<feed xmlns='http://www.w3.org/2005/Atom'>
<title>xavi/android_kernel_m2note/sound/core/timer.c, branch o-8.1</title>
<id>https://gitea.privatedns.org/xavi/android_kernel_m2note/atom?h=o-8.1</id>
<link rel='self' href='https://gitea.privatedns.org/xavi/android_kernel_m2note/atom?h=o-8.1'/>
<link rel='alternate' type='text/html' href='https://gitea.privatedns.org/xavi/android_kernel_m2note/'/>
<updated>2018-11-29T17:33:27+00:00</updated>
<entry>
<title>sound: core: fix warning: this 'if' clause does not guard...</title>
<updated>2018-11-29T17:33:27+00:00</updated>
<author>
<name>Moyster</name>
<email>oysterized@gmail.com</email>
</author>
<published>2018-11-29T12:51:22+00:00</published>
<link rel='alternate' type='text/html' href='https://gitea.privatedns.org/xavi/android_kernel_m2note/commit/?id=9ce6e638fac54599a8cdf893ea5e7236d989a46d'/>
<id>urn:sha1:9ce6e638fac54599a8cdf893ea5e7236d989a46d</id>
<content type='text'>
[-Wmisleading-indentation] in function 'snd_timer_user_read'

/home/oyster/Github/android_kernel_m2note/sound/core/timer.c: In function 'snd_timer_user_read':
/home/oyster/Github/android_kernel_m2note/sound/core/timer.c:1986:4: warning: this 'if' clause does not guard... [-Wmisleading-indentation]
    if (copy_to_user(buffer, &amp;tu-&gt;tqueue[qhead],
    ^~
/home/oyster/Github/android_kernel_m2note/sound/core/timer.c:1989:5: note: ...this statement, but the latter is misleadingly indented as if it is guarded by the 'if'
     err = -EFAULT;
     ^~~
/home/oyster/Github/android_kernel_m2note/sound/core/timer.c:1991:4: warning: this 'if' clause does not guard... [-Wmisleading-indentation]
    if (copy_to_user(buffer, &amp;tu-&gt;queue[qhead],
    ^~
/home/oyster/Github/android_kernel_m2note/sound/core/timer.c:1994:5: note: ...this statement, but the latter is misleadingly indented as if it is guarded by the 'if'
     err = -EFAULT;
     ^~~
</content>
</entry>
<entry>
<title>UPSTREAM: ALSA: timer: Call notifier in the same spinlock</title>
<updated>2017-12-08T16:55:35+00:00</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2016-02-10T11:47:03+00:00</published>
<link rel='alternate' type='text/html' href='https://gitea.privatedns.org/xavi/android_kernel_m2note/commit/?id=e88a0189ebc303b4e8596d501f50a4d1732be947'/>
<id>urn:sha1:e88a0189ebc303b4e8596d501f50a4d1732be947</id>
<content type='text'>
snd_timer_notify1() is called outside the spinlock and it retakes the
lock after the unlock.  This is rather racy, and it's safer to move
the snd_timer_notify() call inside the main spinlock.

The patch also contains a slight refactoring / cleanup of the code.
Now all start/stop/continue/pause look more symmetric and a bit more
readable.

Bug: 37240993
Change-Id: Ib90099f88c8b04928a8cdd2808cd9e16da6d519c
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
Signed-off-by: Siqi Lin &lt;siqilin@google.com&gt;
</content>
</entry>
<entry>
<title>BACKPORT: ALSA: timer: Fix race at concurrent reads</title>
<updated>2017-12-08T16:52:14+00:00</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2016-02-08T16:26:58+00:00</published>
<link rel='alternate' type='text/html' href='https://gitea.privatedns.org/xavi/android_kernel_m2note/commit/?id=dc752c9ff0fc1685879a43ce65e1e418044c4b5b'/>
<id>urn:sha1:dc752c9ff0fc1685879a43ce65e1e418044c4b5b</id>
<content type='text'>
snd_timer_user_read() has a potential race among parallel reads, as
qhead and qused are updated outside the critical section due to
copy_to_user() calls.  Move them into the critical section, and also
sanitize the relevant code a bit.

Bug: 37240993
Change-Id: I7358a57638ef23eb7f97341eaee1f0dd4ba2795a
Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
Signed-off-by: Siqi Lin &lt;siqilin@google.com&gt;
(cherry picked from commit 4dff5c7b7093b19c19d3a100f8a3ad87cb7cd9e7)
</content>
</entry>
<entry>
<title>BACKPORT: ALSA: timer: Handle disconnection more safely</title>
<updated>2017-12-08T16:44:08+00:00</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2016-01-21T16:19:31+00:00</published>
<link rel='alternate' type='text/html' href='https://gitea.privatedns.org/xavi/android_kernel_m2note/commit/?id=811c2b00bf0c47bae81cd43cfb5816a0b59f3b7c'/>
<id>urn:sha1:811c2b00bf0c47bae81cd43cfb5816a0b59f3b7c</id>
<content type='text'>
[ Upstream commit 230323dac060123c340cf75997971145a42661ee ]

Currently the ALSA timer device doesn't take the disconnection into
account very well; it merely unlinks the timer device at the disconnection
callback but does nothing else.  Because of this, when an application
accessing the timer device is disconnected, it may release the
resource before actually being closed.  In most cases, it results in a
warning message indicating a leftover timer instance like:
   ALSA: timer xxxx is busy?
But basically this is an open race.

This patch tries to address it.  The strategy is like other ALSA
devices: namely,
- Manage card's refcount at each open/close
- Wake up the pending tasks at disconnection
- Check the shutdown flag appropriately at each possible call

Note that this patch has one ugly hack to handle the wakeup of pending
tasks.  It'd be cleaner to introduce a new disconnect op to
snd_timer_instance ops.  But since it would lead to internal ABI
breakage and would eventually increase my own work when backporting to
stable kernels, I took a different path to implement it locally in
timer.c.  A cleanup patch will follow next for the 4.5 kernel.

Bug: 37240993
Change-Id: I05c7f0e7d28b63fc343091f800ceae9ec2afe4a4
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=109431
Cc: &lt;stable@vger.kernel.org&gt; # v3.15+
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
Signed-off-by: Siqi Lin &lt;siqilin@google.com&gt;
(cherry picked from commit 230323dac060123c340cf75997971145a42661ee)
</content>
</entry>
<entry>
<title>UPSTREAM: ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT</title>
<updated>2017-12-08T16:38:32+00:00</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2017-06-02T15:26:56+00:00</published>
<link rel='alternate' type='text/html' href='https://gitea.privatedns.org/xavi/android_kernel_m2note/commit/?id=df841abcac737c53ebbfde186c7b8b75cfac10db'/>
<id>urn:sha1:df841abcac737c53ebbfde186c7b8b75cfac10db</id>
<content type='text'>
snd_timer_user_tselect() reallocates the queue buffer dynamically, but
it forgot to reset its indices.  Since the read may happen
concurrently with ioctl and snd_timer_user_tselect() allocates the
buffer via kmalloc(), this may lead to the leak of uninitialized
kernel-space data, as spotted via KMSAN:

  BUG: KMSAN: use of unitialized memory in snd_timer_user_read+0x6c4/0xa10
  CPU: 0 PID: 1037 Comm: probe Not tainted 4.11.0-rc5+ #2739
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
  Call Trace:
   __dump_stack lib/dump_stack.c:16
   dump_stack+0x143/0x1b0 lib/dump_stack.c:52
   kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:1007
   kmsan_check_memory+0xc2/0x140 mm/kmsan/kmsan.c:1086
   copy_to_user ./arch/x86/include/asm/uaccess.h:725
   snd_timer_user_read+0x6c4/0xa10 sound/core/timer.c:2004
   do_loop_readv_writev fs/read_write.c:716
   __do_readv_writev+0x94c/0x1380 fs/read_write.c:864
   do_readv_writev fs/read_write.c:894
   vfs_readv fs/read_write.c:908
   do_readv+0x52a/0x5d0 fs/read_write.c:934
   SYSC_readv+0xb6/0xd0 fs/read_write.c:1021
   SyS_readv+0x87/0xb0 fs/read_write.c:1018

This patch adds the missing reset of queue indices.  Together with the
previous fix for the ioctl/read race, we cover the whole problem.

Reported-by: Alexander Potapenko &lt;glider@google.com&gt;
Tested-by: Alexander Potapenko &lt;glider@google.com&gt;
Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
(cherry picked from commit ba3021b2c79b2fa9114f92790a99deb27a65b728)
Signed-off-by: Connor O'Brien &lt;connoro@google.com&gt;
Bug: 62201221

Change-Id: I8d3d97bb0e6c2eefd050bf46b860dd603fe3f4c6
</content>
</entry>
<entry>
<title>BACKPORT: ALSA: timer: Fix race between read and ioctl</title>
<updated>2017-12-08T16:37:33+00:00</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2017-06-02T13:03:38+00:00</published>
<link rel='alternate' type='text/html' href='https://gitea.privatedns.org/xavi/android_kernel_m2note/commit/?id=3d40140a720ae27b0c621608d32e3cafd7705d86'/>
<id>urn:sha1:3d40140a720ae27b0c621608d32e3cafd7705d86</id>
<content type='text'>
The read from the ALSA timer device, the function snd_timer_user_tread(),
may access uninitialized struct snd_timer_user fields when the
read is concurrently performed while an ioctl like
snd_timer_user_tselect() is invoked.  We have already fixed the races
among ioctls via a mutex, but we seem to have forgotten the race
between read vs ioctl.

This patch simply applies (more exactly extends the already applied
range of) tu-&gt;ioctl_lock in snd_timer_user_tread() for closing the
race window.

Reported-by: Alexander Potapenko &lt;glider@google.com&gt;
Tested-by: Alexander Potapenko &lt;glider@google.com&gt;
Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
(cherry picked from commit d11662f4f798b50d8c8743f433842c3e40fe3378)
Signed-off-by: Connor O'Brien &lt;connoro@google.com&gt;
Bug: 62201221

Change-Id: I67a3b5153c39ce9f6d7571b5aa8faabe5e3dbb83
</content>
</entry>
<entry>
<title>Revert "BACKPORT: ALSA: timer: Fix race between read and ioctl"</title>
<updated>2017-08-30T23:37:56+00:00</updated>
<author>
<name>Siqi Lin</name>
<email>siqilin@google.com</email>
</author>
<published>2017-07-21T20:57:06+00:00</published>
<link rel='alternate' type='text/html' href='https://gitea.privatedns.org/xavi/android_kernel_m2note/commit/?id=055adfa0ad41ebcb66388635f30c27646cf1e55e'/>
<id>urn:sha1:055adfa0ad41ebcb66388635f30c27646cf1e55e</id>
<content type='text'>
This reverts commit 59a480f39844a9a51ac143e8171580171b613b22.

Bug: 62201221
Change-Id: Id79733dc0bd55ec55edb8b6b4884fd47711f9838
Signed-off-by: Siqi Lin &lt;siqilin@google.com&gt;
</content>
</entry>
<entry>
<title>Revert "UPSTREAM: ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT"</title>
<updated>2017-08-30T21:27:18+00:00</updated>
<author>
<name>Jonathan Solnit</name>
<email>jsolnit@google.com</email>
</author>
<published>2017-07-21T19:37:51+00:00</published>
<link rel='alternate' type='text/html' href='https://gitea.privatedns.org/xavi/android_kernel_m2note/commit/?id=abb82b369bbc6dd85a5d007f6ebc45e377b1e510'/>
<id>urn:sha1:abb82b369bbc6dd85a5d007f6ebc45e377b1e510</id>
<content type='text'>
This reverts commit 31aaef072e5f8ce4fd12243be0695252bc736cd8.

Bug: 62201221
Change-Id: Iff57c945dcffcdd5632aeb65992ae7a5aca98186
Signed-off-by: Jonathan Solnit &lt;jsolnit@google.com&gt;
</content>
</entry>
<entry>
<title>ALSA: timer: Reject user params with too small ticks</title>
<updated>2017-07-02T17:39:12+00:00</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2017-02-28T13:49:07+00:00</published>
<link rel='alternate' type='text/html' href='https://gitea.privatedns.org/xavi/android_kernel_m2note/commit/?id=354e6a5f397f46e7c73889228d9d9d0b98edf601'/>
<id>urn:sha1:354e6a5f397f46e7c73889228d9d9d0b98edf601</id>
<content type='text'>
commit 71321eb3f2d0df4e6c327e0b936eec4458a12054 upstream.

When a user sets too small a ticks value with a fine-grained timer like
hrtimer, the kernel tries to fire up the timer irq too frequently.
This may lead to condensed locks and eventually to a kernel spinlock
lockup with warnings.

To avoid such a situation, we define a lower limit of the
resolution, namely 1ms.  When the user passes a too small tick value
that results in less than that, the kernel returns -EINVAL now.

Reported-by: Dmitry Vyukov &lt;dvyukov@google.com&gt;
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
Signed-off-by: Willy Tarreau &lt;w@1wt.eu&gt;
</content>
</entry>
<entry>
<title>UPSTREAM: ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT</title>
<updated>2017-06-24T10:41:11+00:00</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2017-06-02T15:26:56+00:00</published>
<link rel='alternate' type='text/html' href='https://gitea.privatedns.org/xavi/android_kernel_m2note/commit/?id=9811ad71117e8dd4260517fc82f410fea0b992e2'/>
<id>urn:sha1:9811ad71117e8dd4260517fc82f410fea0b992e2</id>
<content type='text'>
snd_timer_user_tselect() reallocates the queue buffer dynamically, but
it forgot to reset its indices.  Since the read may happen
concurrently with ioctl and snd_timer_user_tselect() allocates the
buffer via kmalloc(), this may lead to the leak of uninitialized
kernel-space data, as spotted via KMSAN:

  BUG: KMSAN: use of unitialized memory in snd_timer_user_read+0x6c4/0xa10
  CPU: 0 PID: 1037 Comm: probe Not tainted 4.11.0-rc5+ #2739
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
  Call Trace:
   __dump_stack lib/dump_stack.c:16
   dump_stack+0x143/0x1b0 lib/dump_stack.c:52
   kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:1007
   kmsan_check_memory+0xc2/0x140 mm/kmsan/kmsan.c:1086
   copy_to_user ./arch/x86/include/asm/uaccess.h:725
   snd_timer_user_read+0x6c4/0xa10 sound/core/timer.c:2004
   do_loop_readv_writev fs/read_write.c:716
   __do_readv_writev+0x94c/0x1380 fs/read_write.c:864
   do_readv_writev fs/read_write.c:894
   vfs_readv fs/read_write.c:908
   do_readv+0x52a/0x5d0 fs/read_write.c:934
   SYSC_readv+0xb6/0xd0 fs/read_write.c:1021
   SyS_readv+0x87/0xb0 fs/read_write.c:1018

This patch adds the missing reset of queue indices.  Together with the
previous fix for the ioctl/read race, we cover the whole problem.

Reported-by: Alexander Potapenko &lt;glider@google.com&gt;
Tested-by: Alexander Potapenko &lt;glider@google.com&gt;
Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
(cherry picked from commit ba3021b2c79b2fa9114f92790a99deb27a65b728)
Signed-off-by: Connor O'Brien &lt;connoro@google.com&gt;
Bug: 62201221

Change-Id: I8d3d97bb0e6c2eefd050bf46b860dd603fe3f4c6
</content>
</entry>
</feed>
