ea6776 ALSA: seq: Simplify snd_seq_kernel_client_enqueue() helper
We have two helpers for queuing a sequencer event from the kernel
client, and both are used only from OSS sequencer layer without any
hop and atomic set.  Let's simplify and unify two helpers into one.

No functional change, just a call pattern change.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-04-12 12:51:22 +02:00
Takashi Iwai
7c32ae35fb ALSA: seq: Cover unsubscribe_port() in list_mutex
The call of unsubscribe_port() which manages the group count and
module refcount from delete_and_unsubscribe_port() looks racy; it's
not covered by the group list lock, and it's likely a cause of the
reported unbalance at port deletion.  Let's move the call inside the
group list_mutex to plug the hole.

Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-04-12 12:50:10 +02:00
Takashi Iwai
f0654ba94e Revert "ALSA: seq: Protect in-kernel ioctl calls with mutex"
This reverts commit feb689025f.

The fix attempt was incorrect, leading to the mutex deadlock through
the close of OSS sequencer client.  The proper fix needs more
consideration, so let's revert it now.

Fixes: feb689025f ("ALSA: seq: Protect in-kernel ioctl calls with mutex")
Reported-by: syzbot+47ded6c0f23016cde310@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-04-11 19:58:43 +02:00
Takashi Iwai
5d704b0d3b ALSA: timer: Coding style fixes
Avoid old school C style but do plain and clear way.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-04-10 08:42:26 +02:00
Takashi Iwai
41672c0c24 ALSA: timer: Simplify error path in snd_timer_open()
Just a minor refactoring to use the standard goto for error paths in
snd_timer_open() instead of open code.  The first mutex_lock() is
moved to the beginning of the function to make the code clearer.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-04-10 08:42:22 +02:00
Takashi Iwai
2eabc5ec8a ALSA: seq: Fix race of get-subscription call vs port-delete ioctls
The snd_seq_ioctl_get_subscription() retrieves the port subscriber
information as a pointer, while the object isn't protected, hence it
may be deleted before the actual reference.  This race was spotted by
syzkaller and may lead to a UAF.

The fix is simply copying the data in the lookup function that
performs in the rwsem to protect against the deletion.

Reported-by: syzbot+9437020c82413d00222d@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-04-09 18:54:13 +02:00
Takashi Iwai
feb689025f ALSA: seq: Protect in-kernel ioctl calls with mutex
ALSA OSS sequencer calls the ioctl function indirectly via
snd_seq_kernel_client_ctl().  While we already applied the protection
against races between the normal ioctls and writes via the client's
ioctl_mutex, this code path was left untouched.  And this seems to be
the cause of still remaining some rare UAF as spontaneously triggered
by syzkaller.

For the sake of robustness, wrap the ioctl_mutex also for the call via
snd_seq_kernel_client_ctl(), too.

Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-04-09 18:54:12 +02:00
Takashi Iwai
f823b8a755 ALSA: seq: Remove superfluous irqsave flags
spin_lock_irqsave() is used unnecessarily in various places in
sequencer core code although it's pretty obvious that the context is
sleepable.  Remove irqsave and use the plain spin_lock_irq() in such
places for simplicity.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-04-09 17:22:46 +02:00
Takashi Iwai
4b24b960b1 ALSA: seq: Align temporary re-locking with irqsave version
In a few places in sequencer core, we temporarily unlock / re-lock the
pool spin lock while waiting for the allocation in the blocking mode.
There spin_unlock_irq() / spin_lock_irq() pairs are called while
initially spin_lock_irqsave() is used (and spin_lock_irqrestore() at
the end of the function again).  This is likely OK for now, but it's a
bit confusing and error-prone.

This patch replaces these temporary relocking lines with the irqsave
variant to make the lock/unlock sequence more consistently.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-04-09 17:22:46 +02:00
Takashi Iwai
fd7ae83de1 ALSA: seq: Use kvmalloc() for cell pools
Use kvmalloc() for allocating cell pools since the pool size can be
relatively small that may be covered better by slab.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-04-09 17:22:46 +02:00
Takashi Iwai
df55531b8b ALSA: timer: Revert active callback sync check at close
This is essentially a revert of the commit a7588c896b ("ALSA: timer:
Check ack_list emptiness instead of bit flag").  The intended change
by the commit turns out to be insufficient, as snd_timer_close*()
always calls snd_timer_stop() that deletes the ack_list beforehand.

In theory, we can change the behavior of snd_timer_stop() to sync the
pending ack_list, but this will become a deadlock for the callback
like sequencer that calls again snd_timer_stop() from itself.  So,
reverting the change is a more straightforward solution.

Fixes: a7588c896b ("ALSA: timer: Check ack_list emptiness instead of bit flag")
Reported-by: syzbot+58813d77154713f4de15@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-04-09 12:29:34 +02:00
Zubin Mithra
212ac181c1 ALSA: seq: Fix OOB-reads from strlcpy
When ioctl calls are made with non-null-terminated userspace strings,
strlcpy causes an OOB-read from within strlen. Fix by changing to use
strscpy instead.

Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-04-05 14:33:01 +02:00
Takashi Iwai
3a23fd0415 Merge branch 'topic/timer-fixes' into for-next
Pull yet another ALSA core timer fixes and cleanups.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-03-28 08:33:50 +01:00
Takashi Iwai
734b5a0bbd ALSA: Replace snd_malloc_pages() and snd_free_pages() with standard helpers, take#2
snd_malloc_pages() and snd_free_pages() are merely thin wrappers of
the standard page allocator / free functions.  Even the arguments are
compatible with some standard helpers, so there is little merit of
keeping these wrappers.

This patch replaces the all existing callers of snd_malloc_pages() and
snd_free_pages() with the direct calls of the standard helper
functions.  In this version, we use a recently introduced one,
alloc_pages_exact(), which suits better than the old
snd_malloc_pages() implementation for our purposes.  Then we can avoid
the waste of pages by alignment to power-of-two.

Since alloc_pages_exact() does split pages, we need no longer
__GFP_COMP flag; or better to say, we must not pass __GFP_COMP to
alloc_pages_exact().  So the former unconditional addition of
__GFP_COMP flag in snd_malloc_pages() is dropped, as well as in most
other places.

Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Acked-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-03-27 17:15:01 +01:00
Takashi Iwai
fe1b26c93d ALSA: timer: Make snd_timer_close() really kill pending actions
snd_timer_close() is supposed to close the timer instance and sync
with the deactivation of pending actions.  However, there are still
some overlooked cases:

- It calls snd_timer_stop() at the beginning, but some other might
  re-trigger the timer right after that.

- snd_timer_stop() calls del_timer_sync() only when all belonging
  instances are closed.  If multiple instances were assigned to a
  timer object and one is closed, the timer is still running.  Then
  the pending action assigned to this timer might be left.

Actually either of the above is the likely cause of the reported
syzkaller UAF.

This patch plug these holes by introducing SNDRV_TIMER_IFLG_DEAD
flag.  This is set at the beginning of snd_timer_close(), and the flag
is checked at snd_timer_start*() and else, so that no longer new
action is left after snd_timer_close().

Reported-by: syzbot+d5136d4d3240cbe45a2a@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-03-27 17:02:40 +01:00
Takashi Iwai
a7588c896b ALSA: timer: Check ack_list emptiness instead of bit flag
For checking the pending timer instance that is still left on the
timer object that is being closed, we set/clear a bit flag
SNDRV_TIMER_IFLG_CALLBACK around the call of callbacks.  This can be
simplified by replace with the list_empty() call for ti->ack_list.
This covers the existence more comprehensively and safely.

A gratis bonus is that we can get rid of SNDRV_TIMER_IFLG_CALLBACK bit
flag definition as well.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-03-27 16:56:08 +01:00
Takashi Iwai
7bb4a8a2cc ALSA: timer: Make sure to clear pending ack list
When a card is under disconnection, we bail out immediately at each
timer interrupt or tasklet.  This might leave some items left in ack
list.  For a better integration of the upcoming change to check
ack_list emptiness, clear out the whole list upon the emergency exit
route.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-03-27 16:51:58 +01:00
Takashi Iwai
8748b850be ALSA: timer: Unify timer callback process code
The timer core has two almost identical code for processing callbacks:
once in snd_timer_interrupt() for fast callbacks and another in
snd_timer_tasklet() for delayed callbacks.  Let's unify them.

In the new version, the resolution is read from ti->resolution at each
call, and this must be fine; ti->resolution is set in the preparation
step in snd_timer_interrupt().

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-03-27 16:42:51 +01:00
Takashi Iwai
113ce08109 ALSA: pcm: Don't suspend stream in unrecoverable PCM state
Currently PCM core sets each opened stream forcibly to SUSPENDED state
via snd_pcm_suspend_all() call, and the user-space is responsible for
re-triggering the resume manually either via snd_pcm_resume() or
prepare call.  The scheme works fine usually, but there are corner
cases where the stream can't be resumed by that call: the streams
still in OPEN state before finishing hw_params.  When they are
suspended, user-space cannot perform resume or prepare because they
haven't been set up yet.  The only possible recovery is to re-open the
device, which isn't nice at all.  Similarly, when a stream is in
DISCONNECTED state, it makes no sense to change it to SUSPENDED
state.  Ditto for in SETUP state; which you can re-prepare directly.

So, this patch addresses these issues by filtering the PCM streams to
be suspended by checking the PCM state.  When a stream is in either
OPEN, SETUP or DISCONNECTED as well as already SUSPENDED, the suspend
action is skipped.

To be noted, this problem was originally reported for the PCM runtime
PM on HD-audio.  And, the runtime PM problem itself was already
addressed (although not intended) by the code refactoring commits
3d21ef0b49 ("ALSA: pcm: Suspend streams globally via device type PM
ops") and 17bc4815de ("ALSA: pci: Remove superfluous
snd_pcm_suspend*() calls").  These commits eliminated the
snd_pcm_suspend*() calls from the runtime PM suspend callback code
path, hence the racy OPEN state won't appear while runtime PM.
(FWIW, the race window is between snd_pcm_open_substream() and the
first power up in azx_pcm_open().)

Although the runtime PM issue was already "fixed", the same problem is
still present for the system PM, hence this patch is still needed.
And for stable trees, this patch alone should suffice for fixing the
runtime PM problem, too.

Reported-and-tested-by: Jon Hunter <jonathanh@nvidia.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-03-25 16:36:30 +01:00
Takashi Iwai
ca0214ee28 ALSA: pcm: Fix possible OOB access in PCM oss plugins
The PCM OSS emulation converts and transfers the data on the fly via
"plugins".  The data is converted over the dynamically allocated
buffer for each plugin, and recently syzkaller caught OOB in this
flow.

Although the bisection by syzbot pointed out to the commit
65766ee0bf ("ALSA: oss: Use kvzalloc() for local buffer
allocations"), this is merely a commit to replace vmalloc() with
kvmalloc(), hence it can't be the cause.  The further debug action
revealed that this happens in the case where a slave PCM doesn't
support only the stereo channels while the OSS stream is set up for a
mono channel.  Below is a brief explanation:

At each OSS parameter change, the driver sets up the PCM hw_params
again in snd_pcm_oss_change_params_lock().  This is also the place
where plugins are created and local buffers are allocated.  The
problem is that the plugins are created before the final hw_params is
determined.  Namely, two snd_pcm_hw_param_near() calls for setting the
period size and periods may influence on the final result of channels,
rates, etc, too, while the current code has already created plugins
beforehand with the premature values.  So, the plugin believes that
channels=1, while the actual I/O is with channels=2, which makes the
driver reading/writing over the allocated buffer size.

The fix is simply to move the plugin allocation code after the final
hw_params call.

Reported-by: syzbot+d4503ae45b65c5bc1194@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-03-22 16:27:03 +01:00
Gustavo A. R. Silva
c709f14f06 ALSA: seq: oss: Fix Spectre v1 vulnerability
dev is indirectly controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

sound/core/seq/oss/seq_oss_synth.c:626 snd_seq_oss_synth_make_info() warn: potential spectre issue 'dp->synths' [w] (local cap)

Fix this by sanitizing dev before using it to index dp->synths.

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/

Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-03-21 13:23:51 +01:00
Gustavo A. R. Silva
2b1d9c8f87 ALSA: rawmidi: Fix potential Spectre v1 vulnerability
info->stream is indirectly controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

sound/core/rawmidi.c:604 __snd_rawmidi_info_select() warn: potential spectre issue 'rmidi->streams' [r] (local cap)

Fix this by sanitizing info->stream before using it to index
rmidi->streams.

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/

Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-03-21 13:21:15 +01:00
Ricardo Biehl Pasquali
932a815195 ALSA: pcm: Comment why read blocks when PCM is not running
This avoids bringing back the problem introduced by
62ba568f7a ("ALSA: pcm: Return 0 when size <
start_threshold in capture") and fixed in 00a399cad1
("ALSA: pcm: Revert capture stream behavior change in
blocking mode"), which prevented the user from starting
capture from another thread.

Signed-off-by: Ricardo Biehl Pasquali <pasqualirb@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-13 08:01:05 +01:00
Takashi Iwai
5a23f38568 Merge branch 'for-linus' into for-next
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-13 08:00:54 +01:00
Ranjani Sridharan
d9c0b2afe8 ALSA: PCM: check if ops are defined before suspending PCM
BE dai links only have internal PCM's and their substream ops may
not be set. Suspending these PCM's will result in their
 ops->trigger() being invoked and cause a kernel oops.
So skip suspending PCM's if their ops are NULL.

[ NOTE: this change is required now for following the recent PCM core
  change to get rid of snd_pcm_suspend() call.  Since DPCM BE takes
  the runtime carried from FE while keeping NULL ops, it can hit this
  bug.  See details at:
     https://github.com/thesofproject/linux/pull/582
  -- tiwai ]

Signed-off-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-11 17:04:25 +01:00
Takashi Iwai
00a399cad1 ALSA: pcm: Revert capture stream behavior change in blocking mode
In the commit 62ba568f7a ("ALSA: pcm: Return 0 when size <
start_threshold in capture"), we changed the behavior of
__snd_pcm_lib_xfer() to return immediately with 0 when a capture
stream has a high start_threshold.  This was intended to be a
correction of the behavior consistency and looked harmless, but this
was the culprit of the recent breakage reported by syzkaller, which
was fixed by the commit e190161f96 ("ALSA: pcm: Fix tight loop of
OSS capture stream").

At the time for the OSS fix, I didn't touch the behavior for ALSA
native API, as assuming that this behavior actually is good.  But this
turned out to be also broken actually for a similar deployment,
e.g. one thread goes to a write loop in blocking mode while another
thread controls the start/stop of the stream manually.

Overall, the original commit is harmful, and it brings less merit to
keep that behavior.  Let's revert it.

Fixes: 62ba568f7a ("ALSA: pcm: Return 0 when size < start_threshold in capture")
Fixes: e190161f96 ("ALSA: pcm: Fix tight loop of OSS capture stream")
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-08 16:54:31 +01:00
Takashi Iwai
bb580602f3 ALSA: pcm: Define snd_pcm_lib_preallocate_*() as returning void
Now all callers no longer check the return value from
snd_pcm_lib_preallocate_pages() and co, let's make them to return
void, so that any new code won't fall into the same pitfall.

Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-08 14:24:12 +01:00
Takashi Iwai
29b2625ff6 ALSA: info: Move card id proc creation into info.c
The creation of card's id proc file can be moved gracefully into
info.c.  Also, the assignment of card->proc_id is superfluous and can
be dropped.  So let's do it.

Basically this is no functional change but code refactoring, but one
potential behavior change is that now it returns properly the error
code from snd_info_card_register(), which is a good thing (tm).

Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-06 18:11:58 +01:00
Takashi Iwai
a858ee6655 ALSA: info: Minor optimization
Just a minor code optimization to reduce the source code size
slightly.  No functional changes.

Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-06 18:11:58 +01:00
Takashi Iwai
9725752867 ALSA: info: Drop unused snd_info_entry.card field
It's referred only in snd_card_id_read() which can receive the card
object via private_data.

Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-06 18:11:58 +01:00
Takashi Iwai
7453e1dafd ALSA: info: Add standard helpers for card proc file entries
Two new helper functions are added here for cleaning up the existing
lengthy calls.

Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-06 18:11:55 +01:00
Takashi Iwai
4a471d7cc9 ALSA: compress: Remove superfluous snd_info_register() calls
The calls of snd_info_register() are superfluous and should be avoided
at the procfs creation time.  They are called at the end of the whole
initialization via snd_card_register().  This patch drops such
superfluous calls.

Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-06 18:11:54 +01:00
Takashi Iwai
a8d149813b ALSA: pcm: Remove superfluous snd_info_register() calls
The calls of snd_info_register() are superfluous and should be avoided
at the procfs creation time.  They are called at the end of the whole
initialization via snd_card_register().  This patch drops such
superfluous calls, as well as cleaning up the calls of substream proc
entries with a common helper.

Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-06 18:11:54 +01:00
Takashi Iwai
348c5ad5d6 ALSA: info: Always register entries recursively
Make sure that all children entries are registered by a single call of
snd_info_register().  OTOH, don't register if a parent isn't
registered yet.

This allows us to create the whole procfs tree in a shot at the last
stage of card registration phase in a later patch.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-05 13:58:03 +01:00
Takashi Iwai
6ce1d63ed7 ALSA: core: Don't allow NULL device for memory allocation
Since we covered all callers with NULL device pointer, let's catch the
remaining calls with NULL and warn explicitly.

Acked-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-02-05 11:05:26 +01:00
Guennadi Liakhovetski
515548fdd8 ALSA: pcm: remove a superfluous function declaration
Declaration of snd_pcm_drop() in sound/core/pcm_native.c is superfluous
since the function isn't called before being defined. Remove the
declaration.

Signed-off-by: Guennadi Liakhovetski <guennadi.liakhovetski@linux.intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-31 12:23:39 +01:00
Takashi Iwai
286406c2e1 Merge branch 'for-linus' into for-next
Pull 5.0 branch for further development of USB-audio quirks

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-29 11:07:48 +01:00
Takashi Iwai
e190161f96 ALSA: pcm: Fix tight loop of OSS capture stream
When the trigger=off is passed for a PCM OSS stream, it sets the
start_threshold of the given substream to the boundary size, so that
it won't be automatically started.  This can be problematic for a
capture stream, unfortunately, as detected by syzkaller.  The scenario
is like the following:

- In __snd_pcm_lib_xfer() that is invoked from snd_pcm_oss_read()
  loop, we have a check whether the stream was already started or the
  stream can be auto-started.
- The function at this check returns 0 with trigger=off since we
  explicitly disable the auto-start.
- The loop continues and repeats calling __snd_pcm_lib_xfer() tightly,
  which may lead to an RCU stall.

This patch fixes the bug by simply allowing the wait for non-started
stream in the case of OSS capture.  For native usages, it's supposed
to be done by the caller side (which is user-space), hence it returns
zero like before.

(In theory, __snd_pcm_lib_xfer() could wait even for the native API
 usage cases, too; but I'd like to stay in a safer side for not
 breaking the existing stuff for now.)

Reported-by: syzbot+fbe0496f92a0ce7b786c@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-25 19:45:46 +01:00
Takashi Iwai
315d9f1bee ALSA: pcm: Use the common error path in __snd_pcm_lib_xfer()
An open-coded error path in __snd_pcm_lib_xfer() can be replaced with
the simple goto to the common error path.  This also makes the error
handling more consistent, i.e. when some samples have been already
processed, return that size instead of the error code.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-25 17:31:59 +01:00
Takashi Iwai
205d6bcf9b Merge branch 'topic/pcm-lock-refactor' into for-next
Pull PCM lock refactoring.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-24 14:46:21 +01:00
Takashi Iwai
3a55437141 ALSA: proc: Avoid possible leaks of snd_info_entry objects
This patch changes the parent pointer assignment of snd_info_entry
object to be always non-NULL.  More specifically,check the parent
argument in snd_info_create_module_entry() & co, and assign
snd_proc_root if NULL is passed there.

This assures that the proc object is always freed when the root is
freed, so avoid possible memory leaks.  For example, some error paths
(e.g. snd_info_register() error at snd_minor_info_init()) may leave
snd_info_entry object although the proc file itself is freed.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-24 14:40:26 +01:00
Takashi Iwai
480e32ebd5 ALSA: pcm: Simplify proc file destruction
The proc files are recursively freed by calling with the root
snd_info_entry object, so we don't have to keep each object for
releasing one by one.  Move the release of the PCM stream proc root at
the beginning, so that we can remove the redundant code and resource.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-24 14:40:25 +01:00
Takashi Iwai
de89750c56 ALSA: pcm: Drop unused snd_pcm_substream.file field
It's assigned but nowhere used.  Let's remove it.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-24 14:40:25 +01:00
Takashi Iwai
ef2056b8f3 ALSA: pcm: Cleanup snd_pcm_stream_lock() & co
After the previous code refactoring, the PCM stream locking code
became nothing but the PCM group lock with self_group object.  Use the
existing helper function for simplifying the code.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-23 07:40:49 +01:00
Takashi Iwai
ecb41f0f44 ALSA: pcm: Remove down_write() hack for snd_pcm_link_rwsem
Remove the hackish down_write_nonfifo() that was introduced as a
workaround of rwsem deadlock.

It used to be a problem for non-atomic PCM streams that take the rwsem
for the locking and hit the high lock contention.  Since the current
PCM locking refactoring, we'll no longer hit it as the hot code-paths
don't take global locks.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-23 07:40:49 +01:00
Takashi Iwai
f57f3df03a ALSA: pcm: More fine-grained PCM link locking
We have currently two global locks, a rwlock and a rwsem, that are
used for managing linking the PCM streams.  Due to these global locks,
once when a linked stream is used, the lock granularity suffers a
lot.

This patch attempts to eliminate the former global lock for atomic
ops.  The latter rwsem needs remaining because of the loosy way of the
loop calls in snd_pcm_action_nonatomic(), as well as for avoiding the
deadlock at linking.  However, these are used far rarely, actually
only by two actions (prepare and  reset), where both are no timing
critical ones.  So this can be still seen as a good improvement.

The basic strategy to eliminate the rwlock is to assure group->lock at
adding or removing a stream to / from the group.  Since we already
takes the group lock whenever taking the all substream locks under the
group, this shouldn't be a big problem.  The reference to group
pointer in snd_pcm_substream object is protected by the stream lock
itself.

However, there are still pitfalls: a race window at re-locking and the
lifecycle of group object.  The former is a small race window for
dereferencing the substream group object opened while snd_pcm_action()
performs re-locking to avoid ABBA deadlocks.  This includes the unlink
of group during that window, too.  And the latter is the kfree
performed after all streams are removed from the group while it's
still dereferenced.

For addressing these corner cases, two new tricks are introduced:
- After re-locking, the group assigned to the stream is checked again;
  if the group is changed, we retry the whole procedure.
- Introduce a refcount to snd_pcm_group object, so that it's freed
  only when it's empty and really no one refers to it.

(Some readers might wonder why not RCU for the latter.  RCU in this
case would cost more than refcounting, unfortunately.  We take the
group lock sooner or later, hence the performance improvement by RCU
would be negligible.  Meanwhile, because we need to deal with
schedulable context depending on the pcm->nonatomic flag, it'll become
dynamic RCU/SRCU switch, and the grace period may become too long.)

Along with these changes, there are a significant amount of code
refactoring.  The complex group re-lock & ref code is factored out to
snd_pcm_stream_group_ref() function, for example.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-23 07:25:08 +01:00
Takashi Iwai
7df5a5f66b ALSA: pcm: Avoid confusing loop in snd_pcm_unlink()
The snd_pcm_group_for_each_entry() loop found in snd_pcm_unlink() is
only for taking the first list entry.  Use list_first_entry() to make
clearer.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-21 16:40:19 +01:00
Takashi Iwai
a41c4cb913 ALSA: pcm: Make PCM linked list consistent while re-grouping
Make a common helper to re-assign the PCM link using list_move() instead
of open code with manual list_del() and list_add_tail().  This assures
the consistency and we can get rid of snd_pcm_group.count field -- its
purpose is only to check whether the list is singular, and we can know
it by list_is_singular() call now.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2019-01-21 16:39:54 +01:00