Skip to content
Snippets Groups Projects
Select Git revision
  • msm-next-lumag
  • msm-next-lumag-test
  • msm-next-lumag-cwb
  • msm-next-lumag-test2
  • msm-next default
  • test-dpu-virtual-wide
  • msm-next-lumag-test-mode-width
  • drm-misc-next-test
  • b4/fd-fix-lxml
  • msm-fixes-lumag
  • msm-next-lumag-6.8-ci-fixes
  • dpu-4k
  • dpu-wideplanes
  • msm-psr-support
  • msm-next-fixes-lumag
  • msm-next-fixes
16 results
Search by author
  • Any Author
  • Dmitry Baryshkov Dmitry Baryshkov lumag
1 author
  1. Aug 08, 2024
  3. May 08, 2024
  5. Mar 26, 2024
    • Duoming Zhou's avatar
      ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs · 051e0840
      Duoming Zhou authored and Takashi Iwai's avatar Takashi Iwai committed 
      
The dreamcastcard->timer could schedule the spu_dma_work and the
spu_dma_work could also arm the dreamcastcard->timer.

When the snd_pcm_substream is closing, the aica_channel will be
deallocated. But it could still be dereferenced in the worker
thread. The reason is that del_timer() will return directly
regardless of whether the timer handler is running or not and
the worker could be rescheduled in the timer handler. As a result,
the UAF bug will happen. The racy situation is shown below:

      (Thread 1)                 |      (Thread 2)
snd_aicapcm_pcm_close()          |
 ...                             |  run_spu_dma() //worker
                                 |    mod_timer()
  flush_work()                   |
  del_timer()                    |  aica_period_elapsed() //timer
  kfree(dreamcastcard->channel)  |    schedule_work()
                                 |  run_spu_dma() //worker
  ...                            |    dreamcastcard->channel-> //USE

In order to mitigate this bug and other possible corner cases,
call mod_timer() conditionally in run_spu_dma(), then implement
PCM sync_stop op to cancel both the timer and worker. The sync_stop
op will be called from PCM core appropriately when needed.

Fixes: 198de43d ("[ALSA] Add ALSA support for the SEGA Dreamcast PCM device")
Suggested-by: default avatarTakashi Iwai <tiwai@suse.de>
Signed-off-by: default avatarDuoming Zhou <duoming@zju.edu.cn>
Message-ID: <20240326094238.95442-1-duoming@zju.edu.cn>
Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      051e0840
  7. Aug 18, 2023
  9. Mar 20, 2023
  11. Mar 17, 2021
  13. Jan 05, 2020
  15. Jan 04, 2020
  17. Jan 03, 2020
  19. Dec 11, 2019
  21. Nov 06, 2019
  23. Jun 05, 2019
  25. May 30, 2019
  27. May 21, 2019
  29. May 08, 2019
    • Takashi Iwai's avatar
      ALSA: aica: Fix a long-time build breakage · 534420c6
      Takashi Iwai authored 
      
The build of aica sound driver has been broken since the timer API
conversion and some code rewrite.  This patch fixes the breakage by
using the common substream field, as well as a bit cleaning up wrt the
timer handling in the code.

Fixes: d522bb6a ("ALSA: sh: aica: Convert timers to use timer_setup()")
Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      534420c6
  31. Feb 06, 2019
  33. Oct 05, 2017
  35. Aug 31, 2017
  37. Aug 19, 2017
  39. Aug 17, 2017
  41. Jun 02, 2017
  43. May 30, 2017
    • Bhumika Goyal's avatar
      ALSA: declare snd_kcontrol_new structures as const · 905e46ac
      Bhumika Goyal authored and Takashi Iwai's avatar Takashi Iwai committed 
      
Declare snd_kcontrol_new structures as const as they are only passed an
argument to the function snd_ctl_new1. This argument is of type const,
so snd_kcontrol_new structures having this property can be made const.
Done using Coccinelle:

@r disable optional_qualifier@
identifier x;
position p;
@@
static struct snd_kcontrol_new x@p={...};

@ok@
identifier r.x;
position p;
@@
snd_ctl_new1(&x@p,...)

@bad@
position p != {r.p,ok.p};
identifier r.x;
@@
x@p

@depends on !bad disable optional_qualifier@
identifier r.x;
@@
+const
struct snd_kcontrol_new x;

Cross compiled these files:
sound/aoa/codecs/tas.c - powerpc
sound/mips/{hal2.c/sgio2audio.c} - mips
sound/ppc/{awacs.c/beep.c/tumbler.c} - powerpc
sound/soc/sh/siu_dai.c - sh
Could not find an architecture to compile sound/sh/aica.c.

Signed-off-by: default avatarBhumika Goyal <bhumirks@gmail.com>
Acked-by: default avatarMark Brown <broonie@kernel.org>
Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      905e46ac
  45. Dec 25, 2016
    • Thomas Gleixner's avatar
      ktime: Cleanup ktime_set() usage · 8b0e1953
      Thomas Gleixner authored 
      
ktime_set(S,N) was required for the timespec storage type and is still
useful for situations where a Seconds and Nanoseconds part of a time value
needs to be converted. For anything where the Seconds argument is 0, this
is pointless and can be replaced with a simple assignment.

Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
Cc: Peter Zijlstra <peterz@infradead.org>
      8b0e1953
  47. Jun 07, 2016
    • Bhaktipriya Shridhar's avatar
      ALSA: sh: aica: Remove deprecated create_workqueue · 43aa56d9
      Bhaktipriya Shridhar authored and Takashi Iwai's avatar Takashi Iwai committed 
      
System workqueues have been able to handle high level of concurrency
for a long time now and there's no reason to use dedicated workqueues
just to gain concurrency. Since aica_queue for AICA sound
driver has workitem dreamcastcard->spu_dma_work (maps to run_spu_dma)
which is involved in aica dma transfers and is not being used on a memory
reclaim path, dedicated aica_queue has been replaced with the
use of system_wq.

Unlike a dedicated per-cpu workqueue created with create_workqueue(),
system_wq allows multiple work items to overlap executions even on
the same CPU; however, a per-cpu workqueue doesn't have any CPU
locality or global ordering guarantees unless the target CPU is
explicitly specified and thus the increase of local concurrency
shouldn't make any difference.

Since the work items could be pending, flush_work() has been used in
snd_aicapcm_pcm_close() to ensure that there is no pending task while
disconnecting the driver.

Signed-off-by: default avatarBhaktipriya Shridhar <bhaktipriya96@gmail.com>
Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      43aa56d9
  49. Jan 28, 2015
  51. Jan 19, 2015
  53. Oct 20, 2014
  55. Feb 14, 2014
  57. May 23, 2013
  59. Dec 07, 2012
  61. Jul 02, 2012
  63. May 21, 2012
    • Paul Mundt's avatar
      ALSA: sh: Fix up namespace collision in sh_dac_audio. · d4c69838
      Paul Mundt authored and Takashi Iwai's avatar Takashi Iwai committed 
      
The module_platform_driver() conversion ended up tripping over the driver
name, leading to confusion in the macro with regards to 'driver' being
redefined. rename it to something slightly more suitable to avoid
namespace collisions.

sound/sh/sh_dac_audio.c:444:122: error: conflicting types for 'driver_init'
include/linux/device.h:773:6: note: previous declaration of 'driver_init' was here
make[3]: *** [sound/sh/sh_dac_audio.o] Error 1

Signed-off-by: default avatarPaul Mundt <lethal@linux-sh.org>
Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      d4c69838
  65. Dec 19, 2011
  67. Nov 27, 2011