Currently we have neither proper check nor protection against the
concurrent calls of PCM hw_params and hw_free ioctls, which may result
in a UAF. Since the existing PCM stream lock can't be used for
protecting the whole ioctl operations, we need a new mutex to protect
those racy calls.
This patch introduced a new mutex, runtime->buffer_mutex, and applies
it to both hw_params and hw_free ioctl code paths. Along with it, the
both functions are slightly modified (the mmap_count check is moved
into the state-check block) for code simplicity.
Reported-by: Hu Jiahui <kirin.say@gmail.com>
Cc: <stable@vger.kernel.org>
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Link: https://lore.kernel.org/r/20220322170720.3529-2-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
ASoC: Updates for v5.18
Quite a quiet release for ASoC, lots of work on drivers and platforms
but nothing too groundbreaking but not much on the core itself:
- Start of moving SoF to support multiple IPC mechanisms.
- Use of NHLT ACPI table to reduce the amount of quirking required for
Intel systems.
- Some building blocks for use in forthcoming Intel AVS driver for
legacy Intel DSP firmwares.
- Support for AMD PDM, Atmel PDMC, Awinic AW8738, i.MX cards with
TLV320AIC31xx, Intel machines with CS35L41 and ESSX8336, Mediatek
MT8181 wideband bluetooth, nVidia Tegra234, Qualcomm SC7280, Renesas
RZ/V2L, Texas Instruments TAS585M
Merge series from Ranjani Sridharan <ranjani.sridharan@linux.intel.com>:
This series is a continuation to the SOF IPC abstraction work to support
the new IPC version introduced in the SOF firmware. It makes the top-level
control IO, PCM and PM code IPC-agnostic. Other than the first patch,
the rest are purely for abstraction and include no changes in
functionality.
Add 3 new topology IPC ops for widget_setup, widget_free and dai_config
in order to make the pipeline management code IPC agnostic and implement
the ops for IPC3.
Use the newly introduced tplg dai_config op to configure the DAI during
BE DAI hw_params and hw_free.
Also, in preparation for IPC4, modify BE hw_params callback to skip
setting up the DAI widget. All widgets will be set up during FW
hw_params and the DAI_CONFIG IPC should be sent only if the widget
use_count is > 0. With setting up/freeing removed from the BE hw_params,
remove the configured flag as it is no longer needed.
Signed-off-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Link: https://lore.kernel.org/r/20220317175044.1752400-3-ranjani.sridharan@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
When the parameter changes fails, we don't need to keep the old
temporary buffers. Release those (and plugin instances) upon errors
for reducing dead memory footprint. Since we always call it at the
exit of snd_pcm_oss_changes_params_locked(), the explicit calls of
snd_pcm_oss_plugin_clear() can be dropped, too.
Along with it, unify the buffer-free calls to a single helper and call
it from the needed places.
Link: https://lore.kernel.org/r/20220318082157.29769-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
We've got syzbot reports hitting INT_MAX overflow at vmalloc()
allocation that is called from snd_pcm_plug_alloc(). Although we
apply the restrictions to input parameters, it's based only on the
hw_params of the underlying PCM device. Since the PCM OSS layer
allocates a temporary buffer for the data conversion, the size may
become unexpectedly large when more channels or higher rates is given;
in the reported case, it went over INT_MAX, hence it hits WARN_ON().
This patch is an attempt to avoid such an overflow and an allocation
for too large buffers. First off, it adds the limit of 1MB as the
upper bound for period bytes. This must be large enough for all use
cases, and we really don't want to handle a larger temporary buffer
than this size. The size check is performed at two places, where the
original period bytes is calculated and where the plugin buffer size
is calculated.
In addition, the driver uses array_size() and array3_size() for
multiplications to catch overflows for the converted period size and
buffer bytes.
Reported-by: syzbot+72732c532ac1454eeee9@syzkaller.appspotmail.com
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/00000000000085b1b305da5a66f3@google.com
Link: https://lore.kernel.org/r/20220318082036.29699-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Commit 07bcab9394 ("ALSA: hda/realtek: Add support for HP Laptops")
breaks mute and micmute LEDs because it changed the LED quirk from
ALC285_FIXUP_HP_GPIO_LED to ALC245_FIXUP_HP_GPIO_LED, so change it back
here.
Also reorder the chain of quirks to ensure LED quirk is the last one
being applied.
Fixes: 07bcab9394 ("ALSA: hda/realtek: Add support for HP Laptops")
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Link: https://lore.kernel.org/r/20220317221134.566358-1-kai.heng.feng@canonical.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
There are some new registers added on i.MX8ULP, they are
the SPDIF transmit Professional C channel registers,
192bit SPDIF receive C channel registers, and 192bit SPDIF
transmit C channel registers.
There are two output lines, SPDIF_OUT1 and SPDIF_OUT2, the
original REG_SPDIF_STCSCH and REG_SPDIF_STCSCL are used for
SPDIF_OUT1, the new REG_SPDIF_STCSPH and REG_SPDIF_STCSPL
are used for SPDIF_OUT2, the 192bit SPDIF C channel registers
are used for both.
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://lore.kernel.org/r/1647408538-2982-1-git-send-email-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Merge series from Ranjani Sridharan <ranjani.sridharan@linux.intel.com>:
This patchset makes the topology parsing layer in the SOF driver
IPC-agnostic in preparation for supporting the new IPC version
introduced in the SOF firmware. These patches purely contain abstraction
changes for the current IPC version (IPC3) supported and do not introduce
any functional changes.
PCM buffers might be allocated dynamically when the buffer
preallocation failed or a larger buffer is requested, and it's not
guaranteed that substream->dma_buffer points to the actually used
buffer. The driver needs to refer to substream->runtime->dma_addr
instead for the buffer address.
Fixes: cab396d8b2 ("ASoC: amd: add ACP5x pcm dma driver ops")
Signed-off-by: Meng Tang <tangmeng@uniontech.com>
Link: https://lore.kernel.org/r/20220316091303.9745-1-tangmeng@uniontech.com
Signed-off-by: Mark Brown <broonie@kernel.org>
The device_node pointer is returned by of_parse_phandle() with refcount
incremented. We should use of_node_put() on it when done.
This function only calls of_node_put() in the regular path.
And it will cause refcount leak in error path.
Fixes: 082482a502 ("ASoC: mediatek: mt8195: release device_node after snd_soc_register_card")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Link: https://lore.kernel.org/r/20220316084623.24238-1-linmq006@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
The device_node pointer is returned by of_parse_phandle() with refcount
incremented. We should use of_node_put() on it when done.
This function only calls of_node_put() in the regular path.
And it will cause refcount leak in error paths.
Fix this by calling of_node_put() in error handling too.
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Reviewed-by: Tzung-Bi Shih <tzungbi@kernel.org>
Link: https://lore.kernel.org/r/20220316014059.19292-1-linmq006@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
pm_runtime_get_sync will increment pm usage counter
even it failed. Forgetting to putting operation will
result in reference leak here. We fix it by replacing
it with pm_runtime_resume_and_get to keep usage counter
balanced.
Fixes:081068fd64140 ("ASoC: rockchip: add support for i2s-tdm controller")
Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
Link: https://lore.kernel.org/r/20220315025415.2593762-1-zhangqilong3@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
