- Feb 15, 2018
-
-
Insun Song authored
completely replaced by wl_cfgvendor_get_feature_set_matrix and it's not used anymore.
Signed-off-by: Insun Song <insun.song@broadcom.com>
Signed-off-by: Siqi Lin <siqilin@google.com>
Bug: 71359108
Change-Id: Iaf6f99842e2925202a800f96330a182f3481f114
-
Erik Staats authored
Merge "net: wireless: bcmdhd: fix integer overflow in wl_get_assoc_ies" into android-chromeos-dragon-3.18
-
Erik Staats authored
-
Erik Staats authored
-
Erik Staats authored
Merge "UPSTREAM: KEYS: encrypted: fix buffer overread in valid_master_desc()" into android-chromeos-dragon-3.18
-
- Feb 14, 2018
-
-
Insun Song authored
An integer overflow case was found where a signed integer variable is converted to an unsigned one without proper bounds checking. This would then result in kernel memory corruption by an OOB write.
Signed-off-by: Insun Song <insun.song@broadcom.com>
Bug: 70722061
Change-Id: Idb1aa16ae1bae9c3f601e6688cd263fa95a93bdf
-
- Feb 13, 2018
-
-
Jonathan Solnit authored
[ Upstream commit 8f659a03a0ba9289b9aeb9b4470e6fb263d6f483 ]
inet->hdrincl is racy, and could lead to uninitialized stack pointer usage, so its value should be read only once.
Bug: 71500434
Change-Id: I4a8394725f3ef893311121b18a0e5b2f44124b1f
Fixes: c008ba5bdc9f ("ipv4: Avoid reading user iov twice after raw_probe_proto_opt")
Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jonathan Solnit <jsolnit@google.com>
-
Marissa Wall authored
Andrey Konovalov reported a possible out-of-bounds problem for the cdc_parse_cdc_header function. He writes:
It looks like cdc_parse_cdc_header() doesn't validate buflen before accessing buffer[1], buffer[2] and so on. The only check present is while (buflen > 0).
So fix this issue up by properly validating the buffer length matches what the descriptor says it is.
(cherry picked from commit 2e1c42391ff2556387b3cb6308b24f6f65619feb)
(The original patch fixed the generic cdc_parser_cdc_header function. That generic function did not exist in 3.18 but there are a couple cdc parsers that suffer from the same underlying problem.)
Bug: 69052594
Change-Id: Iae9859f5071c6d4638dfd44e106baeb22bf338a1
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Marissa Wall <marissaw@google.com>
-
Nicolai Stange authored
commit 9561475db680f7144d2223a409dd3d7e322aca03 upstream.
The driver_override implementation is susceptible to a race condition when different threads are reading vs. storing a different driver override. Add locking to avoid the race condition.
This is in close analogy to commit 6265539776a0 ("driver core: platform: fix race condition with driver_override") from Adrian Salido.
Fixes: 782a985d ("PCI: Introduce new device binding path using pci_dev.driver_override")
Bug: 69128924
Signed-off-by: Nicolai Stange <nstange@suse.de>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: Ia94b26300792c82cd1a7b2d4b5841ec52ee8317f
-
Eric Biggers authored
With the 'encrypted' key type it was possible for userspace to provide a data blob ending with a master key description shorter than expected, e.g. 'keyctl add encrypted desc "new x" @s'. When validating such a master key description, validate_master_desc() could read beyond the end of the buffer. Fix this by using strncmp() instead of memcmp(). [Also clean up the code to deduplicate some logic.]
Cc: linux-stable <stable@vger.kernel.org> # 3.18.y
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Bug: 70526974
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Jin Qian <jinqian@google.com>
Signed-off-by: Steve Pfetsch <spfetsch@google.com>
Change-Id: I2cc3af94f855e66f2014dd1dced4425ed8a41f29
(cherry picked from commit 794b4bc292f5d31739d89c0202c54e7dc9bc3add)
-
- Jan 11, 2018
-
-
Wei Wang authored
-
Erik Staats authored
Merge "UPSTREAM: ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor" into android-chromeos-dragon-3.18
-
- Jan 10, 2018
-
-
Takashi Iwai authored
commit bfc81a8bc18e3c4ba0cbaa7666ff76be2f998991
When a USB-audio device receives a maliciously adjusted or corrupted buffer descriptor, the USB-audio driver may access an out-of-bounds value at its parser. This was detected by syzkaller, something like:
BUG: KASAN: slab-out-of-bounds in usb_audio_probe+0x27b2/0x2ab0
Read of size 1 at addr ffff88006b83a9e8 by task kworker/0:1/24
CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc1-42251-gebb2c2437d80 #224
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:16
 dump_stack+0x292/0x395 lib/dump_stack.c:52
 print_address_description+0x78/0x280 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351
 kasan_report+0x22f/0x340 mm/kasan/report.c:409
 __asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
 snd_usb_create_streams sound/usb/card.c:248
 usb_audio_probe+0x27b2/0x2ab0 sound/usb/card.c:605
 usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
 generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
 usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
 hub_port_connect drivers/usb/core/hub.c:4903
 hub_port_connect_change drivers/usb/core/hub.c:5009
 port_event drivers/usb/core/hub.c:5115
 hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
 process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
 worker_thread+0x221/0x1850 kernel/workqueue.c:2253
 kthread+0x3a1/0x470 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
This patch adds the checks of out-of-bounds accesses at appropriate places and bails out when it goes out of the given buffer.
Bug: 69051731
Change-Id: If4bed53e824123f7dc2df2cf0ec9ce98560cf259
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
- Jan 09, 2018
-
-
Jonathan Solnit authored
commit bd7a3fe770ebd8391d1c7d072ff88e9e76d063eb
Andrey Konovalov reported a possible out-of-bounds problem for a USB interface association descriptor. He writes:
It seems there's no proper size check of a USB_DT_INTERFACE_ASSOCIATION descriptor. It's only checked that the size is >= 2 in usb_parse_configuration(), so find_iad() might do out-of-bounds access to intf_assoc->bInterfaceCount.
And he's right, we don't check for crazy descriptors of this type very well, so resolve this problem. Yet another issue found by syzkaller...
Bug: 69052055
Change-Id: I2cc3b5a66d16abd0fc567d69457fc90a45eb12d8
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jonathan Solnit <jsolnit@google.com>
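The Feb 13 cdc_parse_cdc_header entry and the Jan 09 interface association descriptor entry above describe the same parser mistake: a loop over USB descriptors that trusts the descriptor's own bLength and reads fields without checking them against the bytes actually left in the buffer. The following is an added example, not the kernel's code or either patch: a small walker over a configuration blob written both ways, with constructed descriptor bytes and hypothetical result codes (DESC_TRUNCATED and friends are this example's own, not errno values). The unchecked walker is run only against a buffer that is deliberately padded with sentinel bytes, so its over-read stays inside allocated memory here; against a real allocation it would not.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Real USB descriptor type value for an Interface Association Descriptor. */
#define USB_DT_INTERFACE_ASSOCIATION 0x0b
/* Offset of bInterfaceCount inside an IAD: bLength, bDescriptorType,
 * bFirstInterface, bInterfaceCount, ... */
#define IAD_OFF_INTERFACE_COUNT 3

/* Hypothetical result codes for this example (not kernel errno values). */
enum { DESC_TRUNCATED = -1, DESC_BAD_LENGTH = -2, DESC_NOT_FOUND = -3 };

/*
 * Unchecked walker, kept for contrast: the shape of the flaw the entries
 * describe. It only tests buflen > 0 and then trusts bLength, so an IAD
 * whose bLength is 2 still has its byte 3 read.
 */
int iad_count_unchecked(const uint8_t *buf, size_t buflen)
{
    while (buflen > 0) {
        uint8_t len = buf[0];
        if (buf[1] == USB_DT_INTERFACE_ASSOCIATION)
            return buf[IAD_OFF_INTERFACE_COUNT];   /* no check that len > 3 */
        if (len == 0 || len > buflen)
            break;
        buf += len;
        buflen -= len;
    }
    return DESC_NOT_FOUND;
}

/*
 * Checked walker: returns bInterfaceCount (0..255) of the first IAD or a
 * negative code. Every field read is covered both by the bytes actually
 * remaining and by the descriptor's own declared bLength, which is the
 * check the fixes above add.
 */
int iad_count_checked(const uint8_t *buf, size_t buflen)
{
    while (buflen >= 2) {                   /* need bLength and bDescriptorType */
        uint8_t len = buf[0];
        uint8_t type = buf[1];

        if (len < 2)                        /* would never advance: reject */
            return DESC_BAD_LENGTH;
        if (len > buflen)                   /* header claims bytes we do not have */
            return DESC_TRUNCATED;
        if (type == USB_DT_INTERFACE_ASSOCIATION) {
            if (len <= IAD_OFF_INTERFACE_COUNT)   /* field outside this descriptor */
                return DESC_TRUNCATED;
            return buf[IAD_OFF_INTERFACE_COUNT];
        }
        buf += len;
        buflen -= len;
    }
    return buflen == 0 ? DESC_NOT_FOUND : DESC_TRUNCATED;
}

/* Constructed sample descriptors (not captured from a device). */
static const uint8_t good_cfg[] = {
    9, 0x04, 0, 0, 2, 0xff, 0, 0, 0,                      /* interface descriptor */
    8, USB_DT_INTERFACE_ASSOCIATION, 0, 2, 0xff, 0, 0, 0, /* IAD, bInterfaceCount 2 */
};

/* Truncated IAD: bLength 2, and the blob ends right after it (TRUNC_LEN).
 * The 0xee bytes lie past the declared length and stand in for whatever
 * happens to follow the allocation. */
#define TRUNC_LEN 11
static const uint8_t trunc_backing[] = {
    9, 0x04, 0, 0, 2, 0xff, 0, 0, 0,
    2, USB_DT_INTERFACE_ASSOCIATION,
    0xee, 0xee, 0xee, 0xee,
};

static const uint8_t zero_len[] = { 0, 0x04, 0, 0 };

int main(void)
{
    printf("good, checked:         %d\n", iad_count_checked(good_cfg, sizeof good_cfg));
    printf("truncated, unchecked:  %d (sentinel read as count)\n",
           iad_count_unchecked(trunc_backing, TRUNC_LEN));
    printf("truncated, checked:    %d\n", iad_count_checked(trunc_backing, TRUNC_LEN));
    printf("zero bLength, checked: %d\n", iad_count_checked(zero_len, sizeof zero_len));
    return 0;
}
```

The two conditions in the checked walker are independent: `len > buflen` catches a descriptor that claims more bytes than the buffer holds, and `len <= IAD_OFF_INTERFACE_COUNT` catches a descriptor that fits in the buffer but is too short to contain the field being read. A parser needs both; the second is the one the IAD fix above was missing.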
-
- Jan 08, 2018
-
-
Takashi Iwai authored
commit 124751d5e63c823092060074bd0abaae61aaa9c4 upstream.
USB-audio driver may leave a stray URB for the mixer interrupt when it exits by some error during probe. This leads to a use-after-free error as spotted by syzkaller like:
==================================================================
BUG: KASAN: use-after-free in snd_usb_mixer_interrupt+0x604/0x6f0
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:16
 dump_stack+0x292/0x395 lib/dump_stack.c:52
 print_address_description+0x78/0x280 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351
 kasan_report+0x23d/0x350 mm/kasan/report.c:409
 __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
 snd_usb_mixer_interrupt+0x604/0x6f0 sound/usb/mixer.c:2490
 __usb_hcd_giveback_urb+0x2e0/0x650 drivers/usb/core/hcd.c:1779
 ....
Allocated by task 1484:
 save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
 kmem_cache_alloc_trace+0x11e/0x2d0 mm/slub.c:2772
 kmalloc ./include/linux/slab.h:493
 kzalloc ./include/linux/slab.h:666
 snd_usb_create_mixer+0x145/0x1010 sound/usb/mixer.c:2540
 create_standard_mixer_quirk+0x58/0x80 sound/usb/quirks.c:516
 snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560
 create_composite_quirk+0x1c4/0x3e0 sound/usb/quirks.c:59
 snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560
 usb_audio_probe+0x1040/0x2c10 sound/usb/card.c:618
 ....
Freed by task 1484:
 save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459
 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524
 slab_free_hook mm/slub.c:1390
 slab_free_freelist_hook mm/slub.c:1412
 slab_free mm/slub.c:2988
 kfree+0xf6/0x2f0 mm/slub.c:3919
 snd_usb_mixer_free+0x11a/0x160 sound/usb/mixer.c:2244
 snd_usb_mixer_dev_free+0x36/0x50 sound/usb/mixer.c:2250
 __snd_device_free+0x1ff/0x380 sound/core/device.c:91
 snd_device_free_all+0x8f/0xe0 sound/core/device.c:244
 snd_card_do_free sound/core/init.c:461
 release_card_device+0x47/0x170 sound/core/init.c:181
 device_release+0x13f/0x210 drivers/base/core.c:814
 ....
Actually such a URB is killed properly at disconnection when the device gets probed successfully, and what we need is to apply it for the error-path, too. In this patch, we apply snd_usb_mixer_disconnect() at releasing. Also introduce a new flag, disconnected, to struct usb_mixer_interface for not performing the disconnection procedure twice.
Bug: 69051382
Change-Id: Ibe5b1f714cd304cfefcd736d0bcfc168c54f8a48
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Marissa Wall <marissaw@google.com>
-
- Jan 04, 2018
-
-
Daniel Rosenberg authored
The default_normal option causes mounts with the gid set to AID_SDCARD_RW to have user specific gids, as in the normal case.
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Change-Id: I9619b8ac55f41415df943484dc8db1ea986cef6f
Bug: 64672411
-
Daniel Rosenberg authored
fsnotify_open is not called within dentry_open, so we need to call it ourselves.
Change-Id: Ia7f323b3d615e6ca5574e114e8a5d7973fb4c119
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Bug: 70706497
-
- Dec 06, 2017
-
-
Chenbo Feng authored
When multiple threads are trying to tag/delete the same socket at the same time, there is a chance that the tag_ref_entry of the target socket is null before the uid_tag_data entry is freed. It is caused by the ctrl_cmd_tag function, which doesn't correctly grab the spinlocks when tagging a socket.
Signed-off-by: Chenbo Feng <fengc@google.com>
Bug: 65853158
Change-Id: I5d89885918054cf835370a52bff2d693362ac5f0
-
Takashi Iwai authored
commit 71105998845fb012937332fe2e806d443c09e026 upstream.
There is a potential race window opened at creating and deleting a port via ioctl, as spotted by fuzzing. snd_seq_create_port() creates a port object and returns its pointer, but it doesn't take the refcount, thus it can be deleted immediately by another thread. Meanwhile, snd_seq_ioctl_create_port() still calls the function snd_seq_system_client_ev_port_start() with the created port object that is being deleted, and this triggers use-after-free like:
BUG: KASAN: use-after-free in snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] at addr ffff8801f2241cb1
=============================================================================
BUG kmalloc-512 (Tainted: G B ): kasan: bad access detected
-----------------------------------------------------------------------------
INFO: Allocated in snd_seq_create_port+0x94/0x9b0 [snd_seq] age=1 cpu=3 pid=4511
 ___slab_alloc+0x425/0x460
 __slab_alloc+0x20/0x40
 kmem_cache_alloc_trace+0x150/0x190
 snd_seq_create_port+0x94/0x9b0 [snd_seq]
 snd_seq_ioctl_create_port+0xd1/0x630 [snd_seq]
 snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
 snd_seq_ioctl+0x40/0x80 [snd_seq]
 do_vfs_ioctl+0x54b/0xda0
 SyS_ioctl+0x79/0x90
 entry_SYSCALL_64_fastpath+0x16/0x75
INFO: Freed in port_delete+0x136/0x1a0 [snd_seq] age=1 cpu=2 pid=4717
 __slab_free+0x204/0x310
 kfree+0x15f/0x180
 port_delete+0x136/0x1a0 [snd_seq]
 snd_seq_delete_port+0x235/0x350 [snd_seq]
 snd_seq_ioctl_delete_port+0xc8/0x180 [snd_seq]
 snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
 snd_seq_ioctl+0x40/0x80 [snd_seq]
 do_vfs_ioctl+0x54b/0xda0
 SyS_ioctl+0x79/0x90
 entry_SYSCALL_64_fastpath+0x16/0x75
Call Trace:
 [<ffffffff81b03781>] dump_stack+0x63/0x82
 [<ffffffff81531b3b>] print_trailer+0xfb/0x160
 [<ffffffff81536db4>] object_err+0x34/0x40
 [<ffffffff815392d3>] kasan_report.part.2+0x223/0x520
 [<ffffffffa07aadf4>] ? snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
 [<ffffffff815395fe>] __asan_report_load1_noabort+0x2e/0x30
 [<ffffffffa07aadf4>] snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
 [<ffffffffa07aa8f0>] ? snd_seq_ioctl_delete_port+0x180/0x180 [snd_seq]
 [<ffffffff8136be50>] ? taskstats_exit+0xbc0/0xbc0
 [<ffffffffa07abc5c>] snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
 [<ffffffffa07abd10>] snd_seq_ioctl+0x40/0x80 [snd_seq]
 [<ffffffff8136d433>] ? acct_account_cputime+0x63/0x80
 [<ffffffff815b515b>] do_vfs_ioctl+0x54b/0xda0
 .....
We may fix this in a few different ways, and in this patch, it's fixed simply by taking the refcount properly at snd_seq_create_port() and letting the caller unref the object after use. Also, there is another potential use-after-free by sprintf() call in snd_seq_create_port(), and this is moved inside the lock.
This fix covers CVE-2017-15265.
Reported-and-tested-by: Michael23 Yu <ycqzsy@gmail.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Siqi Lin <siqilin@google.com>
Bug: 67900971
Change-Id: Id29492065ff11927db7c0c1f50288f07a52e9823
-
- Nov 30, 2017
-
-
Paul Lawrence authored
Based on upstream change 06ebb06d
One more instance when the caller requests 0 bytes instead of running off and dereferencing potentially invalid iovecs.
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Bug: 36279469
Change-Id: Ib8d529e17c07c77357ab70bd6a2d7e305d6b27f0
-
- Nov 09, 2017
-
-
Greg Hackmann authored
Bug: 68266545
Change-Id: Ibdb1fd768b748002b90bfc165612c12c8311f8a2
-
Greg Hackmann authored
Bug: 68266545
Change-Id: I6005a6e944494257bfc2243fde2f7a09c3fd76c6
-
Marc Zyngier authored
We now trap accesses to CNTVCT_EL0 when the counter is broken enough to require the kernel to mediate the access. But it turns out that some existing userspace (such as OpenMPI) does probe for the counter frequency, leading to an UNDEF exception as CNTVCT_EL0 and CNTFRQ_EL0 share the same control bit.
The fix is to handle the exception the same way we do for CNTVCT_EL0.
Bug: 68266545
Fixes: a86bd139f2ae ("arm64: arch_timer: Enable CNTVCT_EL0 trap if workaround is enabled")
Reported-by: Hanjun Guo <guohanjun@huawei.com>
Tested-by: Hanjun Guo <guohanjun@huawei.com>
Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
(cherry picked from commit 9842119a238bfb92cbab63258dabb54f0e7b111b)
Change-Id: I1bde5dc8f2fbdc94f66bc6606b88ad1817788080
-
Marc Zyngier authored
Since people seem to make a point in breaking the userspace visible counter, we have no choice but to trap the access. Add the required handler.
Bug: 68266545
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
(cherry picked from commit 6126ce0588eb5a0752d5c8b5796a7fca324fd887)
Change-Id: I0705f47c85a78040df38df18f51a4a22500b904d
-
Mark Rutland authored
Rather than crafting custom macros for reading/writing each system register, provide generic accessors, read_sysreg and write_sysreg, for this purpose.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Cc: Suzuki Poulose <suzuki.poulose@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Bug: 31432001
Bug: 68266545
Change-Id: I4ecb62f47fa25727e55f8d7a0349c1e24f915832
(cherry picked from commit 3600c2fdc09a43a30909743569e35a29121602ed)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
-
- Oct 31, 2017
-
-
Herbert Xu authored
commit 4f0414e54e4d1893c6f08260693f8ef84c929293 upstream.
We need to load the TX SG list in sendmsg(2) after waiting for incoming data, not before.
Bug: 64386293
Change-Id: Ibb0b7969ee1df314b49462ecd65ce381118d915d
Cc: stable@vger.kernel.org
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Siqi Lin <siqilin@google.com>
-
- Oct 30, 2017
-
-
Insun Song authored
The issue is triggered by maliciously crafted user Net-Link input which injects multiple BSSID count attributes within one loop. Eventually, it exceeds the boundary of the previously allocated local buffer. The fix is adding a check not to change the BSSID count while looping.
Bug: 63374465
Change-Id: I8d2409e3c5435f325ed8dc230d11db4db455f722
Signed-off-by: Insun Song <insun.song@broadcom.com>
-
TreeHugger Robot authored
Merge "CHROMIUM: nouveau: adjust gem reference count for ioctl map/unmap" into android-chromeos-dragon-3.18
-
- Oct 24, 2017
-
-
Vinay Kalia authored
Avoid potential write of 51 bytes into a 50-byte buffer.
Bug: 64709938
Change-Id: I06e6dbe8cde3dadae1e3856b0df5b020a9ed31f7
Signed-off-by: Jianqiang Zhao <zhaojianqiang1@gmail.com>
-
- Oct 13, 2017
-
-
Al Viro authored
commit: 49d31c2f389acfe83417083e1208422b4091cd9e upstream.
take_dentry_name_snapshot() takes a safe snapshot of dentry name; if the name is a short one, it gets copied into caller-supplied structure, otherwise an extra reference to external name is grabbed (those are never modified). In either case the pointer to stable string is stored into the same structure.
dentry must be held by the caller of take_dentry_name_snapshot(), but may be freely dropped afterwards - the snapshot will stay until destroyed by release_dentry_name_snapshot().
Intended use:
	struct name_snapshot s;
	take_dentry_name_snapshot(&s, dentry);
	...
	access s.name
	...
	release_dentry_name_snapshot(&s);
Replaces fsnotify_oldname_...(), gets used in fsnotify to obtain the name to pass down with event.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 63689921
Change-Id: I2909171089500f607152d6dba2607c5d1d1f64b8
-
David Howells authored
[ Upstream commit: 155e35d4daa804582f75acaa2c74ec797a89c615 ]
Introduce some function for getting the inode (and also the dentry) in an environment where layered/unioned filesystems are in operation.
The problem is that we have places where we need *both* the union dentry and the lower source or workspace inode or dentry available, but we can only have a handle on one of them. Therefore we need to derive the handle to the other from that.
The idea is to introduce an extra field in struct dentry that allows the union dentry to refer to and pin the lower dentry.
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Bug: 63689921
Change-Id: I5cc015a7e3238dcd1b992d7e19a2361a73364bd4
-
- Oct 12, 2017
-
-
Kary Jin authored
The reference count of the gem object should not be increased after calling "nouveau_gem_ioctl_map", and then "nouveau_gem_ioctl_unmap" does not have to decrease the reference count of the gem object.
Bug: 37770951
Change-Id: I847fa3b201d5a32918066bd8f8678d542fdd8502
Signed-off-by: Kary Jin <karyj@nvidia.com>
-
- Sep 27, 2017
-
-
Jerry Zhang authored
If the user passes in a negative file size in an int64, this will compare to be smaller than the buffer length, and it will get truncated to form a read length that is larger than the buffer length. To fix, return -EINVAL if the count argument is negative, so the loop will never happen.
Bug: 37429972
Test: Test with PoC
Change-Id: I5d52e38e6fbe2c17eb8c493f9eb81df6cfd780a4
Signed-off-by: Jerry Zhang <zhangjerry@google.com>
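The Feb 14 bcmdhd entry (a signed integer converted to unsigned without bounds checking, ending in an OOB write) and the Sep 27 entry just above (a negative int64 count that passes a "smaller than the buffer" comparison and is then truncated into an oversized read length) are two instances of one bug class. The following is an added example, not the kernel's code or either patch, that shows the arithmetic behind both and the fix the Sep 27 entry describes: reject negative counts before any conversion. BUF_LEN, the function names and the sample buffers are this example's own; EINVAL is defined locally so the file builds in userspace. The vulnerable lengths are returned rather than used so that nothing is actually overrun.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EINVAL  22      /* same value as the kernel's; local so this runs in userspace */
#define BUF_LEN 64      /* hypothetical fixed buffer size */

/*
 * Vulnerable shape. The bound is applied in signed arithmetic, so a
 * negative count compares "smaller than the buffer" and survives the
 * clamp; the conversion to size_t then turns it into a huge length.
 */
size_t vulnerable_len(int64_t count)
{
    int64_t len = count < BUF_LEN ? count : BUF_LEN;
    return (size_t)len;                 /* -1 -> SIZE_MAX */
}

/* Same mistake through a narrower unsigned type: the truncation the
 * Sep 27 entry mentions. */
uint32_t vulnerable_len32(int64_t count)
{
    int64_t len = count < BUF_LEN ? count : BUF_LEN;
    return (uint32_t)len;               /* -1 -> 0xffffffff */
}

/* Fixed shape: reject negative counts before any conversion, then clamp. */
int fixed_len(int64_t count, size_t *len)
{
    if (count < 0)
        return -EINVAL;
    *len = count < BUF_LEN ? (size_t)count : (size_t)BUF_LEN;
    return 0;
}

/* Copy through the fixed path. Returns bytes copied or -EINVAL. Using
 * vulnerable_len() here instead would hand memcpy() a length far beyond
 * dst, which is the OOB write the Feb 14 entry names. */
int copy_checked(uint8_t *dst, const uint8_t *src, int64_t count)
{
    size_t len;
    int rc = fixed_len(count, &len);
    if (rc)
        return rc;
    memcpy(dst, src, len);
    return (int)len;
}

/* 1 if the vulnerable length would run past the buffer, else 0. */
int vulnerable_overruns(int64_t count)
{
    return vulnerable_len(count) > BUF_LEN;
}

/* Constructed buffers for the demo (no real data). */
static uint8_t sample_src[128] = { 0xaa };
static uint8_t sample_dst[BUF_LEN];

int demo_copy(int64_t count)
{
    return copy_checked(sample_dst, sample_src, count);
}

int main(void)
{
    printf("count -1:   vulnerable len %zu, len32 %u, overruns %d, checked rc %d\n",
           vulnerable_len(-1), (unsigned)vulnerable_len32(-1),
           vulnerable_overruns(-1), demo_copy(-1));
    printf("count 16:   vulnerable len %zu, checked copied %d\n",
           vulnerable_len(16), demo_copy(16));
    printf("count 1000: vulnerable len %zu, checked copied %d\n",
           vulnerable_len(1000), demo_copy(1000));
    return 0;
}
```

The clamp in the vulnerable versions is not wrong for positive counts, which is why this class survives testing with ordinary inputs; only a negative value exposes it, and the check must come before the value reaches any unsigned type.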
-
- Sep 25, 2017
-
-
Gwendal Grignou authored
When interrupted by EC, we normally wake up and interrupt suspend. However, when suspending, we should not abort suspend because of sensor events: the EC sensor stack does not know yet that we are suspending, and interrupts are sent very often. We are losing significant motion interrupts, but suspending is a short window.
BUG=b:25425420
TEST=Check we are entering suspend.
Change-Id: I60fc031a70535ababe28d62e5dffd548752078a0
Signed-off-by: Gwendal Grignou <gwendal@chromium.org>
-
Adrian Salido authored
Merge changes Iad4f1a09,I79e8929c,I81557024,I6962e334,Icbc3b258, ... into android-chromeos-dragon-3.18
* changes:
  ALSA: timer: Call notifier in the same spinlock
  ALSA: timer: Fix race between stop and interrupt
  ALSA: timer: Fix link corruption due to double start or stop
  ALSA: timer: Code cleanup
  ALSA: timer: Fix race between read and ioctl
  ALSA: timer: Fix race at concurrent reads
  ALSA: timer: Handle disconnection more safely
  ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT
  ALSA: timer: Fix leak in events via snd_timer_user_ccallback
  ALSA: timer: Fix wrong instance passed to slave callbacks
-
Kary Jin authored
Check the path_nr before passing it into nvkm_ioctl_path to avoid the out-of-bound issue.
Bug: 63851980
Change-Id: Ida06ef6218b914df0794a7431b9679c916988f33
Signed-off-by: Kary Jin <karyj@nvidia.com>
-
- Sep 21, 2017
-
-
Takashi Iwai authored
[ Upstream commit f65e0d299807d8a11812845c972493c3f9a18e10 ]
snd_timer_notify1() is called outside the spinlock and it retakes the lock after the unlock. This is rather racy, and it's safer to move snd_timer_notify() call inside the main spinlock.
The patch also contains a slight refactoring / cleanup of the code. Now all start/stop/continue/pause look more symmetric and a bit better readable.
Change-Id: Iad4f1a096f02cd6fc7411197cc9307c917fc07d8
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
-
Takashi Iwai authored
[ Upstream commit ed8b1d6d2c741ab26d60d499d7fbb7ac801f0f51 ]
A slave timer element also unlinks at snd_timer_stop() but it takes only slave_active_lock. When a slave is assigned to a master, however, this may become a race against the master's interrupt handling, eventually resulting in a list corruption. The actual bug could be seen with a syzkaller fuzzer test case in BugLink below.
As a fix, we need to take timeri->timer->lock when timer isn't NULL, i.e. assigned to a master, while the assignment to a master itself is protected by slave_active_lock.
Change-Id: I79e8929cb3fe9000b13ee16053fcc0467342deb0
BugLink: http://lkml.kernel.org/r/CACT4Y+Y_Bm+7epAb=8Wi=AaWd+DYS7qawX52qxdCfOfY49vozQ@mail.gmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
-
Takashi Iwai authored
[ Upstream commit f784beb75ce82f4136f8a0960d3ee872f7109e09 ]
Although ALSA timer code got hardening for races, it still causes use-after-free error. This is however rather a corrupted linked list, not actually the concurrent accesses. Namely, when timer start is triggered twice, list_add_tail() is called twice, too. This ends up with the link corruption and triggers KASAN error.
The simplest fix would be replacing list_add_tail() with list_move_tail(), but fundamentally it's the problem that we don't check the double start/stop correctly. So, the right fix here is to add the proper checks to snd_timer_start() and snd_timer_stop() (and their variants).
Change-Id: I815570244468ced4a7a8b525763b2853412eb1bb
BugLink: http://lkml.kernel.org/r/CACT4Y+ZyPRoMQjmawbvmCEDrkBD2BQuH7R09=eOkf5ESK8kJAw@mail.gmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
-
Takashi Iwai authored
[ Upstream commit c3b1681375dc6e71d89a3ae00cc3ce9e775a8917 ]
This is a minor code cleanup without any functional changes:
- Kill keep_flag argument from _snd_timer_stop(), as all callers only pass it false.
- Remove redundant NULL check in _snd_timer_stop().
Change-Id: I6962e334136372b3dfd909e4f31f24c076459912
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
-