linux-toradex.git/sound/core/seq/seq_fifo.c, branch v4.4.73 Linux kernel for Apalis and Colibri modules ALSA: seq: Fix race during FIFO resize 2017-04-08T07:53:31+00:00 Takashi Iwai tiwai@suse.de 2017-03-24T16:07:57+00:00 a90d7447e4a154ad26e3b9e09a0878680be49339 commit 2d7d54002e396c180db0c800c1046f0a3c471597 upstream. When a new event is queued while processing to resize the FIFO in snd_seq_fifo_clear(), it may lead to a use-after-free, as the old pool that is being queued gets removed. For avoiding this race, we need to close the pool to be deleted and sync its usage before actually deleting it. The issue was spotted by syzkaller. Reported-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 2d7d54002e396c180db0c800c1046f0a3c471597 upstream.

When a new event is queued while processing to resize the FIFO in
snd_seq_fifo_clear(), it may lead to a use-after-free, as the old pool
that is being queued gets removed.  For avoiding this race, we need to
close the pool to be deleted and sync its usage before actually
deleting it.

The issue was spotted by syzkaller.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
ALSA: seq: Fix racy cell insertions during snd_seq_pool_done() 2017-03-30T07:35:15+00:00 Takashi Iwai tiwai@suse.de 2017-03-21T12:56:04+00:00 b55ffcb1bc8a9c40db928f568ef61016ac681c29 commit c520ff3d03f0b5db7146d9beed6373ad5d2a5e0e upstream. When snd_seq_pool_done() is called, it marks the closing flag to refuse the further cell insertions. But snd_seq_pool_done() itself doesn't clear the cells but just waits until all cells are cleared by the caller side. That is, it's racy, and this leads to the endless stall as syzkaller spotted. This patch addresses the racy by splitting the setup of pool->closing flag out of snd_seq_pool_done(), and calling it properly before snd_seq_pool_done(). BugLink: http://lkml.kernel.org/r/CACT4Y+aqqy8bZA1fFieifNxR2fAfFQQABcBHj801+u5ePV0URw@mail.gmail.com Reported-and-tested-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit c520ff3d03f0b5db7146d9beed6373ad5d2a5e0e upstream.

When snd_seq_pool_done() is called, it marks the closing flag to
refuse the further cell insertions.  But snd_seq_pool_done() itself
doesn't clear the cells but just waits until all cells are cleared by
the caller side.  That is, it's racy, and this leads to the endless
stall as syzkaller spotted.

This patch addresses the racy by splitting the setup of pool->closing
flag out of snd_seq_pool_done(), and calling it properly before
snd_seq_pool_done().

BugLink: http://lkml.kernel.org/r/CACT4Y+aqqy8bZA1fFieifNxR2fAfFQQABcBHj801+u5ePV0URw@mail.gmail.com
Reported-and-tested-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
ALSA: seq: Fix link corruption by event error handling 2017-03-12T05:37:25+00:00 Takashi Iwai tiwai@suse.de 2017-02-28T21:15:51+00:00 003aa343724f29f8cc6a6ea3b3df5fbf2c13616a commit f3ac9f737603da80c2da3e84b89e74429836bb6d upstream. The sequencer FIFO management has a bug that may lead to a corruption (shortage) of the cell linked list. When a sequencer client faces an error at the event delivery, it tries to put back the dequeued cell. When the first queue was put back, this forgot the tail pointer tracking, and the link will be screwed up. Although there is no memory corruption, the sequencer client may stall forever at exit while flushing the pending FIFO cells in snd_seq_pool_done(), as spotted by syzkaller. This patch addresses the missing tail pointer tracking at snd_seq_fifo_cell_putback(). Also the patch makes sure to clear the cell->enxt pointer at snd_seq_fifo_event_in() for avoiding a similar mess-up of the FIFO linked list. Reported-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit f3ac9f737603da80c2da3e84b89e74429836bb6d upstream.

The sequencer FIFO management has a bug that may lead to a corruption
(shortage) of the cell linked list.  When a sequencer client faces an
error at the event delivery, it tries to put back the dequeued cell.
When the first queue was put back, this forgot the tail pointer
tracking, and the link will be screwed up.

Although there is no memory corruption, the sequencer client may stall
forever at exit while flushing the pending FIFO cells in
snd_seq_pool_done(), as spotted by syzkaller.

This patch addresses the missing tail pointer tracking at
snd_seq_fifo_cell_putback().  Also the patch makes sure to clear the
cell->enxt pointer at snd_seq_fifo_event_in() for avoiding a similar
mess-up of the FIFO linked list.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
ALSA: seq: Drop superfluous error/debug messages after malloc failures 2015-03-10T14:41:18+00:00 Takashi Iwai tiwai@suse.de 2015-03-10T14:41:18+00:00 24db8bbaa3fcfaf0c2faccbff5864b58088ac1f6 The kernel memory allocators already report the errors when the requested allocation fails, thus we don't need to warn it again in each caller side. Signed-off-by: Takashi Iwai <tiwai@suse.de> 
The kernel memory allocators already report the errors when the
requested allocation fails, thus we don't need to warn it again in
each caller side.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
ALSA: seq: correctly detect input buffer overflow 2014-06-04T05:12:12+00:00 Adam Goode agoode@google.com 2014-06-04T05:02:51+00:00 21fd3e956ee8a307a06bc6e095f5767a00eb2a7e snd_seq_event_dup returns -ENOMEM in some buffer-full conditions, but usually returns -EAGAIN. Make -EAGAIN trigger the overflow condition in snd_seq_fifo_event_in so that the fifo is cleared and -ENOSPC is returned to userspace as stated in the alsa-lib docs. Signed-off-by: Adam Goode <agoode@google.com> Signed-off-by: Takashi Iwai <tiwai@suse.de> 
snd_seq_event_dup returns -ENOMEM in some buffer-full conditions,
but usually returns -EAGAIN. Make -EAGAIN trigger the overflow
condition in snd_seq_fifo_event_in so that the fifo is cleared
and -ENOSPC is returned to userspace as stated in the alsa-lib docs.

Signed-off-by: Adam Goode <agoode@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
ALSA: seq: Use standard printk helpers 2014-02-14T07:14:18+00:00 Takashi Iwai tiwai@suse.de 2014-02-04T17:24:34+00:00 04cc79a048ee215ec39af05d61f1fc8a4ab3d8c1 Use the standard pr_xxx() helpers instead of home-baked snd_print*(). Signed-off-by: Takashi Iwai <tiwai@suse.de> 
Use the standard pr_xxx() helpers instead of home-baked snd_print*().

Signed-off-by: Takashi Iwai <tiwai@suse.de>
ALSA: Kill snd_assert() in sound/core/* 2008-08-13T09:46:35+00:00 Takashi Iwai tiwai@suse.de 2008-08-08T15:09:09+00:00 7eaa943c8ed8e91e05d0f5d0dc7a18e3319b45cf Kill snd_assert() in sound/core/*, either removed or replaced with if () with snd_BUG_ON(). Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Jaroslav Kysela <perex@perex.cz> 
Kill snd_assert() in sound/core/*, either removed or replaced with
if () with snd_BUG_ON().

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
[ALSA] Remove sound/driver.h 2008-01-31T16:29:48+00:00 Takashi Iwai tiwai@suse.de 2008-01-08T17:13:27+00:00 9004acc70e8c49c50c4c7b652f906f1e0ed5709d This header file exists only for some hacks to adapt alsa-driver tree. It's useless for building in the kernel. Let's move a few lines in it to sound/core.h and remove it. With this patch, sound/driver.h isn't removed but has just a single compile warning to include it. This should be really killed in future. Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Jaroslav Kysela <perex@perex.cz> 
This header file exists only for some hacks to adapt alsa-driver
tree.  It's useless for building in the kernel.  Let's move a few
lines in it to sound/core.h and remove it.
With this patch, sound/driver.h isn't removed but has just a single
compile warning to include it.  This should be really killed in
future.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
[ALSA] Remove xxx_t typedefs: Sequencer 2006-01-03T11:17:52+00:00 Takashi Iwai tiwai@suse.de 2005-11-17T13:04:02+00:00 c7e0b5bf9fff1b726495081447c107a2333fb82c Modules: ALSA sequencer Remove xxx_t typedefs from the core sequencer codes. Signed-off-by: Takashi Iwai <tiwai@suse.de> 
Modules: ALSA sequencer

Remove xxx_t typedefs from the core sequencer codes.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
[ALSA] Replace with kzalloc() - seq stuff 2005-09-12T08:48:06+00:00 Takashi Iwai tiwai@suse.de 2005-09-09T12:20:49+00:00 ecca82b4b447f8df73c807a018dac3e2863912d9 ALSA sequencer,Instrument layer,ALSA<-OSS sequencer Replace kcalloc(1,..) with kzalloc(). Signed-off-by: Takashi Iwai <tiwai@suse.de> 
ALSA sequencer,Instrument layer,ALSA<-OSS sequencer
Replace kcalloc(1,..) with kzalloc().

Signed-off-by: Takashi Iwai <tiwai@suse.de>