linux.git/sound/core/seq, branch v4.19.39 Clone of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git ALSA: seq: Fix OOB-reads from strlcpy 2019-04-17T06:38:48+00:00 Zubin Mithra zsm@chromium.org 2019-04-04T21:33:55+00:00 73b50a56e51edcd78ef7602afe75083d640548e8 commit 212ac181c158c09038c474ba68068be49caecebb upstream. When ioctl calls are made with non-null-terminated userspace strings, strlcpy causes an OOB-read from within strlen. Fix by changing to use strscpy instead. Signed-off-by: Zubin Mithra <zsm@chromium.org> Reviewed-by: Guenter Roeck <groeck@chromium.org> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 212ac181c158c09038c474ba68068be49caecebb upstream.

When ioctl calls are made with non-null-terminated userspace strings,
strlcpy causes an OOB-read from within strlen. Fix by changing to use
strscpy instead.

Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
ALSA: seq: oss: Fix Spectre v1 vulnerability 2019-04-03T04:26:22+00:00 Gustavo A. R. Silva gustavo@embeddedor.com 2019-03-20T23:42:01+00:00 b425f45295dd9692c146a6ca46cb533195aa3d9f commit c709f14f0616482b67f9fbcb965e1493a03ff30b upstream. dev is indirectly controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. This issue was detected with the help of Smatch: sound/core/seq/oss/seq_oss_synth.c:626 snd_seq_oss_synth_make_info() warn: potential spectre issue 'dp->synths' [w] (local cap) Fix this by sanitizing dev before using it to index dp->synths. Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/ Cc: stable@vger.kernel.org Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit c709f14f0616482b67f9fbcb965e1493a03ff30b upstream.

dev is indirectly controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

sound/core/seq/oss/seq_oss_synth.c:626 snd_seq_oss_synth_make_info() warn: potential spectre issue 'dp->synths' [w] (local cap)

Fix this by sanitizing dev before using it to index dp->synths.

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/

Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
ALSA: seq: virmidi: Fix discarding the unsubscribed output 2018-08-14T20:50:52+00:00 Takashi Iwai tiwai@suse.de 2018-08-14T19:27:51+00:00 82fd4b05d704623a0e4aa7fda48e272a9889337d The recent change to move the virmidi output processing to a work slightly modified the code to discard the unsubscribed outputs so that it works without a temporary buffer. However, this is actually buggy, and may spew a kernel warning due to the unexpected call of snd_rawmidi_transmit_ack(), as triggered by syzbot. This patch takes back to the original code in that part, use a temporary buffer and simply repeat snd_rawmidi_transmit(), in order to address the regression. Fixes: f7debfe54090 ("ALSA: seq: virmidi: Offload the output event processing") Reported-by: syzbot+ec5f605c91812d200367@syzkaller.appspotmail.com Signed-off-by: Takashi Iwai <tiwai@suse.de> 
The recent change to move the virmidi output processing to a work
slightly modified the code to discard the unsubscribed outputs so that
it works without a temporary buffer.  However, this is actually buggy,
and may spew a kernel warning due to the unexpected call of
snd_rawmidi_transmit_ack(), as triggered by syzbot.

This patch takes back to the original code in that part, use a
temporary buffer and simply repeat snd_rawmidi_transmit(), in order to
address the regression.

Fixes: f7debfe54090 ("ALSA: seq: virmidi: Offload the output event processing")
Reported-by: syzbot+ec5f605c91812d200367@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
ALSA: seq_oss: Mark expected switch fall-through 2018-08-04T06:30:45+00:00 Gustavo A. R. Silva gustavo@embeddedor.com 2018-08-03T20:53:54+00:00 eb2caeb88c181904110f8e74995c7b0bb7fd39f6 In preparation to enabling -Wimplicit-fallthrough, mark switch cases where we are expecting to fall through. Warning level 2 was used: -Wimplicit-fallthrough=2 Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> Signed-off-by: Takashi Iwai <tiwai@suse.de> 
In preparation to enabling -Wimplicit-fallthrough, mark switch cases
where we are expecting to fall through.

Warning level 2 was used: -Wimplicit-fallthrough=2

Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
ALSA: seq: Mark expected switch fall-through 2018-08-04T06:30:36+00:00 Gustavo A. R. Silva gustavo@embeddedor.com 2018-08-03T20:52:33+00:00 2f3b94e539a46052f8eba1f295ff5646e227578a In preparation to enabling -Wimplicit-fallthrough, mark switch cases where we are expecting to fall through. Notice that in this particular case, I replaced the code comment with a proper "fall through" annotation, which is what GCC is expecting to find. Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> Signed-off-by: Takashi Iwai <tiwai@suse.de> 
In preparation to enabling -Wimplicit-fallthrough, mark switch cases
where we are expecting to fall through.

Notice that in this particular case, I replaced the code comment with
a proper "fall through" annotation, which is what GCC is expecting
to find.

Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
ALSA: seq: Drop unused 64bit division macros 2018-08-01T20:54:37+00:00 Takashi Iwai tiwai@suse.de 2018-08-01T14:43:56+00:00 93ce1b12966d9d60ee5583ffbde822a22909568e The old ugly macros remained in the code without usage. Rip them off. Signed-off-by: Takashi Iwai <tiwai@suse.de> 
The old ugly macros remained in the code without usage.
Rip them off.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
ALSA: seq: Use no intrruptible mutex_lock 2018-08-01T20:54:36+00:00 Takashi Iwai tiwai@suse.de 2018-08-01T14:42:29+00:00 04702e8d0092832eaeeacc6b1bfbf81a66f242c9 All usages of mutex in ALSA sequencer core would take too long, hence we don't have to care about the user interruption that makes things complicated. Let's replace them with simpler mutex_lock(). Signed-off-by: Takashi Iwai <tiwai@suse.de> 
All usages of mutex in ALSA sequencer core would take too long, hence
we don't have to care about the user interruption that makes things
complicated.  Let's replace them with simpler mutex_lock().

Signed-off-by: Takashi Iwai <tiwai@suse.de>
ALSA: seq: Fix leftovers at probe error path 2018-08-01T20:54:36+00:00 Takashi Iwai tiwai@suse.de 2018-08-01T14:37:02+00:00 00976ad5271999ba06d24319fd1031b178aff832 The sequencer core module doesn't call some destructors in the error path of the init code, which may leave some resources. This patch mainly fix these leaks by calling the destructors appropriately at alsa_seq_init(). Also the patch brings a few cleanups along with it, namely: - Expand the old "if ((err = xxx) < 0)" coding style - Get rid of empty seq_queue_init() and its caller - Change snd_seq_info_done() to void Last but not least, a couple of functions lose __exit annotation since they are called also in alsa_seq_init(). No functional changes but minor code cleanups. Signed-off-by: Takashi Iwai <tiwai@suse.de> 
The sequencer core module doesn't call some destructors in the error
path of the init code, which may leave some resources.

This patch mainly fix these leaks by calling the destructors
appropriately at alsa_seq_init().  Also the patch brings a few
cleanups along with it, namely:

- Expand the old "if ((err = xxx) < 0)" coding style
- Get rid of empty seq_queue_init() and its caller
- Change snd_seq_info_done() to void

Last but not least, a couple of functions lose __exit annotation since
they are called also in alsa_seq_init().

No functional changes but minor code cleanups.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
ALSA: seq: Remove dead codes 2018-08-01T20:54:35+00:00 Takashi Iwai tiwai@suse.de 2018-08-01T12:59:07+00:00 fc4bfd9a35f3d9cbf5ad6a20faedca71d1d9ed52 There are a few functions that have been commented out for ages. And also there are functions that do nothing but placeholders. Let's kill them. Signed-off-by: Takashi Iwai <tiwai@suse.de> 
There are a few functions that have been commented out for ages.
And also there are functions that do nothing but placeholders.
Let's kill them.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
ALSA: seq: Minor cleanup of MIDI event parser helpers 2018-08-01T20:54:35+00:00 Takashi Iwai tiwai@suse.de 2018-08-01T12:38:18+00:00 ef965ad5a7697ff16e3be01954f5c57208e36c22 snd_midi_event_encode_byte() can never fail, and it can return rather true/false. Change the return type to bool, adjust the argument to receive a MIDI byte as unsigned char, and adjust the comment accordingly. This allows callers to drop error checks, which simplifies the code. Meanwhile, snd_midi_event_encode() helper is used only in seq_midi.c, and it can be better folded into it. This will reduce the total amount of lines in the end. Signed-off-by: Takashi Iwai <tiwai@suse.de> 
snd_midi_event_encode_byte() can never fail, and it can return rather
true/false.  Change the return type to bool, adjust the argument to
receive a MIDI byte as unsigned char, and adjust the comment
accordingly.  This allows callers to drop error checks, which
simplifies the code.

Meanwhile, snd_midi_event_encode() helper is used only in seq_midi.c,
and it can be better folded into it.  This will reduce the total
amount of lines in the end.

Signed-off-by: Takashi Iwai <tiwai@suse.de>