From f7645bd636d06f64f3eadb63cf1c8145219fdc58 Mon Sep 17 00:00:00 2001 From: Takashi Iwai Date: Tue, 3 Apr 2018 17:34:57 +0200 Subject: [PATCH 1/5] ALSA: usb-audio: Refactor clock finder helpers There are lots of open-coded functions to find a clock source, selector and multiplier. Now there are both v2 and v3, so six variants. This patch refactors the code to use a common helper for the main loop, and define each validator function for each target. There is no functional change. Fixes: 9a2fe9b801f5 ("ALSA: usb: initial USB Audio Device Class 3.0 support") Reviewed-by: Ruslan Bilovol Signed-off-by: Takashi Iwai --- sound/usb/clock.c | 131 +++++++++++++++++++--------------------------- 1 file changed, 55 insertions(+), 76 deletions(-) diff --git a/sound/usb/clock.c b/sound/usb/clock.c index ab39ccb974c6..27c2275a2505 100644 --- a/sound/usb/clock.c +++ b/sound/usb/clock.c @@ -35,105 +35,84 @@ #include "clock.h" #include "quirks.h" -static struct uac_clock_source_descriptor * - snd_usb_find_clock_source(struct usb_host_interface *ctrl_iface, - int clock_id) +static void *find_uac_clock_desc(struct usb_host_interface *iface, int id, + bool (*validator)(void *, int), u8 type) { - struct uac_clock_source_descriptor *cs = NULL; + void *cs = NULL; - while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra, - ctrl_iface->extralen, - cs, UAC2_CLOCK_SOURCE))) { - if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id) + while ((cs = snd_usb_find_csint_desc(iface->extra, iface->extralen, + cs, type))) { + if (validator(cs, id)) return cs; } return NULL; } -static struct uac3_clock_source_descriptor * - snd_usb_find_clock_source_v3(struct usb_host_interface *ctrl_iface, - int clock_id) +static bool validate_clock_source_v2(void *p, int id) { - struct uac3_clock_source_descriptor *cs = NULL; - - while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra, - ctrl_iface->extralen, - cs, UAC3_CLOCK_SOURCE))) { - if (cs->bClockID == clock_id) - return cs; - } - - return NULL; + struct uac_clock_source_descriptor *cs = p; + return cs->bLength >= sizeof(*cs) && cs->bClockID == id; } -static struct uac_clock_selector_descriptor * - snd_usb_find_clock_selector(struct usb_host_interface *ctrl_iface, - int clock_id) +static bool validate_clock_source_v3(void *p, int id) { - struct uac_clock_selector_descriptor *cs = NULL; - - while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra, - ctrl_iface->extralen, - cs, UAC2_CLOCK_SELECTOR))) { - if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id) { - if (cs->bLength < 5 + cs->bNrInPins) - return NULL; - return cs; - } - } - - return NULL; + struct uac3_clock_source_descriptor *cs = p; + return cs->bClockID == id; } -static struct uac3_clock_selector_descriptor * - snd_usb_find_clock_selector_v3(struct usb_host_interface *ctrl_iface, - int clock_id) +static bool validate_clock_selector_v2(void *p, int id) { - struct uac3_clock_selector_descriptor *cs = NULL; - - while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra, - ctrl_iface->extralen, - cs, UAC3_CLOCK_SELECTOR))) { - if (cs->bClockID == clock_id) - return cs; - } - - return NULL; + struct uac_clock_selector_descriptor *cs = p; + return cs->bLength >= sizeof(*cs) && cs->bClockID == id && + cs->bLength >= 5 + cs->bNrInPins; } -static struct uac_clock_multiplier_descriptor * - snd_usb_find_clock_multiplier(struct usb_host_interface *ctrl_iface, - int clock_id) +static bool validate_clock_selector_v3(void *p, int id) { - struct uac_clock_multiplier_descriptor *cs = NULL; - - while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra, - ctrl_iface->extralen, - cs, UAC2_CLOCK_MULTIPLIER))) { - if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id) - return cs; - } - - return NULL; + struct uac3_clock_selector_descriptor *cs = p; + return cs->bClockID == id; } -static struct uac3_clock_multiplier_descriptor * - snd_usb_find_clock_multiplier_v3(struct usb_host_interface *ctrl_iface, - int clock_id) +static bool validate_clock_multiplier_v2(void *p, int id) { - struct uac3_clock_multiplier_descriptor *cs = NULL; - - while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra, - ctrl_iface->extralen, - cs, UAC3_CLOCK_MULTIPLIER))) { - if (cs->bClockID == clock_id) - return cs; - } - - return NULL; + struct uac_clock_multiplier_descriptor *cs = p; + return cs->bLength >= sizeof(*cs) && cs->bClockID == id; } +static bool validate_clock_multiplier_v3(void *p, int id) +{ + struct uac3_clock_multiplier_descriptor *cs = p; + return cs->bClockID == id; +} + +#define DEFINE_FIND_HELPER(name, obj, validator, type) \ +static obj *name(struct usb_host_interface *iface, int id) \ +{ \ + return find_uac_clock_desc(iface, id, validator, type); \ +} + +DEFINE_FIND_HELPER(snd_usb_find_clock_source, + struct uac_clock_source_descriptor, + validate_clock_source_v2, UAC2_CLOCK_SOURCE); +DEFINE_FIND_HELPER(snd_usb_find_clock_source_v3, + struct uac3_clock_source_descriptor, + validate_clock_source_v3, UAC3_CLOCK_SOURCE); + +DEFINE_FIND_HELPER(snd_usb_find_clock_selector, + struct uac_clock_selector_descriptor, + validate_clock_selector_v2, UAC2_CLOCK_SELECTOR); +DEFINE_FIND_HELPER(snd_usb_find_clock_selector_v3, + struct uac3_clock_selector_descriptor, + validate_clock_selector_v3, UAC3_CLOCK_SELECTOR); + +DEFINE_FIND_HELPER(snd_usb_find_clock_multiplier, + struct uac_clock_multiplier_descriptor, + validate_clock_multiplier_v2, UAC2_CLOCK_MULTIPLIER); +DEFINE_FIND_HELPER(snd_usb_find_clock_multiplier_v3, + struct uac3_clock_multiplier_descriptor, + validate_clock_multiplier_v3, UAC3_CLOCK_MULTIPLIER); + static int uac_clock_selector_get_val(struct snd_usb_audio *chip, int selector_id) { unsigned char buf; From f5d76e9c40fd8791202d31c66a63f6f7ebbb8dcb Mon Sep 17 00:00:00 2001 From: Takashi Iwai Date: Wed, 4 Apr 2018 07:18:44 +0200 Subject: [PATCH 2/5] ALSA: usb-audio: More strict sanity checks for clock parsers The sanity checks introduced for malformed descriptors loosely check the given descriptor size, although the size greater than the defined description is invalid. It was due to a concern of any funky firmware in the actual products. But this doesn't look hitting, and any sane products must have the defined descriptors. So in this patch, we make the validators more strict, allowing only with the defined descriptor sizes. The value in clock selector validator is corrected from 5 to 7 to count the two unlisted fields after baCSourceID[]. Suggested-by: Ruslan Bilovol Reviewed-by: Ruslan Bilovol Signed-off-by: Takashi Iwai --- sound/usb/clock.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sound/usb/clock.c b/sound/usb/clock.c index 27c2275a2505..30cfd5b1bdfb 100644 --- a/sound/usb/clock.c +++ b/sound/usb/clock.c @@ -52,7 +52,7 @@ static void *find_uac_clock_desc(struct usb_host_interface *iface, int id, static bool validate_clock_source_v2(void *p, int id) { struct uac_clock_source_descriptor *cs = p; - return cs->bLength >= sizeof(*cs) && cs->bClockID == id; + return cs->bLength == sizeof(*cs) && cs->bClockID == id; } static bool validate_clock_source_v3(void *p, int id) @@ -65,7 +65,7 @@ static bool validate_clock_selector_v2(void *p, int id) { struct uac_clock_selector_descriptor *cs = p; return cs->bLength >= sizeof(*cs) && cs->bClockID == id && - cs->bLength >= 5 + cs->bNrInPins; + cs->bLength == 7 + cs->bNrInPins; } static bool validate_clock_selector_v3(void *p, int id) @@ -77,7 +77,7 @@ static bool validate_clock_selector_v3(void *p, int id) static bool validate_clock_multiplier_v2(void *p, int id) { struct uac_clock_multiplier_descriptor *cs = p; - return cs->bLength >= sizeof(*cs) && cs->bClockID == id; + return cs->bLength == sizeof(*cs) && cs->bClockID == id; } static bool validate_clock_multiplier_v3(void *p, int id) From b580fbfff13b01fa79a0760cbb6386f33bc9e10b Mon Sep 17 00:00:00 2001 From: Takashi Iwai Date: Tue, 3 Apr 2018 17:45:19 +0200 Subject: [PATCH 3/5] ALSA: usb-audio: Add sanity checks in UAC3 clock parsers The UAC3 clock parser codes lack of the sanity checks for malformed descriptors like UAC2 parser does. Without it, the driver may lead to a potential crash. Fixes: 9a2fe9b801f5 ("ALSA: usb: initial USB Audio Device Class 3.0 support") Tested-by: Ruslan Bilovol Reviewed-by: Ruslan Bilovol Signed-off-by: Takashi Iwai --- sound/usb/clock.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/sound/usb/clock.c b/sound/usb/clock.c index 30cfd5b1bdfb..0b030d8fe3fa 100644 --- a/sound/usb/clock.c +++ b/sound/usb/clock.c @@ -58,7 +58,7 @@ static bool validate_clock_source_v2(void *p, int id) static bool validate_clock_source_v3(void *p, int id) { struct uac3_clock_source_descriptor *cs = p; - return cs->bClockID == id; + return cs->bLength == sizeof(*cs) && cs->bClockID == id; } static bool validate_clock_selector_v2(void *p, int id) @@ -71,7 +71,8 @@ static bool validate_clock_selector_v2(void *p, int id) static bool validate_clock_selector_v3(void *p, int id) { struct uac3_clock_selector_descriptor *cs = p; - return cs->bClockID == id; + return cs->bLength >= sizeof(*cs) && cs->bClockID == id && + cs->bLength == 11 + cs->bNrInPins; } static bool validate_clock_multiplier_v2(void *p, int id) @@ -83,7 +84,7 @@ static bool validate_clock_multiplier_v2(void *p, int id) static bool validate_clock_multiplier_v3(void *p, int id) { struct uac3_clock_multiplier_descriptor *cs = p; - return cs->bClockID == id; + return cs->bLength == sizeof(*cs) && cs->bClockID == id; } #define DEFINE_FIND_HELPER(name, obj, validator, type) \ From e15dc99dbb9cf99f6432e8e3c0b3a8f7a3403a86 Mon Sep 17 00:00:00 2001 From: Takashi Iwai Date: Sat, 7 Apr 2018 11:48:58 +0200 Subject: [PATCH 4/5] ALSA: pcm: Fix endless loop for XRUN recovery in OSS emulation The commit 02a5d6925cd3 ("ALSA: pcm: Avoid potential races between OSS ioctls and read/write") split the PCM preparation code to a locked version, and it added a sanity check of runtime->oss.prepare flag along with the change. This leaded to an endless loop when the stream gets XRUN: namely, snd_pcm_oss_write3() and co call snd_pcm_oss_prepare() without setting runtime->oss.prepare flag and the loop continues until the PCM state reaches to another one. As the function is supposed to execute the preparation unconditionally, drop the invalid state check there. The bug was triggered by syzkaller. Fixes: 02a5d6925cd3 ("ALSA: pcm: Avoid potential races between OSS ioctls and read/write") Reported-by: syzbot+150189c103427d31a053@syzkaller.appspotmail.com Reported-by: syzbot+7e3f31a52646f939c052@syzkaller.appspotmail.com Reported-by: syzbot+4f2016cf5185da7759dc@syzkaller.appspotmail.com Cc: Signed-off-by: Takashi Iwai --- sound/core/oss/pcm_oss.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c index 481ab0e94ffa..1980f68246cb 100644 --- a/sound/core/oss/pcm_oss.c +++ b/sound/core/oss/pcm_oss.c @@ -1128,13 +1128,14 @@ static int snd_pcm_oss_get_active_substream(struct snd_pcm_oss_file *pcm_oss_fil } /* call with params_lock held */ +/* NOTE: this always call PREPARE unconditionally no matter whether + * runtime->oss.prepare is set or not + */ static int snd_pcm_oss_prepare(struct snd_pcm_substream *substream) { int err; struct snd_pcm_runtime *runtime = substream->runtime; - if (!runtime->oss.prepare) - return 0; err = snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_PREPARE, NULL); if (err < 0) { pcm_dbg(substream->pcm, From e1a3a981e320a6916b30ff53571ba144274def0e Mon Sep 17 00:00:00 2001 From: Takashi Iwai Date: Mon, 9 Apr 2018 17:12:16 +0200 Subject: [PATCH 5/5] ALSA: pcm: Remove WARN_ON() at snd_pcm_hw_params() error snd_pcm_hw_params() (more exactly snd_pcm_hw_params_choose()) contains a check of the return error from snd_pcm_hw_param_first() and _last() with snd_BUG_ON() -- i.e. it may trigger WARN_ON() depending on the kconfig. This was a valid check in the past, as these functions shouldn't return any error if the parameters have been already refined via snd_pcm_hw_refine() beforehand. However, the recent rewrite introduced a kmalloc() in snd_pcm_hw_refine() for removing VLA, and this brought a possibility to trigger an error. As a result, syzbot caught lots of superfluous kernel WARN_ON() and paniced via fault injection. As the WARN_ON() is no longer valid with the introduction of kmalloc(), let's drop snd_BUG_ON() check, in order to make the world peaceful place again. Reported-by: syzbot+803e0047ac3a3096bb4f@syzkaller.appspotmail.com Fixes: 5730f9f744cf ("ALSA: pcm: Remove VLA usage") Signed-off-by: Takashi Iwai --- sound/core/pcm_native.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c index b84554893fab..35ffccea94c3 100644 --- a/sound/core/pcm_native.c +++ b/sound/core/pcm_native.c @@ -617,7 +617,7 @@ static int snd_pcm_hw_params_choose(struct snd_pcm_substream *pcm, changed = snd_pcm_hw_param_first(pcm, params, *v, NULL); else changed = snd_pcm_hw_param_last(pcm, params, *v, NULL); - if (snd_BUG_ON(changed < 0)) + if (changed < 0) return changed; if (changed == 0) continue;