1. 14 Jun, 2018 3 commits
  2. 12 Jun, 2018 1 commit
    • Kees Cook's avatar
      treewide: kmalloc() -> kmalloc_array() · 6da2ec56
      Kees Cook authored
      
      
      The kmalloc() function has a 2-factor argument form, kmalloc_array(). This
      patch replaces cases of:
      
              kmalloc(a * b, gfp)
      
      with:
              kmalloc_array(a * b, gfp)
      
      as well as handling cases of:
      
              kmalloc(a * b * c, gfp)
      
      with:
      
              kmalloc(array3_size(a, b, c), gfp)
      
      as it's slightly less ugly than:
      
              kmalloc_array(array_size(a, b), c, gfp)
      
      This does, however, attempt to ignore constant size factors like:
      
              kmalloc(4 * 1024, gfp)
      
      though any constants defined via macros get caught up in the conversion.
      
      Any factors with a sizeof() of "unsigned char", "char", and "u8" were
      dropped, since they're redundant.
      
      The tools/ directory was manually excluded, since it has its own
      implementation of kmalloc().
      
      The Coccinelle script used for this was:
      
      // Fix redundant parens around sizeof().
      @@
      type TYPE;
      expression THING, E;
      @@
      
      (
        kmalloc(
      -	(sizeof(TYPE)) * E
      +	sizeof(TYPE) * E
        , ...)
      |
        kmalloc(
      -	(sizeof(THING)) * E
      +	sizeof(THING) * E
        , ...)
      )
      
      // Drop single-byte sizes and redundant parens.
      @@
      expression COUNT;
      typedef u8;
      typedef __u8;
      @@
      
      (
        kmalloc(
      -	sizeof(u8) * (COUNT)
      +	COUNT
        , ...)
      |
        kmalloc(
      -	sizeof(__u8) * (COUNT)
      +	COUNT
        , ...)
      |
        kmalloc(
      -	sizeof(char) * (COUNT)
      +	COUNT
        , ...)
      |
        kmalloc(
      -	sizeof(unsigned char) * (COUNT)
      +	COUNT
        , ...)
      |
        kmalloc(
      -	sizeof(u8) * COUNT
      +	COUNT
        , ...)
      |
        kmalloc(
      -	sizeof(__u8) * COUNT
      +	COUNT
        , ...)
      |
        kmalloc(
      -	sizeof(char) * COUNT
      +	COUNT
        , ...)
      |
        kmalloc(
      -	sizeof(unsigned char) * COUNT
      +	COUNT
        , ...)
      )
      
      // 2-factor product with sizeof(type/expression) and identifier or constant.
      @@
      type TYPE;
      expression THING;
      identifier COUNT_ID;
      constant COUNT_CONST;
      @@
      
      (
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(TYPE) * (COUNT_ID)
      +	COUNT_ID, sizeof(TYPE)
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(TYPE) * COUNT_ID
      +	COUNT_ID, sizeof(TYPE)
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(TYPE) * (COUNT_CONST)
      +	COUNT_CONST, sizeof(TYPE)
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(TYPE) * COUNT_CONST
      +	COUNT_CONST, sizeof(TYPE)
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(THING) * (COUNT_ID)
      +	COUNT_ID, sizeof(THING)
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(THING) * COUNT_ID
      +	COUNT_ID, sizeof(THING)
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(THING) * (COUNT_CONST)
      +	COUNT_CONST, sizeof(THING)
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(THING) * COUNT_CONST
      +	COUNT_CONST, sizeof(THING)
        , ...)
      )
      
      // 2-factor product, only identifiers.
      @@
      identifier SIZE, COUNT;
      @@
      
      - kmalloc
      + kmalloc_array
        (
      -	SIZE * COUNT
      +	COUNT, SIZE
        , ...)
      
      // 3-factor product with 1 sizeof(type) or sizeof(expression), with
      // redundant parens removed.
      @@
      expression THING;
      identifier STRIDE, COUNT;
      type TYPE;
      @@
      
      (
        kmalloc(
      -	sizeof(TYPE) * (COUNT) * (STRIDE)
      +	array3_size(COUNT, STRIDE, sizeof(TYPE))
        , ...)
      |
        kmalloc(
      -	sizeof(TYPE) * (COUNT) * STRIDE
      +	array3_size(COUNT, STRIDE, sizeof(TYPE))
        , ...)
      |
        kmalloc(
      -	sizeof(TYPE) * COUNT * (STRIDE)
      +	array3_size(COUNT, STRIDE, sizeof(TYPE))
        , ...)
      |
        kmalloc(
      -	sizeof(TYPE) * COUNT * STRIDE
      +	array3_size(COUNT, STRIDE, sizeof(TYPE))
        , ...)
      |
        kmalloc(
      -	sizeof(THING) * (COUNT) * (STRIDE)
      +	array3_size(COUNT, STRIDE, sizeof(THING))
        , ...)
      |
        kmalloc(
      -	sizeof(THING) * (COUNT) * STRIDE
      +	array3_size(COUNT, STRIDE, sizeof(THING))
        , ...)
      |
        kmalloc(
      -	sizeof(THING) * COUNT * (STRIDE)
      +	array3_size(COUNT, STRIDE, sizeof(THING))
        , ...)
      |
        kmalloc(
      -	sizeof(THING) * COUNT * STRIDE
      +	array3_size(COUNT, STRIDE, sizeof(THING))
        , ...)
      )
      
      // 3-factor product with 2 sizeof(variable), with redundant parens removed.
      @@
      expression THING1, THING2;
      identifier COUNT;
      type TYPE1, TYPE2;
      @@
      
      (
        kmalloc(
      -	sizeof(TYPE1) * sizeof(TYPE2) * COUNT
      +	array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2))
        , ...)
      |
        kmalloc(
      -	sizeof(TYPE1) * sizeof(THING2) * (COUNT)
      +	array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2))
        , ...)
      |
        kmalloc(
      -	sizeof(THING1) * sizeof(THING2) * COUNT
      +	array3_size(COUNT, sizeof(THING1), sizeof(THING2))
        , ...)
      |
        kmalloc(
      -	sizeof(THING1) * sizeof(THING2) * (COUNT)
      +	array3_size(COUNT, sizeof(THING1), sizeof(THING2))
        , ...)
      |
        kmalloc(
      -	sizeof(TYPE1) * sizeof(THING2) * COUNT
      +	array3_size(COUNT, sizeof(TYPE1), sizeof(THING2))
        , ...)
      |
        kmalloc(
      -	sizeof(TYPE1) * sizeof(THING2) * (COUNT)
      +	array3_size(COUNT, sizeof(TYPE1), sizeof(THING2))
        , ...)
      )
      
      // 3-factor product, only identifiers, with redundant parens removed.
      @@
      identifier STRIDE, SIZE, COUNT;
      @@
      
      (
        kmalloc(
      -	(COUNT) * STRIDE * SIZE
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        kmalloc(
      -	COUNT * (STRIDE) * SIZE
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        kmalloc(
      -	COUNT * STRIDE * (SIZE)
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        kmalloc(
      -	(COUNT) * (STRIDE) * SIZE
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        kmalloc(
      -	COUNT * (STRIDE) * (SIZE)
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        kmalloc(
      -	(COUNT) * STRIDE * (SIZE)
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        kmalloc(
      -	(COUNT) * (STRIDE) * (SIZE)
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        kmalloc(
      -	COUNT * STRIDE * SIZE
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      )
      
      // Any remaining multi-factor products, first at least 3-factor products,
      // when they're not all constants...
      @@
      expression E1, E2, E3;
      constant C1, C2, C3;
      @@
      
      (
        kmalloc(C1 * C2 * C3, ...)
      |
        kmalloc(
      -	(E1) * E2 * E3
      +	array3_size(E1, E2, E3)
        , ...)
      |
        kmalloc(
      -	(E1) * (E2) * E3
      +	array3_size(E1, E2, E3)
        , ...)
      |
        kmalloc(
      -	(E1) * (E2) * (E3)
      +	array3_size(E1, E2, E3)
        , ...)
      |
        kmalloc(
      -	E1 * E2 * E3
      +	array3_size(E1, E2, E3)
        , ...)
      )
      
      // And then all remaining 2 factors products when they're not all constants,
      // keeping sizeof() as the second factor argument.
      @@
      expression THING, E1, E2;
      type TYPE;
      constant C1, C2, C3;
      @@
      
      (
        kmalloc(sizeof(THING) * C2, ...)
      |
        kmalloc(sizeof(TYPE) * C2, ...)
      |
        kmalloc(C1 * C2 * C3, ...)
      |
        kmalloc(C1 * C2, ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(TYPE) * (E2)
      +	E2, sizeof(TYPE)
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(TYPE) * E2
      +	E2, sizeof(TYPE)
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(THING) * (E2)
      +	E2, sizeof(THING)
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(THING) * E2
      +	E2, sizeof(THING)
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	(E1) * E2
      +	E1, E2
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	(E1) * (E2)
      +	E1, E2
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	E1 * E2
      +	E1, E2
        , ...)
      )
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      6da2ec56
  3. 28 May, 2018 1 commit
  4. 15 May, 2018 3 commits
  5. 13 May, 2018 2 commits
  6. 04 May, 2018 1 commit
  7. 03 May, 2018 1 commit
  8. 02 May, 2018 2 commits
    • Takashi Iwai's avatar
      ALSA: usb-audio: Add "Keep Interface" control · 4120fbed
      Takashi Iwai authored
      
      
      This patch adds "Keep Interface" control for each USB-audio device.
      The control element is with SND_CTL_IFACE_CARD, so that it won't
      appear on any sane mixer applications.  For a device that is confirmed
      to work well with "keep-interface" mode, user can flip the control via
      amixer, e.g.
        % amixer -c1 cset iface=CARD,name='Keep Interface' on
      
      and save/restore the state via alsactl.
      
      The reason to provide this via control API is that the behavior must
      be pretty depending on the device (and the firmware in it), so it's
      not ideal to apply via module option.
      
      For a device that certainly works, we may set it statically via a
      quirk table entry.  But a device like Dell WD15 dock behaves so
      differently depending on the firmware, and we can't set it
      statically.  So leave this as a dynamic switch each user can adjust
      freely.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      4120fbed
    • Takashi Iwai's avatar
      ALSA: usb-audio: Initialize Dell Dock playback volumes · 964af639
      Takashi Iwai authored
      In the early commit adcdd0d5 ("ALSA: usb-audio: Skip volume
      controls triggers hangup on Dell USB Dock"), we add the mixer quirks
      for Dell dock to skip two mixer FU's for playback.  This supposed that
      the device has always the proper initial volume, but it doesn't seem
      always correct.
      
      This patch adds the explicit initialization of the volumes to the
      fixed 0dB at the device probe time.  Also, such a fixup is needed
      after the resume, so a new function is hooked to the resume callback
      as well.
      
      Bugzilla: http://bugzilla.suse.com/show_bug.cgi?id=1089467
      
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      964af639
  9. 24 Apr, 2018 1 commit
  10. 23 Apr, 2018 1 commit
  11. 27 Mar, 2018 1 commit
  12. 24 Mar, 2018 2 commits
    • Andrew Chant's avatar
      ALSA: usb-audio: update clock valid control · 568fa7e0
      Andrew Chant authored
      
      
      Make the "clock valid" control a global control instead of a mixer
      so that it doesn't appear in mixer applications.
      
      Additionally, remove the check for writeability prohibited by spec, and
      Use common code to read the control value.
      
      Tested with a UAC2 Audio device that presents a clock validity
      control.  The control still shows up in /proc usbmixer but not
      in alsamixer.
      Signed-off-by: default avatarAndrew Chant <achant@google.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      568fa7e0
    • Andrew Chant's avatar
      ALSA: usb-audio: UAC2 jack detection · 5a222e84
      Andrew Chant authored
      
      
      This implements UAC2 jack detection support, presenting
      jack status as a boolean read-only mono mixer.
      
      The presence of any channel in the UAC2_TE_CONNECTOR
      control for a terminal will result in the mixer saying
      the jack is connected.
      
      Mixer naming follows the convention in sound/core/ctljack.c,
      terminating the mixer with " Jack".
      For additional clues as to which jack is being presented,
      the name is prefixed with " - Input Jack" or " - Output Jack"
      depending on if it's an input or output terminal.
      
      This is required because terminal names are ambiguous
      between inputs and outputs and often duplicated -
      Bidirectional terminal types (0x400 -> 0x4FF)
      "... may be used separately for input only or output only.
      These types require two Terminal descriptors. Both have the same type."
      (quote from "USB Device Class Definition for Terminal Types")
      
      Since bidirectional terminal types are common for headphone adapters,
      this distinguishes between two otherwise identically-named
      jack controls.
      
      Tested with a UAC2 audio device with connector control capability.
      Signed-off-by: default avatarAndrew Chant <achant@google.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      5a222e84
  13. 23 Mar, 2018 1 commit
    • Andrew Chant's avatar
      ALSA: usb-audio: fix uac control query argument · 21e9b3e9
      Andrew Chant authored
      
      
      This patch fixes code readability and should have no functional change.
      
      Correct uac control query functions to account for the 1-based indexing
      of USB Audio Class control identifiers.
      
      The function parameter, u8 control, should be the
      constant defined in audio-v2.h to identify the control to be checked for
      readability or writeability.
      
      This patch fixes all callers that had adjusted, and makes explicit
      the mapping between audio_feature_info[] array index and the associated
      control identifier.
      Signed-off-by: default avatarAndrew Chant <achant@google.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      21e9b3e9
  14. 21 Mar, 2018 1 commit
    • Ruslan Bilovol's avatar
      ALSA: usb: initial USB Audio Device Class 3.0 support · 9a2fe9b8
      Ruslan Bilovol authored
      
      
      Recently released USB Audio Class 3.0 specification
      introduces many significant changes comparing to
      previous versions, like
       - new Power Domains, support for LPM/L1
       - new Cluster descriptor
       - changed layout of all class-specific descriptors
       - new High Capability descriptors
       - New class-specific String descriptors
       - new and removed units
       - additional sources for interrupts
       - removed Type II Audio Data Formats
       - ... and many other things (check spec)
      
      It also provides backward compatibility through
      multiple configurations, as well as requires
      mandatory support for BADD (Basic Audio Device
      Definition) on each ADC3.0 compliant device
      
      This patch adds initial support of UAC3 specification
      that is enough for Generic I/O Profile (BAOF, BAIF)
      device support from BADD document.
      Signed-off-by: default avatarRuslan Bilovol <ruslan.bilovol@gmail.com>
      Reviewed-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      9a2fe9b8
  15. 12 Feb, 2018 1 commit
    • Kirill Marinushkin's avatar
      ALSA: usb-audio: Fix UAC2 get_ctl request with a RANGE attribute · 447cae58
      Kirill Marinushkin authored
      The layout of the UAC2 Control request and response varies depending on
      the request type. With the current implementation, only the Layout 2
      Parameter Block (with the 2-byte sized RANGE attribute) is handled
      properly. For the Control requests with the 1-byte sized RANGE attribute
      (Bass Control, Mid Control, Tremble Control), the response is parsed
      incorrectly.
      
      This commit:
      * fixes the wLength field value in the request
      * fixes parsing the range values from the response
      
      Fixes: 23caaf19
      
       ("ALSA: usb-mixer: Add support for Audio Class v2.0")
      Signed-off-by: default avatarKirill Marinushkin <k.marinushkin@gmail.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      447cae58
  16. 19 Dec, 2017 2 commits
    • Takashi Iwai's avatar
      ALSA: usb-audio: Proper fallback at get_term_name() · 56a23ee5
      Takashi Iwai authored
      
      
      get_term_name() calls snd_usb_copy_string_desc() for retrieving the
      name when a specific ID (name field) is given.  When this returns an
      error (zero), however, it simply returns as is.  This will end up in a
      fixed name string in the caller side, which often is meaningless.
      
      For giving a bit more useful name string depending on the terminal
      type, change the get_term_name() function to go through the fallback
      mode.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      56a23ee5
    • Takashi Iwai's avatar
      ALSA: usb-audio: Fix the missing ctl name suffix at parsing SU · 5a15f289
      Takashi Iwai authored
      The commit 89b89d12 ("ALSA: usb-audio: Add check return value for
      usb_string()") added the check of the return value from
      snd_usb_copy_string_desc(), which is correct per se, but it introduced
      a regression.  In the original code, either the "Clock Source",
      "Playback Source" or "Capture Source" suffix is added after the
      terminal string, while the commit changed it to add the suffix only
      when get_term_name() is failing.  It ended up with an incorrect ctl
      name like "PCM" instead of "PCM Capture Source".
      
      Also, even the original code has a similar bug: when the ctl name is
      generated from snd_usb_copy_string_desc() for the given iSelector, it
      also doesn't put the suffix.
      
      This patch addresses these issues: the suffix is added always when no
      static mapping is found.  Also the patch tries to put more comments
      and cleans up the if/else block for better readability in order to
      avoid the same pitfall again.
      
      Fixes: 89b89d12
      
       ("ALSA: usb-audio: Add check return value for usb_string()")
      Reported-and-tested-by: default avatarMauro Santos <registo.mailling@gmail.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      5a15f289
  17. 04 Dec, 2017 2 commits
    • Jaejoong Kim's avatar
      ALSA: usb-audio: Add check return value for usb_string() · 89b89d12
      Jaejoong Kim authored
      
      
      snd_usb_copy_string_desc() returns zero if usb_string() fails.
      In case of failure, we need to check the snd_usb_copy_string_desc()'s
      return value and add an exception case
      Signed-off-by: default avatarJaejoong Kim <climbbb.kim@gmail.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      89b89d12
    • Jaejoong Kim's avatar
      ALSA: usb-audio: Fix out-of-bound error · 251552a2
      Jaejoong Kim authored
      
      
      The snd_usb_copy_string_desc() retrieves the usb string corresponding to
      the index number through the usb_string(). The problem is that the
      usb_string() returns the length of the string (>= 0) when successful, but
      it can also return a negative value about the error case or status of
      usb_control_msg().
      
      If iClockSource is '0' as shown below, usb_string() will returns -EINVAL.
      This will result in '0' being inserted into buf[-22], and the following
      KASAN out-of-bound error message will be output.
      
      AudioControl Interface Descriptor:
        bLength                 8
        bDescriptorType        36
        bDescriptorSubtype     10 (CLOCK_SOURCE)
        bClockID                1
        bmAttributes         0x07 Internal programmable Clock (synced to SOF)
        bmControls           0x07
        Clock Frequency Control (read/write)
        Clock Validity Control (read-only)
        bAssocTerminal          0
        iClockSource            0
      
      To fix it, check usb_string()'return value and bail out.
      
      ==================================================================
      BUG: KASAN: stack-out-of-bounds in parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
      Write of size 1 at addr ffff88007e66735a by task systemd-udevd/18376
      
      CPU: 0 PID: 18376 Comm: systemd-udevd Not tainted 4.13.0+ #3
      Hardware name: LG Electronics                   15N540-RFLGL/White Tip Mountain, BIOS 15N5
      Call Trace:
      dump_stack+0x63/0x8d
      print_address_description+0x70/0x290
      ? parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
      kasan_report+0x265/0x350
      __asan_store1+0x4a/0x50
      parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
      ? save_stack+0xb5/0xd0
      ? save_stack_trace+0x1b/0x20
      ? save_stack+0x46/0xd0
      ? kasan_kmalloc+0xad/0xe0
      ? kmem_cache_alloc_trace+0xff/0x230
      ? snd_usb_create_mixer+0xb0/0x4b0 [snd_usb_audio]
      ? usb_audio_probe+0x4de/0xf40 [snd_usb_audio]
      ? usb_probe_interface+0x1f5/0x440
      ? driver_probe_device+0x3ed/0x660
      ? build_feature_ctl+0xb10/0xb10 [snd_usb_audio]
      ? save_stack_trace+0x1b/0x20
      ? init_object+0x69/0xa0
      ? snd_usb_find_csint_desc+0xa8/0xf0 [snd_usb_audio]
      snd_usb_mixer_controls+0x1dc/0x370 [snd_usb_audio]
      ? build_audio_procunit+0x890/0x890 [snd_usb_audio]
      ? snd_usb_create_mixer+0xb0/0x4b0 [snd_usb_audio]
      ? kmem_cache_alloc_trace+0xff/0x230
      ? usb_ifnum_to_if+0xbd/0xf0
      snd_usb_create_mixer+0x25b/0x4b0 [snd_usb_audio]
      ? snd_usb_create_stream+0x255/0x2c0 [snd_usb_audio]
      usb_audio_probe+0x4de/0xf40 [snd_usb_audio]
      ? snd_usb_autosuspend.part.7+0x30/0x30 [snd_usb_audio]
      ? __pm_runtime_idle+0x90/0x90
      ? kernfs_activate+0xa6/0xc0
      ? usb_match_one_id_intf+0xdc/0x130
      ? __pm_runtime_set_status+0x2d4/0x450
      usb_probe_interface+0x1f5/0x440
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarJaejoong Kim <climbbb.kim@gmail.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      251552a2
  18. 28 Nov, 2017 1 commit
  19. 21 Nov, 2017 3 commits
  20. 17 Nov, 2017 1 commit
  21. 10 Oct, 2017 1 commit
    • Takashi Iwai's avatar
      ALSA: usb-audio: Kill stray URB at exiting · 124751d5
      Takashi Iwai authored
      
      
      USB-audio driver may leave a stray URB for the mixer interrupt when it
      exits by some error during probe.  This leads to a use-after-free
      error as spotted by syzkaller like:
        ==================================================================
        BUG: KASAN: use-after-free in snd_usb_mixer_interrupt+0x604/0x6f0
        Call Trace:
         <IRQ>
         __dump_stack lib/dump_stack.c:16
         dump_stack+0x292/0x395 lib/dump_stack.c:52
         print_address_description+0x78/0x280 mm/kasan/report.c:252
         kasan_report_error mm/kasan/report.c:351
         kasan_report+0x23d/0x350 mm/kasan/report.c:409
         __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
         snd_usb_mixer_interrupt+0x604/0x6f0 sound/usb/mixer.c:2490
         __usb_hcd_giveback_urb+0x2e0/0x650 drivers/usb/core/hcd.c:1779
         ....
      
        Allocated by task 1484:
         save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
         save_stack+0x43/0xd0 mm/kasan/kasan.c:447
         set_track mm/kasan/kasan.c:459
         kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
         kmem_cache_alloc_trace+0x11e/0x2d0 mm/slub.c:2772
         kmalloc ./include/linux/slab.h:493
         kzalloc ./include/linux/slab.h:666
         snd_usb_create_mixer+0x145/0x1010 sound/usb/mixer.c:2540
         create_standard_mixer_quirk+0x58/0x80 sound/usb/quirks.c:516
         snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560
         create_composite_quirk+0x1c4/0x3e0 sound/usb/quirks.c:59
         snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560
         usb_audio_probe+0x1040/0x2c10 sound/usb/card.c:618
         ....
      
        Freed by task 1484:
         save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
         save_stack+0x43/0xd0 mm/kasan/kasan.c:447
         set_track mm/kasan/kasan.c:459
         kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524
         slab_free_hook mm/slub.c:1390
         slab_free_freelist_hook mm/slub.c:1412
         slab_free mm/slub.c:2988
         kfree+0xf6/0x2f0 mm/slub.c:3919
         snd_usb_mixer_free+0x11a/0x160 sound/usb/mixer.c:2244
         snd_usb_mixer_dev_free+0x36/0x50 sound/usb/mixer.c:2250
         __snd_device_free+0x1ff/0x380 sound/core/device.c:91
         snd_device_free_all+0x8f/0xe0 sound/core/device.c:244
         snd_card_do_free sound/core/init.c:461
         release_card_device+0x47/0x170 sound/core/init.c:181
         device_release+0x13f/0x210 drivers/base/core.c:814
         ....
      
      Actually such a URB is killed properly at disconnection when the
      device gets probed successfully, and what we need is to apply it for
      the error-path, too.
      
      In this patch, we apply snd_usb_mixer_disconnect() at releasing.
      Also introduce a new flag, disconnected, to struct usb_mixer_interface
      for not performing the disconnection procedure twice.
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Tested-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      124751d5
  22. 18 Aug, 2017 1 commit
    • Stephen Barber's avatar
      ALSA: usb-audio: don't retry snd_usb_ctl_msg after timeout · 5a9a8eca
      Stephen Barber authored
      
      
      A few calls to snd_usb_ctl_msg wrap the function in a retry loop. In
      the worst case, the timeout for snd_usb_ctl_msg is 5 seconds, which when
      retried 10 times (for example, if a device is removed) could cause a
      probe to hang for ~50 seconds.
      
      Example stack trace from 3.14 which triggered a hung task timeout:
      Call Trace:
       [<ffffffffa2c1f720>] ? inet6_set_link_af.part.35+0x12/0x12
       [<ffffffffa2c20309>] schedule+0x6e/0x70
       [<ffffffffa2c1f81c>] schedule_timeout+0xfc/0x13c
       [<ffffffffa2667bbc>] ? rcu_read_unlock_sched_notrace+0x17/0x17
       [<ffffffffa2c20d68>] __wait_for_common+0x153/0x190
       [<ffffffffa2c20d68>] ? __wait_for_common+0x153/0x190
       [<ffffffffa26890e5>] ? wake_up_state+0x12/0x12
       [<ffffffffa2c20e0e>] wait_for_completion_timeout+0x1d/0x1f
       [<ffffffffa2a07c70>] usb_start_wait_urb+0x93/0xf1
       [<ffffffffa2a07daf>] usb_control_msg+0xe1/0x11d
       [<ffffffffc02cd254>] snd_usb_ctl_msg+0x9c/0xf1 [snd_usb_audio]
       [<ffffffffc02ce191>] snd_usb_mixer_set_ctl_value+0x124/0xab1 [snd_usb_audio]
       [<ffffffffc02ce230>] snd_usb_mixer_set_ctl_value+0x1c3/0xab1 [snd_usb_audio]
       [<ffffffffc02ce58e>] snd_usb_mixer_set_ctl_value+0x521/0xab1 [snd_usb_audio]
       [<ffffffffc02cee88>] snd_usb_mixer_add_control+0x36a/0x1264 [snd_usb_audio]
       [<ffffffffc02cf323>] snd_usb_mixer_add_control+0x805/0x1264 [snd_usb_audio]
       [<ffffffffa2a06e11>] ? usb_free_urb+0x1a/0x1c
       [<ffffffffc02cfcf7>] snd_usb_mixer_add_control+0x11d9/0x1264 [snd_usb_audio]
       [<ffffffffc02d000f>] snd_usb_create_mixer+0xbc/0x286 [snd_usb_audio]
       [<ffffffffc02cac18>] 0xffffffffc02cac17
       [<ffffffffa2a0aaf1>] usb_probe_interface+0x17c/0x21c
       [<ffffffffa29a65bc>] driver_probe_device+0xae/0x1fa
       [<ffffffffa29a6767>] __device_attach_driver+0x5f/0x66
       [<ffffffffa29a6708>] ? driver_probe_device+0x1fa/0x1fa
       [<ffffffffa29a4a60>] bus_for_each_drv+0x87/0xaa
       [<ffffffffa29a688a>] __device_attach+0x9d/0x101
       [<ffffffffa29a6913>] device_initial_probe+0x13/0x15
       [<ffffffffa29a5ae6>] bus_probe_device+0x33/0x96
       [<ffffffffa29a3d19>] device_add+0x328/0x547
       [<ffffffffa2a09355>] usb_set_configuration+0x624/0x674
       [<ffffffffa2a11949>] generic_probe+0x45/0x77
       [<ffffffffa2a0a962>] usb_probe_device+0x2d/0x40
       [<ffffffffa29a65bc>] driver_probe_device+0xae/0x1fa
       [<ffffffffa29a6767>] __device_attach_driver+0x5f/0x66
       [<ffffffffa29a6708>] ? driver_probe_device+0x1fa/0x1fa
       [<ffffffffa29a4a60>] bus_for_each_drv+0x87/0xaa
       [<ffffffffa29a688a>] __device_attach+0x9d/0x101
       [<ffffffffa29a6913>] device_initial_probe+0x13/0x15
       [<ffffffffa29a5ae6>] bus_probe_device+0x33/0x96
       [<ffffffffa29a3d19>] device_add+0x328/0x547
       [<ffffffffa29030bc>] ? add_device_randomness+0x111/0x130
       [<ffffffffa2a00967>] usb_new_device+0x2a2/0x3c0
       [<ffffffffa2a02ddc>] hub_thread+0xa3d/0xeed
       [<ffffffffa2c2010d>] ? __schedule+0x41e/0x5ac
       [<ffffffffa26957ce>] ? finish_wait+0x62/0x62
       [<ffffffffa2a0239f>] ? usb_reset_device+0x16a/0x16a
       [<ffffffffa267b255>] kthread+0x108/0x110
       [<ffffffffa267b14d>] ? __kthread_parkme+0x67/0x67
       [<ffffffffa2c23b2c>] ret_from_fork+0x7c/0xb0
       [<ffffffffa267b14d>] ? __kthread_parkme+0x67/0x67
      Signed-off-by: default avatarStephen Barber <smbarber@chromium.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      5a9a8eca
  23. 17 Aug, 2017 1 commit
  24. 12 Apr, 2017 1 commit
    • Bhumika Goyal's avatar
      ALSA: usb-audio: constify snd_kcontrol_new structures · 8fdaebbb
      Bhumika Goyal authored
      
      
      Declare snd_kcontrol_new strcutures as const as they are only passed as
      an argument to the function snd_ctl_new1. This argument is of type const,
      so snd_kcontrol_new structures having this property can be made const too.
      Done using Coccinelle:
      
      @r disable optional_qualifier@
      identifier x;
      position p;
      @@
      static struct snd_kcontrol_new x@p={...};
      
      @ok@
      identifier r.x;
      position p;
      @@
      snd_ctl_new1(&x@p,...)
      
      @bad@
      position p != {r.p,ok.p};
      identifier r.x;
      @@
      x@p
      
      @depends on !bad disable optional_qualifier@
      identifier r.x;
      @@
      +const
      struct snd_kcontrol_new x;
      Signed-off-by: default avatarBhumika Goyal <bhumirks@gmail.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      8fdaebbb
  25. 09 Dec, 2016 1 commit
  26. 09 Apr, 2016 2 commits
    • Daniel Mack's avatar
      ALSA: usb-audio: allow clock source validity interrupts · 191227d9
      Daniel Mack authored
      
      
      miniDSP USBStreamer UAC2 devices send clock validity changes with the
      control field set to zero. The current interrupt handler ignores all
      packets if the control field does not match the mixer element's, but
      it really should only do that in case that field is needed to
      distinguish multiple elements with the same ID.
      
      This patch implements a logic that lets notifications packets pass
      if the element ID is unique for a given device.
      Signed-off-by: default avatarDaniel Mack <daniel@zonque.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      191227d9
    • Daniel Mack's avatar
      ALSA: usb-audio: add UAC2 clock sources as mixer controls · cddaafb9
      Daniel Mack authored
      
      
      UAC2 specifies clock sources that optionally have validity controls.
      This patch exposes them as mixer controls, so they can be read (and
      at least in theory even be written) by userspace applications in order
      to make clock selection policy decisions.
      
      This implementation does nothing if the device is not UAC2 compliant,
      or if the clock source does not define said validity control bits.
      
      Tested with a miniDSP USBStreamer (0x2752/0x0016).
      Signed-off-by: default avatarDaniel Mack <daniel@zonque.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      cddaafb9
  27. 14 Dec, 2015 1 commit
    • Anssi Hannula's avatar
      ALSA: usb-audio: Add a more accurate volume quirk for AudioQuest DragonFly · 42e3121d
      Anssi Hannula authored
      AudioQuest DragonFly DAC reports a volume control range of 0..50
      (0x0000..0x0032) which in USB Audio means a range of 0 .. 0.2dB, which
      is obviously incorrect and would cause software using the dB information
      in e.g. volume sliders to have a massive volume difference in 100..102%
      range.
      
      Commit 2d1cb7f6
      
       ("ALSA: usb-audio: add dB range mapping for some
      devices") added a dB range mapping for it with range 0..50 dB.
      
      However, the actual volume mapping seems to be neither linear volume nor
      linear dB scale, but instead quite close to the cubic mapping e.g.
      alsamixer uses, with a range of approx. -53...0 dB.
      
      Replace the previous quirk with a custom dB mapping based on some basic
      output measurements, using a 10-item range TLV (which will still fit in
      alsa-lib MAX_TLV_RANGE_SIZE).
      
      Tested on AudioQuest DragonFly HW v1.2. The quirk is only applied if the
      range is 0..50, so if this gets fixed/changed in later HW revisions it
      will no longer be applied.
      
      v2: incorporated Takashi Iwai's suggestion for the quirk application
      method
      Signed-off-by: default avatarAnssi Hannula <anssi.hannula@iki.fi>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      42e3121d
  28. 28 Aug, 2015 1 commit