<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-dev/sound/core/oss, branch master</title>
<subtitle>Linux kernel development work - see feature branches</subtitle>
<id>https://git.zx2c4.com/linux-dev/atom/sound/core/oss?h=master</id>
<link rel='self' href='https://git.zx2c4.com/linux-dev/atom/sound/core/oss?h=master'/>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/linux-dev/'/>
<updated>2022-09-27T06:44:05Z</updated>
<entry>
<title>ALSA: pcm: Avoid reference to status-&gt;state</title>
<updated>2022-09-27T06:44:05Z</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2022-09-26T13:55:48Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/linux-dev/commit/?id=f0061c18c169f0c32d96b59485c3edee85e343ed'/>
<id>urn:sha1:f0061c18c169f0c32d96b59485c3edee85e343ed</id>
<content type='text'>
In the PCM core and driver code, there are lots of places referring to the
current PCM state via runtime-&gt;status-&gt;state.  This patch introduced a
local PCM state in runtime itself and replaces those references with
runtime-&gt;state.  It has improvements in two aspects:

- The reduction of an indirect access leads to more code optimization

- It avoids a possible (unexpected) modification of the state via mmap
  of the status record

The status-&gt;state is updated together with runtime-&gt;state, so that
user-space can still read the current state via mmap like before,
too.

This patch touches only the ALSA core code.  The changes in each
driver will follow in later patches.

Reviewed-by: Jaroslav Kysela &lt;perex@perex.cz&gt;
Link: https://lore.kernel.org/r/20220926135558.26580-2-tiwai@suse.de
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC</title>
<updated>2022-09-05T13:01:22Z</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2022-09-05T06:07:14Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/linux-dev/commit/?id=8423f0b6d513b259fdab9c9bf4aaa6188d054c2d'/>
<id>urn:sha1:8423f0b6d513b259fdab9c9bf4aaa6188d054c2d</id>
<content type='text'>
There is a small race window at snd_pcm_oss_sync() that is called from
OSS PCM SNDCTL_DSP_SYNC ioctl; namely the function calls
snd_pcm_oss_make_ready() at first, then takes the params_lock mutex
for the rest.  When the stream is set up again by another thread
between them, it leads to inconsistency, and may result in unexpected
results such as NULL dereference of OSS buffer as a fuzzer spotted
recently.

The fix is simply to cover snd_pcm_oss_make_ready() call into the same
params_lock mutex with snd_pcm_oss_make_ready_locked() variant.

Reported-and-tested-by: butt3rflyh4ck &lt;butterflyhuangxx@gmail.com&gt;
Reviewed-by: Jaroslav Kysela &lt;perex@perex.cz&gt;
Cc: &lt;stable@vger.kernel.org&gt;
Link: https://lore.kernel.org/r/CAFcO6XN7JDM4xSXGhtusQfS2mSBcx50VJKwQpCq=WeLt57aaZA@mail.gmail.com
Link: https://lore.kernel.org/r/20220905060714.22549-1-tiwai@suse.de
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>Merge branch 'for-next' into for-linus</title>
<updated>2022-03-21T15:18:34Z</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2022-03-21T15:18:26Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/linux-dev/commit/?id=a6d4b685026cfe9837b07532db5d1e1681b5d129'/>
<id>urn:sha1:a6d4b685026cfe9837b07532db5d1e1681b5d129</id>
<content type='text'>
Pull 5.18 development branch

Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: oss: Release temporary buffers upon errors</title>
<updated>2022-03-18T13:01:28Z</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2022-03-18T08:21:57Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/linux-dev/commit/?id=8a580a26760cb14535c160613fe9cd0e4dc6f5c6'/>
<id>urn:sha1:8a580a26760cb14535c160613fe9cd0e4dc6f5c6</id>
<content type='text'>
When the parameter change fails, we don't need to keep the old
temporary buffers.  Release those (and plugin instances) upon errors
for reducing dead memory footprint.  Since we always call it at the
exit of snd_pcm_oss_changes_params_locked(), the explicit calls of
snd_pcm_oss_plugin_clear() can be dropped, too.

Along with it, unify the buffer-free calls to a single helper and call
it from the needed places.

Link: https://lore.kernel.org/r/20220318082157.29769-1-tiwai@suse.de
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: oss: Fix PCM OSS buffer allocation overflow</title>
<updated>2022-03-18T13:01:07Z</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2022-03-18T08:20:36Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/linux-dev/commit/?id=efb6402c3c4a7c26d97c92d70186424097b6e366'/>
<id>urn:sha1:efb6402c3c4a7c26d97c92d70186424097b6e366</id>
<content type='text'>
We've got syzbot reports hitting INT_MAX overflow at vmalloc()
allocation that is called from snd_pcm_plug_alloc().  Although we
apply the restrictions to input parameters, it's based only on the
hw_params of the underlying PCM device.  Since the PCM OSS layer
allocates a temporary buffer for the data conversion, the size may
become unexpectedly large when more channels or higher rates are given;
in the reported case, it went over INT_MAX, hence it hits WARN_ON().

This patch is an attempt to avoid such an overflow and an allocation
for too large buffers.  First off, it adds the limit of 1MB as the
upper bound for period bytes.  This must be large enough for all use
cases, and we really don't want to handle a larger temporary buffer
than this size.  The size check is performed at two places, where the
original period bytes is calculated and where the plugin buffer size
is calculated.

In addition, the driver uses array_size() and array3_size() for
multiplications to catch overflows for the converted period size and
buffer bytes.

Reported-by: syzbot+72732c532ac1454eeee9@syzkaller.appspotmail.com
Suggested-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Cc: &lt;stable@vger.kernel.org&gt;
Link: https://lore.kernel.org/r/00000000000085b1b305da5a66f3@google.com
Link: https://lore.kernel.org/r/20220318082036.29699-1-tiwai@suse.de
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>Merge branch 'for-next' into for-linus</title>
<updated>2022-01-05T14:38:34Z</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2022-01-05T14:38:11Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/linux-dev/commit/?id=f81483aaeb59da530b286fe5d081e1705eb5c886'/>
<id>urn:sha1:f81483aaeb59da530b286fe5d081e1705eb5c886</id>
<content type='text'>
Pull 5.17 materials.

Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: pcm: oss: Handle missing errors in snd_pcm_oss_change_params*()</title>
<updated>2021-12-02T08:02:22Z</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2021-12-01T07:36:06Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/linux-dev/commit/?id=6665bb30a6b1a4a853d52557c05482ee50e71391'/>
<id>urn:sha1:6665bb30a6b1a4a853d52557c05482ee50e71391</id>
<content type='text'>
A couple of calls in snd_pcm_oss_change_params_locked() ignore the
possible errors.  Catch those errors and abort the operation for
avoiding further problems.

Cc: &lt;stable@vger.kernel.org&gt;
Link: https://lore.kernel.org/r/20211201073606.11660-4-tiwai@suse.de
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: pcm: oss: Limit the period size to 16MB</title>
<updated>2021-12-02T08:01:58Z</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2021-12-01T07:36:05Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/linux-dev/commit/?id=8839c8c0f77ab8fc0463f4ab8b37fca3f70677c2'/>
<id>urn:sha1:8839c8c0f77ab8fc0463f4ab8b37fca3f70677c2</id>
<content type='text'>
Set the practical limit to the period size (the fragment shift in OSS)
instead of a full 31bit; a too large value could lead to the exhaustion
of memory as we allocate temporary buffers of the period size, too.

As of this patch, we set a 16MB limit, which should cover all use
cases.

Reported-by: syzbot+bb348e9f9a954d42746f@syzkaller.appspotmail.com
Reported-by: Bixuan Cui &lt;cuibixuan@linux.alibaba.com&gt;
Cc: &lt;stable@vger.kernel.org&gt;
Link: https://lore.kernel.org/r/1638270978-42412-1-git-send-email-cuibixuan@linux.alibaba.com
Link: https://lore.kernel.org/r/20211201073606.11660-3-tiwai@suse.de
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: pcm: oss: Fix negative period/buffer sizes</title>
<updated>2021-12-02T08:01:46Z</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2021-12-01T07:36:04Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/linux-dev/commit/?id=9d2479c960875ca1239bcb899f386970c13d9cfe'/>
<id>urn:sha1:9d2479c960875ca1239bcb899f386970c13d9cfe</id>
<content type='text'>
The period size calculation in OSS layer may receive a negative value
as an error, but the code there assumes only the positive values and
handles them with size_t.  Due to that, a too big value may be passed
to the lower layers.

This patch changes the code to handle with ssize_t and adds the proper
error checks appropriately.

Reported-by: syzbot+bb348e9f9a954d42746f@syzkaller.appspotmail.com
Reported-by: Bixuan Cui &lt;cuibixuan@linux.alibaba.com&gt;
Cc: &lt;stable@vger.kernel.org&gt;
Link: https://lore.kernel.org/r/1638270978-42412-1-git-send-email-cuibixuan@linux.alibaba.com
Link: https://lore.kernel.org/r/20211201073606.11660-2-tiwai@suse.de
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: oss: fix compile error when OSS_DEBUG is enabled</title>
<updated>2021-12-01T09:31:04Z</updated>
<author>
<name>Bixuan Cui</name>
<email>cuibixuan@linux.alibaba.com</email>
</author>
<published>2021-12-01T08:58:54Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/linux-dev/commit/?id=8e7daf318d97f25e18b2fc7eb5909e34cd903575'/>
<id>urn:sha1:8e7daf318d97f25e18b2fc7eb5909e34cd903575</id>
<content type='text'>
Fix compile error when OSS_DEBUG is enabled:
    sound/core/oss/pcm_oss.c: In function 'snd_pcm_oss_set_trigger':
    sound/core/oss/pcm_oss.c:2055:10: error: 'substream' undeclared (first
    use in this function); did you mean 'csubstream'?
      pcm_dbg(substream-&gt;pcm, "pcm_oss: trigger = 0x%x\n", trigger);
              ^

Fixes: 61efcee8608c ("ALSA: oss: Use standard printk helpers")
Signed-off-by: Bixuan Cui &lt;cuibixuan@linux.alibaba.com&gt;
Link: https://lore.kernel.org/r/1638349134-110369-1-git-send-email-cuibixuan@linux.alibaba.com
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
</feed>
