| Age | Commit message (Collapse) | Author |
|---|
|
commit 1f8763c59c4ec6254d629fe77c0a52220bd907aa upstream.
John Keeping reported and posted a patch for a potential UAF in
rawmidi sequencer destruction: the snd_rawmidi_dev_seq_free() may be
called after the associated rawmidi object got already freed.
After a deeper look, it turned out that the bug is rather the
incorrect private_free call order for a snd_seq_device. The
snd_seq_device private_free gets called at the release callback of the
sequencer device object, while this was rather expected to be executed
at the snd_device call chains that runs at the beginning of the whole
card-free procedure. It's been broken since the rewrite of
sequencer-device binding (although it hasn't surfaced because the
sequencer device release happens usually right along with the card
device release).
This patch corrects the private_free call to be done in the right
place, at snd_seq_device_dev_free().
Fixes: 7c37ae5c625a ("ALSA: seq: Rewrite sequencer device binding with standard bus")
Reported-and-tested-by: John Keeping <john@metanate.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210930114114.8645-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
commit fc27fe7e8deef2f37cba3f2be2d52b6ca5eb9d57 upstream.
ALSA sequencer core has a mechanism to load the enumerated devices
automatically, and it's performed in an off-load work. This seems
causing some race when a sequencer is removed while the pending
autoload work is running. As syzkaller spotted, it may lead to some
use-after-free:
BUG: KASAN: use-after-free in snd_rawmidi_dev_seq_free+0x69/0x70
sound/core/rawmidi.c:1617
Write of size 8 at addr ffff88006c611d90 by task kworker/2:1/567
CPU: 2 PID: 567 Comm: kworker/2:1 Not tainted 4.13.0+ #29
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: events autoload_drivers
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x192/0x22c lib/dump_stack.c:52
print_address_description+0x78/0x280 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x230/0x340 mm/kasan/report.c:409
__asan_report_store8_noabort+0x1c/0x20 mm/kasan/report.c:435
snd_rawmidi_dev_seq_free+0x69/0x70 sound/core/rawmidi.c:1617
snd_seq_dev_release+0x4f/0x70 sound/core/seq_device.c:192
device_release+0x13f/0x210 drivers/base/core.c:814
kobject_cleanup lib/kobject.c:648 [inline]
kobject_release lib/kobject.c:677 [inline]
kref_put include/linux/kref.h:70 [inline]
kobject_put+0x145/0x240 lib/kobject.c:694
put_device+0x25/0x30 drivers/base/core.c:1799
klist_devices_put+0x36/0x40 drivers/base/bus.c:827
klist_next+0x264/0x4a0 lib/klist.c:403
next_device drivers/base/bus.c:270 [inline]
bus_for_each_dev+0x17e/0x210 drivers/base/bus.c:312
autoload_drivers+0x3b/0x50 sound/core/seq_device.c:117
process_one_work+0x9fb/0x1570 kernel/workqueue.c:2097
worker_thread+0x1e4/0x1350 kernel/workqueue.c:2231
kthread+0x324/0x3f0 kernel/kthread.c:231
ret_from_fork+0x25/0x30 arch/x86/entry/entry_64.S:425
The fix is simply to assure canceling the autoload work at removing
the device.
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
There are a few leftover CONFIG_PROC_FS forgotten to replace with
CONFIG_SND_PROC_FS.
Fixes: cd6a65036f0e ('ALSA: replace CONFIG_PROC_FS with CONFIG_SND_PROC_FS')
Reported-by: Jim Davis <jim.epost@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
We may disable proc fs only for sound part, to reduce ALSA
memory footprint. So add CONFIG_SND_PROC_FS and replace the
old CONFIG_PROC_FSs in alsa code.
With sound proc fs disabled, we can save about 9KB memory
size on X86_64 platform.
Signed-off-by: Jie Yang <yang.jie@intel.com>
Reviewed-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
When the sequencer driver is built in kernel, it may panic at boot
because of the uninitialized snd_seq_bus_type. Initialize it properly
via subsys_initcall() instead of module_init() to assure that the bus
is registered beforehand.
Reported-by: Fengguang Wu <fengguang.wu@intel.com>
Fixes: 7c37ae5c625a ('ALSA: seq: Rewrite sequencer device binding with standard bus')
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
The autoload lock became already superfluous due to the recent rework
of autoload code. Let's drop them now. This allows us to simplify a
few codes nicely.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
This patch moves the driver object initialization and allocation to
each driver's module init/exit code like other normal drivers. The
snd_seq_driver struct is now published in seq_device.h, and each
driver is responsible to define it with proper driver attributes
(name, probe and remove) with snd_seq_driver specific attributes as id
and argsize fields. The helper functions snd_seq_driver_register(),
snd_seq_driver_unregister() and module_snd_seq_driver() are used for
simplifying codes.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Use const string pointer instead of copying the id string to each
object. Also drop the status and list fields of snd_seq_device struct
that are no longer used.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
We've used the old house-made code for binding the sequencer device
and driver. This can be far better implemented with the standard
bus nowadays.
This patch refactors the whole sequencer binding code with the bus
/sys/bus/snd_seq. The devices appear as id-card-device on this bus
and are bound with the drivers corresponding to the given id like the
former implementation. The module autoload is also kept like before.
There is no change in API functions by this patch, and almost all
transitions are kept inside seq_device.c. The proc file output will
change slightly but kept compatible as much as possible.
Further integration works will follow in later patches.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
... to follow the standard coding style.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Since we're calling request_module() asynchronously now, we can get
rid of the autoload lock in snd_seq_device_register_driver(), as well
as in the snd-seq driver registration itself. This enables the
automatic loading of dependent sequencer modules, such as
snd-seq-virmidi from snd-emu10k1-synth.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Currently the sequencer module binding is performed independently from
the card module itself. The reason behind it is to keep the sequencer
stuff optional and allow the system running without it (e.g. for using
PCM or rawmidi only). This works in most cases, but a remaining
problem is that the binding isn't done automatically when a new driver
module is probed. Typically this becomes visible when a hotplug
driver like usb audio is used.
This patch tries to address this and other potential issues. First,
the seq-binder (seq_device.c) tries to load a missing driver module at
creating a new device object. This is done asynchronously in a workq
for avoiding the deadlock (modprobe call in module init path).
This action, however, should be enabled only when the sequencer stuff
was already initialized, i.e. snd-seq module was already loaded. For
that, a new function, snd_seq_autoload_init() is introduced here; this
clears the blocking of autoloading, and also tries to load all pending
driver modules.
Reported-by: Adam Goode <agoode@chromium.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
... just to robustify for races.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Use the standard pr_xxx() helpers instead of home-baked snd_print*().
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Use dev_err() & co as much as possible. If not available (no device
assigned at the calling point), use pr_xxx() helpers instead.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Some comments misspell "registered"; this fixes them. No code changes.
Signed-off-by: Adam Buchbinder <adam.buchbinder@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
The new LTO EXPORT_SYMBOL references symbols even without CONFIG_MODULES.
Since these functions are macros in this case this doesn't work.
Add a ifdef to fix the build.
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Lots of sound drivers were getting module.h via the implicit presence
of it in <linux/device.h> but we are going to clean that up. So
fix up those users now.
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
|
|
Kill snd_assert() in sound/core/*, either removed or replaced with
if () with snd_BUG_ON().
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
|
|
A bunch of things in alsa depend on CONFIG_KMOD,
use CONFIG_MODULES instead where the dependency
is needed at all.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
|
|
The sound drivers and the pnpbios core test for current->root != NULL. This
test seems to be unnecessary since we always have rootfs mounted before
initializing the drivers.
Signed-off-by: Jan Blunck <jblunck@suse.de>
Acked-by: Christoph Hellwig <hch@lst.de>
Cc: Bjorn Helgaas <bjorn.helgaas@hp.com>
Cc: Jaroslav Kysela <perex@suse.cz>
Acked-by: Takashi Iwai <tiwai@suse.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
This header file exists only for some hacks to adapt alsa-driver
tree. It's useless for building in the kernel. Let's move a few
lines in it to sound/core.h and remove it.
With this patch, sound/driver.h isn't removed but has just a single
compile warning to include it. This should be really killed in
future.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
|
|
This patch converts most uses of list_for_each to list_for_each_entry all
across alsa. In some place apparently an item can be on a list with
different pointers so of course that isn't compatible with list_for_each, I
therefore didn't touch those places.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
|
|
Orignally proposed by Sam Revitch <sam.revitch@gmail.com>.
Unregister device files at disconnection to avoid the futher accesses.
Also, the dev_unregister callback is removed and replaced with the
combination of disconnect + free.
A new function snd_card_free_when_closed() is introduced, which is
used in USB disconnect callback.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
|
|
- Add the linked list to each proc entry to enable a single-shot
disconnection (unregister)
- Deprecate snd_info_unregister(), use snd_info_free_entry()
- Removed NULL checks of snd_info_free_entry()
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
|
|
sound: Conversions from kmalloc+memset to k(c|z)alloc.
Signed-off-by: Panagiotis Issaris <takis@issaris.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
|
|
The ops structure has complex locking rules, where not all ops are equal, some
are subordinate on others for some complex sound cards. This requires for
lockdep checking that each individual reg_mutex is considered in separation
for its locking rules.
Has no effect on non-lockdep kernels.
Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Takashi Iwai <tiwai@suse.de>
Cc: Jaroslav Kysela <perex@suse.cz>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
Removed zero-initializations of static variables.
A tiny optimization.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Remove unneeded read/write_size fields in proc text ops.
snd_info_set_text_ops() is fixed, too.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Semaphore to mutex conversion.
The conversion was generated via scripts, and the result was validated
automatically via a script as well.
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Modules: ALSA<-OSS emulation,ALSA sequencer,ALSA<-OSS sequencer
Optimize the code when compiled without CONFIG_PROC_FS (in seq and oss
emulation parts).
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Modules: ALSA sequencer
Remove xxx_t typedefs from the core sequencer codes.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
ALSA sequencer,Instrument layer,ALSA<-OSS sequencer
Replace kcalloc(1,..) with kzalloc().
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Initial git repository build. I'm not bothering with the full history,
even though we have it. We can create a separate "historical" git
archive of that later if we want to, and in the meantime it's about
3.2GB when imported into git - space that would just make the early
git days unnecessarily complicated, when we don't have a lot of good
infrastructure for it.
Let it rip!
|
