1. 09 May, 2018 2 commits
  2. 28 Mar, 2018 2 commits
    • ALSA: aloop: Fix access to not-yet-ready substream via cable · 88079d33
      Takashi Iwai authored
      commit 8e6b1a72 upstream.
      
      In loopback_open() and loopback_close(), we assign and release the
      substream object to the corresponding cable in a racy way.  It's
      neither locked nor done in the right position.  The open callback
      assigns the substream before its preparation finishes, hence the other
      side of the cable may pick it up, which may lead to the invalid memory
      access.
      
      This patch addresses these: move the assignment to the end of the open
      callback, and wrap with cable->lock for avoiding concurrent accesses.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ALSA: aloop: Sync stale timer before release · 1fcbcfff
      Takashi Iwai authored
      commit 67a01afa upstream.
      
      The aloop driver tries to stop the pending timer via timer_del() in
      the trigger callback and in the close callback.  The former is
      correct, as it's an atomic operation, while the latter expects that
      the timer gets really removed and proceeds the resource releases after
      that.  But timer_del() doesn't synchronize, hence the running timer
      may still access the released resources.
      
      A similar situation can be also seen in the prepare callback after
      trigger(STOP) where the prepare tries to re-initialize the things
      while a timer is still running.
      
      The problems like the above are seen indirectly in some syzkaller
      reports (although it's not 100% clear whether this is the only cause,
      as the race condition is quite narrow and not always easy to
      trigger).
      
      For addressing these issues, this patch adds the explicit calls of
      timer_del_sync() in some places, so that the pending timer is properly
      killed / synced.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  3. 17 Jan, 2018 3 commits
    • ALSA: aloop: Fix racy hw constraints adjustment · d2363bb2
      Takashi Iwai authored
      commit 898dfe46 upstream.
      
      The aloop driver tries to update the hw constraints of the connected
      target on the cable of the opened PCM substream.  This is done by
      adding the extra hw constraints rules referring to the substream
      runtime->hw fields, while the other substream may update the runtime
      hw of another side on the fly.
      
      This is, however, racy and may result in the inconsistent values when
      both PCM streams perform the prepare concurrently.  One of the reasons
      is that it overwrites the other's runtime->hw field; which is not only
      racy but also broken when it's called before the open of another side
      finishes.  And, since the reference to runtime->hw isn't protected,
      the concurrent write may give the partial value update and become
      inconsistent.
      
      This patch is an attempt to fix and clean up:
      - The prepare doesn't change the runtime->hw of other side any longer,
        but only update the cable->hw that is referred commonly.
      - The extra rules refer to the loopback_pcm object instead of the
        runtime->hw.  The actual hw is deduced from cable->hw.
      - The extra rules take the cable_lock to protect against the race.
      
      Fixes: b1c73fc8 ("ALSA: snd-aloop: Fix hw_params restrictions and checking")
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ALSA: aloop: Fix inconsistent format due to incomplete rule · 7ea0bfaa
      Takashi Iwai authored
      commit b088b53e upstream.
      
      The extra hw constraint rule for the formats the aloop driver
      introduced has a slight flaw, where it doesn't return a positive value
      when the mask got changed.  It came from the fact that it's basically
      a copy&paste from snd_hw_constraint_mask64().  The original code is
      supposed to be a single-shot and it modifies the mask bits only once
      and never after, while what we need for aloop is the dynamic hw rule
      that limits the mask bits.
      
      This difference results in the inconsistent state, as the hw_refine
      doesn't apply the dependencies fully.  The worse and surprising
      result is that it causes a crash in OSS emulation when multiple
      full-duplex reads/writes are performed concurrently (I leave why it
      triggers Oops to readers as a homework).
      
      For fixing this, replace a few open-codes with the standard
      snd_mask_*() macros.
      
      Reported-by: syzbot+3902b5220e8ca27889ca@syzkaller.appspotmail.com
      Fixes: b1c73fc8 ("ALSA: snd-aloop: Fix hw_params restrictions and checking")
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ALSA: aloop: Release cable upon open error path · cd32d7c4
      Takashi Iwai authored
      commit 9685347a upstream.
      
      The aloop runtime object and its assignment in the cable are left even
      when opening a substream fails.  This doesn't mean any memory leak,
      but it still keeps the invalid pointer that may be referred by the
      other side of the cable spontaneously, which is a potential Oops
      cause.
      
      Clean up the cable assignment and the empty cable upon the error path
      properly.
      
      Fixes: 597603d6 ("ALSA: introduce the snd-aloop module for the PCM loopback")
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  4. 19 Aug, 2017 1 commit
  5. 17 Aug, 2017 1 commit
  6. 29 May, 2015 1 commit
  7. 19 Jan, 2015 1 commit
  8. 20 Oct, 2014 1 commit
  9. 12 Feb, 2014 1 commit
  10. 23 May, 2013 1 commit
  11. 29 Apr, 2013 1 commit
  12. 04 Feb, 2013 1 commit
  13. 07 Dec, 2012 1 commit
  14. 21 Oct, 2012 1 commit
  15. 06 Oct, 2012 1 commit
  16. 09 Aug, 2012 1 commit
  17. 03 Jul, 2012 1 commit
  18. 02 Jul, 2012 1 commit
  19. 15 May, 2012 1 commit
  20. 19 Dec, 2011 1 commit
  21. 31 Oct, 2011 1 commit
  22. 24 Sep, 2011 1 commit
  23. 18 Mar, 2011 1 commit
  24. 20 Oct, 2010 2 commits
  25. 18 Oct, 2010 1 commit
  26. 14 Oct, 2010 1 commit
  27. 11 Oct, 2010 1 commit
  28. 02 Oct, 2010 1 commit
  29. 29 Sep, 2010 1 commit
  30. 15 Sep, 2010 1 commit
  31. 09 Aug, 2010 1 commit