| Age | Commit message (Collapse) | Author |
|---|
|
commit 66efdc71d95887b652a742a5dae51fa834d71465 upstream.
snd_seq_timer_open() didn't catch the whole error path but let through
if the timer id is a slave. This may lead to Oops by accessing the
uninitialized pointer.
BUG: unable to handle kernel NULL pointer dereference at 00000000000002ae
IP: [<ffffffff819b3477>] snd_seq_timer_open+0xe7/0x130
PGD 785cd067 PUD 76964067 PMD 0
Oops: 0002 [#4] SMP
CPU 0
Pid: 4288, comm: trinity-child7 Tainted: G D W 3.9.0-rc1+ #100 Bochs Bochs
RIP: 0010:[<ffffffff819b3477>] [<ffffffff819b3477>] snd_seq_timer_open+0xe7/0x130
RSP: 0018:ffff88006ece7d38 EFLAGS: 00010246
RAX: 0000000000000286 RBX: ffff88007851b400 RCX: 0000000000000000
RDX: 000000000000ffff RSI: ffff88006ece7d58 RDI: ffff88006ece7d38
RBP: ffff88006ece7d98 R08: 000000000000000a R09: 000000000000fffe
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff8800792c5400 R14: 0000000000e8f000 R15: 0000000000000007
FS: 00007f7aaa650700(0000) GS:ffff88007f800000(0000) GS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000002ae CR3: 000000006efec000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process trinity-child7 (pid: 4288, threadinfo ffff88006ece6000, task ffff880076a8a290)
Stack:
0000000000000286 ffffffff828f2be0 ffff88006ece7d58 ffffffff810f354d
65636e6575716573 2065756575712072 ffff8800792c0030 0000000000000000
ffff88006ece7d98 ffff8800792c5400 ffff88007851b400 ffff8800792c5520
Call Trace:
[<ffffffff810f354d>] ? trace_hardirqs_on+0xd/0x10
[<ffffffff819b17e9>] snd_seq_queue_timer_open+0x29/0x70
[<ffffffff819ae01a>] snd_seq_ioctl_set_queue_timer+0xda/0x120
[<ffffffff819acb9b>] snd_seq_do_ioctl+0x9b/0xd0
[<ffffffff819acbe0>] snd_seq_ioctl+0x10/0x20
[<ffffffff811b9542>] do_vfs_ioctl+0x522/0x570
[<ffffffff8130a4b3>] ? file_has_perm+0x83/0xa0
[<ffffffff810f354d>] ? trace_hardirqs_on+0xd/0x10
[<ffffffff811b95ed>] sys_ioctl+0x5d/0xa0
[<ffffffff813663fe>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[<ffffffff81faed69>] system_call_fastpath+0x16/0x1b
Reported-and-tested-by: Tommi Rantala <tt.rantala@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
|
|
commit 27f7ad53829f79e799a253285318bff79ece15bd upstream.
The error handling in snd_seq_oss_open() has several bad codes that
do dereferecing released pointers and double-free of kmalloc'ed data.
The object dp is release in free_devinfo() that is called via
private_free callback. The rest shouldn't touch this object any more.
The patch changes delete_port() to call kfree() in any case, and gets
rid of unnecessary calls of destructors in snd_seq_oss_open().
Fixes CVE-2010-3080.
Reported-and-tested-by: Tavis Ormandy <taviso@cmpxchg8b.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
* topic/midi:
sound: rawmidi: disable active-sensing-on-close by default
sound: seq_oss_midi: remove magic numbers
sound: seq_midi: do not send MIDI reset when closing
seq-midi: always log message on output overrun
|
|
When build SND_SEQUENCER in kernel then OSS sequencer(alsa_seq_oss_init)
is initialized before System (snd_seq_system_client_init) which leads to
memory leak :
unreferenced object 0xf6b0e680 (size 256):
comm "swapper", pid 1, jiffies 4294670753
backtrace:
[<c108ac5c>] create_object+0x135/0x204
[<c108adfe>] kmemleak_alloc+0x26/0x4c
[<c1087de2>] kmem_cache_alloc+0x72/0xff
[<c126d2ac>] seq_create_client1+0x22/0x160
[<c126e3b6>] snd_seq_create_kernel_client+0x72/0xef
[<c1485a05>] snd_seq_oss_create_client+0x86/0x142
[<c1485920>] alsa_seq_oss_init+0xf6/0x155
[<c1001059>] do_one_initcall+0x4f/0x111
[<c14655be>] kernel_init+0x115/0x166
[<c10032af>] kernel_thread_helper+0x7/0x10
[<ffffffff>] 0xffffffff
unreferenced object 0xf688a580 (size 64):
comm "swapper", pid 1, jiffies 4294670753
backtrace:
[<c108ac5c>] create_object+0x135/0x204
[<c108adfe>] kmemleak_alloc+0x26/0x4c
[<c1087de2>] kmem_cache_alloc+0x72/0xff
[<c126f964>] snd_seq_pool_new+0x1c/0xb8
[<c126d311>] seq_create_client1+0x87/0x160
[<c126e3b6>] snd_seq_create_kernel_client+0x72/0xef
[<c1485a05>] snd_seq_oss_create_client+0x86/0x142
[<c1485920>] alsa_seq_oss_init+0xf6/0x155
[<c1001059>] do_one_initcall+0x4f/0x111
[<c14655be>] kernel_init+0x115/0x166
[<c10032af>] kernel_thread_helper+0x7/0x10
[<ffffffff>] 0xffffffff
unreferenced object 0xf6b0e480 (size 256):
comm "swapper", pid 1, jiffies 4294670754
backtrace:
[<c108ac5c>] create_object+0x135/0x204
[<c108adfe>] kmemleak_alloc+0x26/0x4c
[<c1087de2>] kmem_cache_alloc+0x72/0xff
[<c12725a0>] snd_seq_create_port+0x51/0x21c
[<c126de50>] snd_seq_ioctl_create_port+0x57/0x13c
[<c126d07a>] snd_seq_do_ioctl+0x4a/0x69
[<c126d0de>] snd_seq_kernel_client_ctl+0x33/0x49
[<c1485a74>] snd_seq_oss_create_client+0xf5/0x142
[<c1485920>] alsa_seq_oss_init+0xf6/0x155
[<c1001059>] do_one_initcall+0x4f/0x111
[<c14655be>] kernel_init+0x115/0x166
[<c10032af>] kernel_thread_helper+0x7/0x10
[<ffffffff>] 0xffffffff
The correct order should be :
System (snd_seq_system_client_init) should be initialized before
OSS sequencer(alsa_seq_oss_init) which is equivalent to :
1. insmod sound/core/seq/snd-seq-device.ko
2. insmod sound/core/seq/snd-seq.ko
3. insmod sound/core/seq/snd-seq-midi-event.ko
4. insmod sound/core/seq/oss/snd-seq-oss.ko
Including sound/core/seq/oss/Makefile after other seq modules
fixes the ordering and memory leak.
Signed-off-by: Jaswinder Singh Rajput <jaswinderrajput@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Sending an Active Sensing message when closing a port can interfere with
the following data if the port is reopened and a note-on is sent before
the device's timeout has elapsed. Therefore, it is better to disable
this setting by default.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Instead of using magic numbers for the controlles sent when resetting
a port, use the symbols from asoundef.h.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Sending a MIDI reset message when closing a port is wrong because we
only want to shut the device up, not to reset all settings.
Furthermore, many devices ignore this message.
Fortunately, the RawMIDI layer already shuts the device up, so we can
ignore this matter here.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
It turns out that the main cause of output buffer overruns is not slow
drivers but applications that generate too many messages. Therefore, it
makes more sense to make that error message always visible, and to
rate-limit it.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
* topic/seq-midi-fix:
sound: seq_midi_event: fix decoding of (N)RPN events
|
|
When decoding (N)RPN sequencer events into raw MIDI commands, the
extra_decode_xrpn() function had accidentally swapped the MSB and LSB
controller values of both the parameter number and the data value.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Cc: <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Instead of mangling the CONFIG_* variables in the makefiles over and
over, set a few helper variables in Kconfig.
Signed-off-by: Michal Marek <mmarek@suse.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Remove open-coded memdup_user().
Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Added the hrtimer backend for ALSA timer interface.
It can be used for the sequencer timer source.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Kill snd_assert() in sound/core/*, either removed or replaced with
if () with snd_BUG_ON().
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
|
|
snd_seq_oss_synth_make_info() incorrectly reports information
to userspace without first checking for the validity of the
device number, leading to possible information leak (CVE-2008-3272).
Reported-By: Tobias Klein <tk@trapkit.de>
Acked-and-tested-by: Takashi Iwai <tiwai@suse.de>
Cc: stable@kernel.org
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
A bunch of things in alsa depend on CONFIG_KMOD,
use CONFIG_MODULES instead where the dependency
is needed at all.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
|
|
Removed invalid BUG() - the driver should handle the error case properly
rather than issuing BUG().
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
The sound drivers and the pnpbios core test for current->root != NULL. This
test seems to be unnecessary since we always have rootfs mounted before
initializing the drivers.
Signed-off-by: Jan Blunck <jblunck@suse.de>
Acked-by: Christoph Hellwig <hch@lst.de>
Cc: Bjorn Helgaas <bjorn.helgaas@hp.com>
Cc: Jaroslav Kysela <perex@suse.cz>
Acked-by: Takashi Iwai <tiwai@suse.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
This header file exists only for some hacks to adapt alsa-driver
tree. It's useless for building in the kernel. Let's move a few
lines in it to sound/core.h and remove it.
With this patch, sound/driver.h isn't removed but has just a single
compile warning to include it. This should be really killed in
future.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
|
|
proper headers
sound/core/seq: move declarations of globally visible variables to proper headers
Signed-off-by: Marcin Ślusarz <marcin.slusarz@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
|
|
Remove sequencer instrument layer from the tree.
This mechanism hasn't been used much with the actual devices. The only
reasonable user was OPL3 loader, and now it was rewritten to use hwdep
instead. So, let's remove the rest of rotten codes.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
|
|
Fix the various misspellings of "system", controller", "interrupt" and
"[un]necessary".
Signed-off-by: Robert P. J. Day <rpjday@mindspring.com>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
|
|
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
|
|
Replace schedule_timeout() with schedule_timeout_uninterruptible()
to avoid signals in loop.
Signed-off-by: Rene Herman <rene.herman@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
|
|
Check for a valid event type when encoding a system real-time message to
prevent the bytes F9 or FD resulting in an empty sequencer message.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
|
|
Reorganize the encoder logic to prevent status bytes that appear where
data bytes are expected from being interpreted as data bytes.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
|
|
Reset the event type after encoding a system message to prevent any
following data bytes from being interpreted as data for a running status
system message, which is not allowed in MIDI.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
|
|
Create a new state ST_INVALID for the encoder to prevent data bytes at
the beginning of a stream or after a sysex message being interpreted as
note-off parameters.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
|
|
This patch fixes:
1) a resource leak (CID: 1817)
2) various code cleanups
Signed-off-by: Eugene Teo <eugeneteo@kernel.sg>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
|
|
Fixed the invalid use of schedule_timeout_interruptible() without
checking pending signals. Simply replaced with schedule_timeout().
Suggestions thanks to Jeff Garzik.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
|
|
Transform some calls to kmalloc/memset to a single kzalloc (or kcalloc).
Here is a short excerpt of the semantic patch performing
this transformation:
@@
type T2;
expression x;
identifier f,fld;
expression E;
expression E1,E2;
expression e1,e2,e3,y;
statement S;
@@
x =
- kmalloc
+ kzalloc
(E1,E2)
... when != \(x->fld=E;\|y=f(...,x,...);\|f(...,x,...);\|x=E;\|while(...) S\|for(e1;e2;e3) S\)
- memset((T2)x,0,E1);
@@
expression E1,E2,E3;
@@
- kzalloc(E1 * E2,E3)
+ kcalloc(E1,E2,E3)
[akpm@linux-foundation.org: get kcalloc args the right way around]
Signed-off-by: Yoann Padioleau <padator@wanadoo.fr>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Acked-by: Russell King <rmk@arm.linux.org.uk>
Cc: Bryan Wu <bryan.wu@analog.com>
Acked-by: Jiri Slaby <jirislaby@gmail.com>
Cc: Dave Airlie <airlied@linux.ie>
Acked-by: Roland Dreier <rolandd@cisco.com>
Cc: Jiri Kosina <jkosina@suse.cz>
Acked-by: Dmitry Torokhov <dtor@mail.ru>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Acked-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Acked-by: Pierre Ossman <drzeus-list@drzeus.cx>
Cc: Jeff Garzik <jeff@garzik.org>
Cc: "David S. Miller" <davem@davemloft.net>
Acked-by: Greg KH <greg@kroah.com>
Cc: James Bottomley <James.Bottomley@steeleye.com>
Cc: "Antonino A. Daplas" <adaplas@pol.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
Remove includes of <linux/smp_lock.h> where it is not used/needed.
Suggested by Al Viro.
Builds cleanly on x86_64, i386, alpha, ia64, powerpc, sparc,
sparc64, and arm (all 59 defconfigs).
Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
After Al Viro (finally) succeeded in removing the sched.h #include in module.h
recently, it makes sense again to remove other superfluous sched.h includes.
There are quite a lot of files which include it but don't actually need
anything defined in there. Presumably these includes were once needed for
macros that used to live in sched.h, but moved to other header files in the
course of cleaning it up.
To ease the pain, this time I did not fiddle with any header files and only
removed #includes from .c-files, which tend to cause less trouble.
Compile tested against 2.6.20-rc2 and 2.6.20-rc2-mm2 (with offsets) on alpha,
arm, i386, ia64, mips, powerpc, and x86_64 with allnoconfig, defconfig,
allmodconfig, and allyesconfig as well as a few randconfigs on x86_64 and all
configs in arch/arm/configs on arm. I also checked that no new warnings were
introduced by the patch (actually, some warnings are removed that were emitted
by unnecessarily included header files).
Signed-off-by: Tim Schmielau <tim@physik3.uni-rostock.de>
Acked-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
Many struct file_operations in the kernel can be "const". Marking them const
moves these to the .rodata section, which avoids false sharing with potential
dirty data. In addition it'll catch accidental writes at compile time to
these shared resources.
Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
Fix possible rwsem deadlocks in sequencer code at removal of
sequencer ports. The list_lock of port group can be double
locked.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
|
|
This patch converts most uses of list_for_each to list_for_each_entry all
across alsa. In some place apparently an item can be on a list with
different pointers so of course that isn't compatible with list_for_each, I
therefore didn't touch those places.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
|
|
Use the roundup macro instead of manual calculations.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
|
|
Orignally proposed by Sam Revitch <sam.revitch@gmail.com>.
Unregister device files at disconnection to avoid the futher accesses.
Also, the dev_unregister callback is removed and replaced with the
combination of disconnect + free.
A new function snd_card_free_when_closed() is introduced, which is
used in USB disconnect callback.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
|
|
- Add the linked list to each proc entry to enable a single-shot
disconnection (unregister)
- Deprecate snd_info_unregister(), use snd_info_free_entry()
- Removed NULL checks of snd_info_free_entry()
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
|
|
sound: Conversions from kmalloc+memset to k(c|z)alloc.
Signed-off-by: Panagiotis Issaris <takis@issaris.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
|
|
The ops structure has complex locking rules, where not all ops are equal, some
are subordinate on others for some complex sound cards. This requires for
lockdep checking that each individual reg_mutex is considered in separation
for its locking rules.
Has no effect on non-lockdep kernels.
Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Takashi Iwai <tiwai@suse.de>
Cc: Jaroslav Kysela <perex@suse.cz>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
Teach special (recursive) locking code to the lock validator. Has no effect
on non-lockdep kernels.
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Cc: Takashi Iwai <tiwai@suse.de>
Cc: Jaroslav Kysela <perex@suse.cz>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
seq_ports.c::snd_seq_delete_all_ports() uses __list_add() to replace the
whole list entries. This results in BUG() with recent FC5 kernel due to
a sanity check in __list_add().
The patch fixes this misue of __list_add() by using standard macros
instead (although a bit more code is needed).
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
|
|
acquired (aquired)
contiguous (contigious)
successful (succesful, succesfull)
surprise (suprise)
whether (weather)
some other misspellings
Signed-off-by: Andreas Mohr <andi@lisas.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
|
|
Removed nested mutexes in the removal routine of port connections.
The port is guaranteed to be offline before calling it, so no mutex
is needed.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Removed zero-initializations of static variables.
A tiny optimization.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Add a get_port_info callback to the snd_rawmidi_global_ops structure to
allow the USB MIDI driver to supply information flags for the sequencer
ports created by seq_midi.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
|
|
Add four new information flags SNDRV_SEQ_PORT_TYPE_HARDWARE, _SOFTWARE,
_SYNTHESIZER, _PORT for sequencer ports. This makes it easier for apps
like Rosegarden to make policy decisions based on the port type.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
|
|
Remove unneeded read/write_size fields in proc text ops.
snd_info_set_text_ops() is fixed, too.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
