| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently kill_fasync() is called outside the stream lock in
snd_pcm_period_elapsed(). This is potentially racy, since the stream
may get released even during the irq handler is running. Although
snd_pcm_release_substream() calls snd_pcm_drop(), this doesn't
guarantee that the irq handler finishes, thus the kill_fasync() call
outside the stream spin lock may be invoked after the substream is
detached, as recently reported by KASAN.
As a quick workaround, move kill_fasync() call inside the stream
lock. The fasync is rarely used interface, so this shouldn't have a
big impact from the performance POV.
Ideally, we should implement some sync mechanism for the proper finish
of stream and irq handler. But this oneliner should suffice for most
cases, so far.
Change-Id: Iaebf87120a34e16bd0b259b2cf661aad6b2cc388
Reported-by: Baozeng Ding <sploving1@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
snd_usb_add_audio_stream() call
commit 836b34a935abc91e13e63053d0a83b24dfb5ea78 upstream.
create_fixed_stream_quirk(), snd_usb_parse_audio_interface() and
create_uaxx_quirk() functions allocate the audioformat object by themselves
and free it upon error before returning. However, once the object is linked
to a stream, it's freed again in snd_usb_audio_pcm_free(), thus it'll be
double-freed, eventually resulting in a memory corruption.
This patch fixes these failures in the error paths by unlinking the audioformat
object before freeing it.
Based on a patch by Takashi Iwai <tiwai@suse.de>
[Note for stable backports:
this patch requires the commit 902eb7fd1e4a ('ALSA: usb-audio: Minor
code cleanup in create_fixed_stream_quirk()')]
Change-Id: Ia332409f06bbd20c0abf9cf915f4a041200e4736
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1283358
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
|
|
|
|
|
|
|
|
|
|
| |
commit 902eb7fd1e4af3ac69b9b30f8373f118c92b9729 upstream.
Just a minor code cleanup: unify the error paths.
Change-Id: Idbac50c4d1602ea3b075c747a716cc6eab905b52
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
commit 0f886ca12765d20124bd06291c82951fd49a33be upstream.
create_fixed_stream_quirk() may cause a NULL-pointer dereference by
accessing the non-existing endpoint when a USB device with a malformed
USB descriptor is used.
This patch avoids it simply by adding a sanity check of bNumEndpoints
before the accesses.
Change-Id: I94025f3eec256347b50805b388940774e559dae2
Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=971125
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.2:
- There's no altsd variable
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(cherry pick from commit 82262a46627bebb0febcc26664746c25cef08563)
There are two issues with the current implementation for replacing user
controls. The first is that the code does not check if the control is actually a
user control and neither does it check if the control is owned by the process
that tries to remove it. That allows userspace applications to remove arbitrary
controls, which can cause a user after free if a for example a driver does not
expect a control to be removed from under its feed.
The second issue is that on one hand when a control is replaced the
user_ctl_count limit is not checked and on the other hand the user_ctl_count is
increased (even though the number of user controls does not change). This allows
userspace, once the user_ctl_count limit as been reached, to repeatedly replace
a control until user_ctl_count overflows. Once that happens new controls can be
added effectively bypassing the user_ctl_count limit.
Both issues can be fixed by instead of open-coding the removal of the control
that is to be replaced to use snd_ctl_remove_user_ctl(). This function does
proper permission checks as well as decrements user_ctl_count after the control
has been removed.
Note that by using snd_ctl_remove_user_ctl() the check which returns -EBUSY at
beginning of the function if the control already exists is removed. This is not
a problem though since the check is quite useless, because the lock that is
protecting the control list is released between the check and before adding the
new control to the list, which means that it is possible that a different
control with the same settings is added to the list after the check. Luckily
there is another check that is done while holding the lock in snd_ctl_add(), so
we'll rely on that to make sure that the same control is not added twice.
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Acked-by: Jaroslav Kysela <perex@perex.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Change-Id: I0b183e2d52afe8e747f59e1ecca6f6fbbac2d016
Bug: 29916012
|
|
|
|
|
|
|
|
|
|
| |
The stack object “r1” has a total size of 32 bytes. Its field
“event” and “val” both contain 4 bytes padding. These 8 bytes
padding bytes are sent to user without being initialized.
Change-Id: Ie3dcdee7da8ad292712814e8402c571a717ab8d1
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
|
|
|
|
|
|
|
|
| |
The stack object “r1” has a total size of 32 bytes. Its field
“event” and “val” both contain 4 bytes padding. These 8 bytes
padding bytes are sent to user without being initialized.
Change-Id: I5ece63432f6ca6251fa31c046c211c8c03313a59
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
|
|
|
|
|
|
|
|
| |
The stack object “tread” has a total size of 32 bytes. Its field
“event” and “val” both contain 4 bytes padding. These 8 bytes
padding bytes are sent to user without being initialized.
Change-Id: Ibf2868136a538eed0f2e75395a5f14a8608dd86d
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
hrtimer_cancel() waits for the completion from the callback, thus it
must not be called inside the callback itself. This was already a
problem in the past with ALSA hrtimer driver, and the early commit
[fcfdebe70759: ALSA: hrtimer - Fix lock-up] tried to address it.
However, the previous fix is still insufficient: it may still cause a
lockup when the ALSA timer instance reprograms itself in its callback.
Then it invokes the start function even in snd_timer_interrupt() that
is called in hrtimer callback itself, results in a CPU stall. This is
no hypothetical problem but actually triggered by syzkaller fuzzer.
This patch tries to fix the issue again. Now we call
hrtimer_try_to_cancel() at both start and stop functions so that it
won't fall into a deadlock, yet giving some chance to cancel the queue
if the functions have been called outside the callback. The proper
hrtimer_cancel() is called in anyway at closing, so this should be
enough.
Change-Id: Id6224b2a3ade0d217e891e6af09744df4d0b2e5c
Reported-and-tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A slave timer instance might be still accessible in a racy way while
operating the master instance as it lacks of locking. Since the
master operation is mostly protected with timer->lock, we should cope
with it while changing the slave instance, too. Also, some linked
lists (active_list and ack_list) of slave instances aren't unlinked
immediately at stopping or closing, and this may lead to unexpected
accesses.
This patch tries to address these issues. It adds spin lock of
timer->lock (either from master or slave, which is equivalent) in a
few places. For avoiding a deadlock, we ensure that the global
slave_active_lock is always locked at first before each timer lock.
Also, ack and active_list of slave instances are properly unlinked at
snd_timer_stop() and snd_timer_close().
Last but not least, remove the superfluous call of _snd_timer_stop()
at removing slave links. This is a noop, and calling it may confuse
readers wrt locking. Further cleanup will follow in a later patch.
Actually we've got reports of use-after-free by syzkaller fuzzer, and
this hopefully fixes these issues.
Change-Id: I572878b909dda522dbedc84633414185802bc974
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ALSA timer ioctls have an open race and this may lead to a
use-after-free of timer instance object. A simplistic fix is to make
each ioctl exclusive. We have already tread_sem for controlling the
tread, and extend this as a global mutex to be applied to each ioctl.
The downside is, of course, the worse concurrency. But these ioctls
aren't to be parallel accessible, in anyway, so it should be fine to
serialize there.
Change-Id: Iaa21b00f62e02cc58e346a29846e0fce6536e860
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ALSA timer instance object has a couple of linked lists and they are
unlinked unconditionally at snd_timer_stop(). Meanwhile
snd_timer_interrupt() unlinks it, but it calls list_del() which leaves
the element list itself unchanged. This ends up with unlinking twice,
and it was caught by syzkaller fuzzer.
The fix is to use list_del_init() variant properly there, too.
Change-Id: I95e2ab06180dfe43fb6b7c2875a866b53ca245ce
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The 'umidi' object will be free'd on the error path by snd_usbmidi_free()
when tearing down the rawmidi interface. So we shouldn't try to free it
in snd_usbmidi_create() after having registered the rawmidi interface.
Found by KASAN.
Change-Id: I8534867beeac111370017ef246adc17e23e1a3b1
Signed-off-by: Andrey Konovalov <andreyknvl@gmail.com>
Acked-by: Clemens Ladisch <clemens@ladisch.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
| |
|
| |
|
|
|
|
|
|
| |
channels" for espresso
This reverts commit 3b6ae1807d29f8cacd63fddf513110f9308b4c8e.
|
| |
|
|
|
|
|
|
|
|
| |
Add a bunch of definitions for wm8994 registers that are not currently
used by software.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Acked-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
|
|
|
|
|
|
| |
Since AIF3 shares clock signals with other audio interfaces in order to
ensure it doesn't drive undesirable clocks we need to tristate it. Rather
than forcing the machine driver to do so have the driver do this.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rather than trying to work around machine drivers which try to reprogram
the FLL while it is providing SYSCLK just return an error if they try.
This will avoid audio glitches during FLL reconfiguration, or at least
move the introduction of the glitches to the machine driver.
Since disabling the source for an active SYSCLK is not supported in the
first place systems shouldn't be doing this in the first place.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
|
|
|
|
|
|
|
|
| |
Rather than invalidating the cached DCS value every time the headphone
gain changes store multiple values, indexed by gain. This allows the
optimisation we get from the cache to take effect more often.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Class W can be used for any path where only data from the DAC is routed
to the headphones. Currently we only enable it when the direct DAC to
headphone path is used but it can also be enabled for paths that go via
the output mixer providing the DAC is the only input to the output mixer.
Implement support for this, including updates to the class W status when
the output mixer configuration is changed. This also allows us to enable
the DC servo optimisations for DAC to headphone paths where the output
mixer is used.
In general the direct DAC path is still preferred as this will offer
better performance on most wm_hubs devices but these additional paths
can simplify use case management.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since the analogue portions of the checks for class W are the same over
all the devices factor out these checks into wm_hubs and while we're at
it also use wm_hubs_dac_hp_direct() to enable class W optimisations on
more paths.
Change-Id: If7ec8c909e6608fcc58563b6607efb77f6a6ab68
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Conflicts:
sound/soc/codecs/wm8993.c
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The optimisations which we can do with caching the headphone DCS result in
wm_hubs have only been enabled in cases where class W is enabled. However,
there are more use cases which can benefit from the cache, especially with
WM8994 series devices with their more advanced digital routing.
Rather than keying off the class W information from the CODECs have a
check in wm_hubs for a suitable path and use that to determine if we can
deploy our headphone optimisations.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
|
|
|
|
|
|
|
| |
Later WM8994 class devices can bypass the FLL from BCLK. Do this
automatically when the FLL input and output frequencies match up.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
|
|
|
|
|
|
|
| |
The WM1811 DC servo is able to run much faster than previous devices so
the benefit of skipping calibration is not useful.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
|
|
|
|
|
|
| |
It can just be enabled all the time with no impact.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
commit bfd37bb5f681961e255fd2f346c20fdae2ef3f27 upstream.
Volume updates may not be acted upon if there is no clock applied when
the volume update is written. Ensure this doesn't happen by writing out
registers with volume updates after we enable each of the clocks.
There are more registers updated than before as previously we were
relying on wm_hubs to set those for controls it manages.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
| |
commit c8fdc1b56611faa7b38eab6b99da5e20113661ff upstream.
Ensure that all the actions get taken at appropriate times by calling the
_PRE and _POST events for the aifNclk_ev functions explicitly.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
|
|
|
| |
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Cc: stable@vger.kernel.org
|
|
|
|
|
|
|
|
| |
This ensures a clean startup of the channels, without this change some
use cases could result in issues in a small proportion of cases.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Cc: stable@vger.kernel.org
|
|
|
|
|
|
|
| |
Based on latest production information.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Cc: stable@vger.kernel.org
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The optimal management of VMID depends on a number of factors which vary
dynamically at runtime, for example the connection to a system docking
station. In some circumstances it is desirable to keep VMID enabled all
the time, in others it is desirable to aggressively power it up and down.
Provide a callback allowing machine driver to configure either the normal
power up/down mode (WM8994_VMID_MODE_NORMAL) or to maintain VMID even
when idle (WM8994_VMID_MODE_FORCE). This callback, wm8994_vmid_mode(),
should be called with the CODEC lock.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
|
|
|
|
| |
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently we can the accdet mutex from within DAPM when updating the device
state which means we take accdet then the CODEC mutex but we also do the
locking the other way around when responding to the jackdet IRQ. Move all
the jackdet use of the CODEC mutex out of the accdet lock to avoid this.
Since all the DAPM interactions depend only on a single threaded IRQ this
is still serialised.
The locking improvements in 3.5 allow a better solution there.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
|
|
|
|
|
|
|
| |
When we are out of system sleep always use audio mode for jack detection
in order to avoid potential performance issues handing off between modes.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
|
|
|
|
|
|
|
| |
Push everything through one function for active use cases, should be
no practical effect.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
|
|
|
|
|
|
| |
If we're not doing jackdet it's not needed.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
|
|
|
|
| |
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
|
|
|
|
|
|
|
|
| |
Normally this will have no effect as we set detection up at system startup
before DAPM syncs take effect, this will only be useful if the system
enables and disables detection at runtime.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
|
|
|
|
|
|
|
| |
Using snd_soc_write() means we always write to the register even if it
already contains the newly calculated value.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
|
|
|
|
|
|
|
| |
Don't debounce jack detection for inserted jacks, giving improved
responsiveness.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
|
|
|
|
| |
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
|
|
|
|
|
|
| |
Allows the generic code to set up for that.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
|
|
|
|
|
|
|
|
|
|
|
| |
When an external capacitor is connected to MICBIAS2 on devices with
jack detection (which is not required but may be done in some systems)
then the loading may mean that better performance is obtained when
the microphone bias is enabled normally rather than using the low power
mode. Provide platform data allowing systems to indicate if they require
this.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
|
|
|
|
|
|
|
| |
This minimises the chance of any external capacitors that are fitted
being discharged into headphones as they insert.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
|
|
|
|
|
|
| |
The latest recommendation for optimal performance.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
|
|
|
|
|
|
| |
Should have no practical impact but it's safer than trying to soldier on.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
|
|
|
|
|
|
|
| |
Mostly for neatness, though it may help with sequencing in some
situations.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
|
|
|
|
|
|
| |
Reduces the amount of time taken to stabilise them.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
|