ipcm->substream is indirectly controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.
This issue was detected with the help of Smatch:
sound/pci/emu10k1/emufx.c:1031 snd_emu10k1_ipcm_poke() warn: potential spectre issue 'emu->fx8010.pcm' [r] (local cap)
sound/pci/emu10k1/emufx.c:1075 snd_emu10k1_ipcm_peek() warn: potential spectre issue 'emu->fx8010.pcm' [r] (local cap)
Fix this by sanitizing ipcm->substream before using it to index emu->fx8010.pcm
Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].
[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
snd_emu10k1_fx8010_ioctl(SNDRV_EMU10K1_IOCTL_INFO) allocates
memory using kmalloc() and partially fills it by calling
snd_emu10k1_fx8010_info() before returning the resulting
structure to userspace, leaving uninitialized holes. Let's
just use kzalloc() here.
BugLink: http://blog.infosectcbr.com.au/2018/09/linux-kernel-infoleaks.html
Signed-off-by: Willy Tarreau <w@1wt.eu>
Cc: Jann Horn <jannh@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The cast between user-space and kernel-space needs an explicit __force
prefix, but it's missing in many places in emu10k1 driver code.
Spotted by sparse as a warning like:
sound/pci/emu10k1/emufx.c:529:33: warning: cast removes address space of expression
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Trivial fix to spelling mistakes in audigy_outs arrays.
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The emu10k1 fx8010 code allocates each irq resource dynamically and
links to the list at PCM trigger callback. Due to the nature of
trigger callback, the allocation is done with GFP_ATOMIC, hence it
may fail more often. Moreover, the irq resource isn't big at all, and
using the kmalloc for this won't save many bytes, either.
This patch removes the dynamic allocation and embeds the irq resource
into struct snd_emu10k1_fx8010_pcm.irq field instead of keeping a
pointer. As a result, it simplifies the code and removes the
unnecessary GFP_ATOMIC usage.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The commit d42fe63d58 ("ALSA: emu10k1: Get rid of set_fs() usage")
converted the user-space copy hack with set_fs() to the direct
memcpy(), but one place was forgotten. This resulted in the error
from snd_emu10k1_init_efx(), eventually failed to load the driver.
Fix the missing piece.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=196687
Fixes: d42fe63d58 ("ALSA: emu10k1: Get rid of set_fs() usage")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Instead of set_fs() hackery, do the straight memcpy() by passing a
flag indicating the kernel space operation.
Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The various PCM and hwdep allocation functions in this driver take a pointer
to a pointer of a PCM/hwdep where if this parameter is provided the newly
allocated object is stored. All callers pass NULL though, so remove the
parameter.
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The functions kfree(), release_firmware() and snd_util_memhdr_free() test
whether their argument is NULL and then return immediately. Thus the test
around the call is not needed.
This issue was detected by using the Coccinelle software.
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Partially restructures _snd_emu10k1_audigy_init_efx() and
_snd_emu10k1_init_efx() functions.
Be noted that the cast is demanded to use '__user'. So, in these cases,
avoid patches based on the coccinelle 'drop_kmalloc_cast' semantic patch.
Signed-off-by: Geyslan G. Bem <geyslan@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
CONFIG_HOTPLUG is going away as an option. As result the __dev*
markings will be going away.
Remove use of __devinit, __devexit_p, __devinitdata, __devinitconst,
and __devexit.
Signed-off-by: Bill Pemberton <wfp5p@virginia.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
As the "Wave", "Wave Surround" or "Front" Playback Volume must be
changed to 70% (i.e. -12 dB) so that distortion won't occur when
increase Bass and Treble from 50% to 100%, so the maximum gain in
Bass and Treble are +12 dB.
Signed-off-by: Raymond Yau <superquad.vortex2@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Add a module option to allow the GPR mixer controls to have the full
resolution of the hardware, i.e., 0...2^31-1 instead of 0...100.
Because of bugs in userspace tools like alsactl and alsamixer, this is
not yet enabled by default.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Kill snd_assert() in sound/pci/*, either removed or replaced with
if () with snd_BUG_ON().
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
Reported by Al Viro:
In copy_tlv(), the size of kmalloc is wrongly calculated.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
This header file exists only for some hacks to adapt alsa-driver
tree. It's useless for building in the kernel. Let's move a few
lines in it to sound/core.h and remove it.
With this patch, sound/driver.h isn't removed but has just a single
compile warning to include it. This should be really killed in
future.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
isn't needed there. Upatched code uses:
memset(info, 0, sizeof(info));
where 'info' is a pointer and therefore only first 4 bytes of 'info' gets
cleared on a 32bit machine. Anyway looking at the code zeoring this memory
region isn't needed at all because the snd_emu10k1_fx8010_info() function
initializes all the 'info' fields on its own. So that's why this code works
at all in its original form.
This patch removes this redundant code. Also snd_emu10k1_fx8010_info() can't
fail so lets save some bytes and change its return type to void.
Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
Notebook.
Description: The .device=0x0008 chips have new, but different EMU32 in/out
channels. Driver updated to make use of these EMU32 channels.
Signed-off-by: James Courtier-Dutton <James@superbug.co.uk>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
* adding 8 more 32-bit capture channels (total of 16) for emu1010 cards
* adding some code comments and card details description
Signed-off-by: Pavel Hofman <dustin@seznam.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
Mark TLV data as 'const'
Signed-of-by: Philipp Matthias Hahn <pmhahn@pmhahn.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
Fix ABI for older ld10k1. When no EMU10K1_PVERSION ioctl is issued,
the driver accepts ioctls with the old struct size without TLV information.
Also, changed the struct field to make the conversion easier from the
old to the new structs.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
Semaphore to mutex conversion.
The conversion was generated via scripts, and the result was validated
automatically via a script as well.
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
- Move capable() from sched.h to capability.h;
- Use <linux/capability.h> where capable() is used
(in include/, block/, ipc/, kernel/, a few drivers/,
mm/, security/, & sound/;
many more drivers/ to go)
Signed-off-by: Randy Dunlap <rdunlap@xenotime.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Modules: EMU10K1/EMU10K2 driver
sound/pci/emu10k1/emufx.c: In function 'snd_emu10k1_efx_alloc_pm_buffer':
sound/pci/emu10k1/emufx.c:2402: error: implicit declaration of function 'vmalloc'
sound/pci/emu10k1/emufx.c:2402: warning: assignment makes pointer from integer without a cast
sound/pci/emu10k1/emufx.c: In function 'snd_emu10k1_efx_free_pm_buffer':
sound/pci/emu10k1/emufx.c:2413: error: implicit declaration of function 'vfree'
Signed-off-by: Andreas Schwab <schwab@suse.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Modules: EMU10K1/EMU10K2 driver
Distorted sound now comes from the Audio Out socket. Still more work to do.
Signed-off-by: James Courtier-Dutton <James@superbug.co.uk>
Remove snd_runtime_check() macro.
This macro worsens the readability of codes. They should be either
normal if() or removable asserts.
Also, the assert displays stack-dump, instead of only the last caller
pointer.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Modules: EMU10K1/EMU10K2 driver
Adds left and right front channel outputs using fxbus 8 and 9 and 'Front'
playback and capture volume controls.
Signed-off-by: Mikael Magnusson <mikma@users.sourceforge.net>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
ALSA Core,RawMidi Midlevel,ALSA<-OSS emulation,ALSA sequencer
RME32 driver,RME96 driver,EMU10K1/EMU10K2 driver,NM256 driver
Add sparse annotations where we do strange this with __iomem/__user
pointers.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
CMI8330 driver,ENS1370/1+ driver,FM801 driver,VIA82xx driver,AC97 Codec
ALI5451 driver,CS46xx driver,EMU10K1/EMU10K2 driver,HDA Codec driver
ICE1712 driver,ICE1724 driver
Where appropriate, use the SNDRV_CTL_NAME_IEC958 instead of a literal
string.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
EMU10K1/EMU10K2 driver
This patch converts the emu10k1 driver to use the card capabilities
structure for some more things.
Not extensively tested but seems to work.
Signed-off-by: Lee Revell <rlrevell@joe-job.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Initial git repository build. I'm not bothering with the full history,
even though we have it. We can create a separate "historical" git
archive of that later if we want to, and in the meantime it's about
3.2GB when imported into git - space that would just make the early
git days unnecessarily complicated, when we don't have a lot of good
infrastructure for it.
Let it rip!
