* [PATCH AUTOSEL 4.4 2/4] drm/bochs: downgrade pci_request_region failure from error to warning
2020-03-26 23:25 [PATCH AUTOSEL 4.4 1/4] ALSA: hda/realtek: Fix pop noise on ALC225 Sasha Levin
@ 2020-03-26 23:25 ` Sasha Levin
2020-03-26 23:25 ` [PATCH AUTOSEL 4.4 3/4] ALSA: pcm: oss: Avoid plugin buffer overflow Sasha Levin
2020-03-26 23:25 ` [PATCH AUTOSEL 4.4 4/4] ALSA: pcm: oss: Remove WARNING from snd_pcm_plug_alloc() checks Sasha Levin
2 siblings, 0 replies; 4+ messages in thread
From: Sasha Levin @ 2020-03-26 23:25 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Gerd Hoffmann, Marek Marczykowski-Górecki, Sam Ravnborg,
Sasha Levin, virtualization, dri-devel
From: Gerd Hoffmann <kraxel@redhat.com>
[ Upstream commit 8c34cd1a7f089dc03933289c5d4a4d1489549828 ]
Shutdown of firmware framebuffer has a bunch of problems. Because
of this the framebuffer region might still be reserved even after
drm_fb_helper_remove_conflicting_pci_framebuffers() returned.
Don't consider pci_request_region() failure for the framebuffer
region as a fatal error, to work around this issue.
Reported-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Acked-by: Sam Ravnborg <sam@ravnborg.org>
Link: http://patchwork.freedesktop.org/patch/msgid/20200313084152.2734-1-kraxel@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/bochs/bochs_hw.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/bochs/bochs_hw.c b/drivers/gpu/drm/bochs/bochs_hw.c
index a39b0343c197d..401c218567af9 100644
--- a/drivers/gpu/drm/bochs/bochs_hw.c
+++ b/drivers/gpu/drm/bochs/bochs_hw.c
@@ -97,10 +97,8 @@ int bochs_hw_init(struct drm_device *dev, uint32_t flags)
size = min(size, mem);
}
- if (pci_request_region(pdev, 0, "bochs-drm") != 0) {
- DRM_ERROR("Cannot request framebuffer\n");
- return -EBUSY;
- }
+ if (pci_request_region(pdev, 0, "bochs-drm") != 0)
+ DRM_WARN("Cannot request framebuffer, boot fb still active?\n");
bochs->fb_map = ioremap(addr, size);
if (bochs->fb_map == NULL) {
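Review bot: the new `if (pci_request_region(pdev, 0, "bochs-drm") != 0)` discards the return value, and the function then goes on to `ioremap(addr, size)` on a region it does not own, with nothing recorded about whether the request succeeded. Consider keeping the result (for example in a flag on `bochs`) so that any teardown path releases the region only when it was actually obtained, and print the error code in the DRM_WARN message so the log distinguishes a still-reserved boot framebuffer from other failures.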
--
2.20.1
* [PATCH AUTOSEL 4.4 3/4] ALSA: pcm: oss: Avoid plugin buffer overflow
From: Sasha Levin @ 2020-03-26 23:25 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Takashi Iwai, syzbot+e1fe9f44fb8ecf4fb5dd, Sasha Levin, alsa-devel
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit f2ecf903ef06eb1bbbfa969db9889643d487e73a ]
Each OSS PCM plugin allocates its internal buffer per pre-calculation
of the max buffer size through the chain of plugins (calling
src_frames and dst_frames callbacks). This works for most plugins,
but the rate plugin might behave incorrectly. The calculation in the
rate plugin involves the fractional position, i.e. it may vary
depending on the input position. Since the buffer size
pre-calculation is always done with the offset zero, it may return a
shorter size than it might be; this may result in an out-of-bounds
access, as spotted by the fuzzer.
This patch addresses those possible buffer overflow accesses by simply
setting the upper limit per the given buffer size for each plugin
before src_frames() and after dst_frames() calls.
Reported-by: syzbot+e1fe9f44fb8ecf4fb5dd@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/000000000000b25ea005a02bcf21@google.com
Link: https://lore.kernel.org/r/20200309082148.19855-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/core/oss/pcm_plugin.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/sound/core/oss/pcm_plugin.c b/sound/core/oss/pcm_plugin.c
index c6888d76ca5e9..b08b2d2d804bd 100644
--- a/sound/core/oss/pcm_plugin.c
+++ b/sound/core/oss/pcm_plugin.c
@@ -209,6 +209,8 @@ snd_pcm_sframes_t snd_pcm_plug_client_size(struct snd_pcm_substream *plug, snd_p
if (stream == SNDRV_PCM_STREAM_PLAYBACK) {
plugin = snd_pcm_plug_last(plug);
while (plugin && drv_frames > 0) {
+ if (drv_frames > plugin->buf_frames)
+ drv_frames = plugin->buf_frames;
plugin_prev = plugin->prev;
if (plugin->src_frames)
drv_frames = plugin->src_frames(plugin, drv_frames);
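Review bot: the clamp added at the top of the playback loop silently shortens `drv_frames` with no comment saying why, so a later reader cannot tell it exists because the rate plugin's size calculation depends on the input position. A one-line comment to that effect would help. It is also worth confirming that `plugin->buf_frames` is always non-zero when this function runs, since a zero value sets `drv_frames` to 0 and ends the `while (plugin && drv_frames > 0)` loop early.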
@@ -220,6 +222,8 @@ snd_pcm_sframes_t snd_pcm_plug_client_size(struct snd_pcm_substream *plug, snd_p
plugin_next = plugin->next;
if (plugin->dst_frames)
drv_frames = plugin->dst_frames(plugin, drv_frames);
+ if (drv_frames > plugin->buf_frames)
+ drv_frames = plugin->buf_frames;
plugin = plugin_next;
}
} else
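Review bot: in this loop the result of `plugin->dst_frames(plugin, drv_frames)` goes straight into the new `drv_frames > plugin->buf_frames` comparison with no error check in between, whereas snd_pcm_plug_slave_size() in the next hunk tests `frames < 0` before its clamp. If the two operands differ in signedness, a negative return would compare as a very large value and be clamped to `buf_frames`, turning an error into a plausible frame count. Please confirm the types here, or add the same negative check before the clamp.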
@@ -248,11 +252,15 @@ snd_pcm_sframes_t snd_pcm_plug_slave_size(struct snd_pcm_substream *plug, snd_pc
if (frames < 0)
return frames;
}
+ if (frames > plugin->buf_frames)
+ frames = plugin->buf_frames;
plugin = plugin_next;
}
} else if (stream == SNDRV_PCM_STREAM_CAPTURE) {
plugin = snd_pcm_plug_last(plug);
while (plugin) {
+ if (frames > plugin->buf_frames)
+ frames = plugin->buf_frames;
plugin_prev = plugin->prev;
if (plugin->src_frames) {
frames = plugin->src_frames(plugin, frames);
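Review bot: the same two-line clamp against `plugin->buf_frames` now appears four times across this patch (twice here, twice in snd_pcm_plug_client_size()), each placed by hand either before `src_frames()` or after `dst_frames()`. A small static helper taking the plugin and the frame count would keep the placement rule in one spot and make it harder for a future plugin loop to miss the bound.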
--
2.20.1
* [PATCH AUTOSEL 4.4 4/4] ALSA: pcm: oss: Remove WARNING from snd_pcm_plug_alloc() checks
From: Sasha Levin @ 2020-03-26 23:25 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Takashi Iwai, syzbot+2a59ee7a9831b264f45e, Sasha Levin, alsa-devel
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 5461e0530c222129dfc941058be114b5cbc00837 ]
The return value checks in snd_pcm_plug_alloc() are covered with the
snd_BUG_ON() macro, which may trigger a kernel WARNING depending on the
kconfig. But since the error condition can be triggered by a weird
user space parameter passed to the OSS layer, we shouldn't give the kernel
stack trace just for that. As it's a normal error condition, let's
remove the snd_BUG_ON() macro usage there.
Reported-by: syzbot+2a59ee7a9831b264f45e@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200312155730.7520-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/core/oss/pcm_plugin.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sound/core/oss/pcm_plugin.c b/sound/core/oss/pcm_plugin.c
index b08b2d2d804bd..0e3dd6014ce55 100644
--- a/sound/core/oss/pcm_plugin.c
+++ b/sound/core/oss/pcm_plugin.c
@@ -111,7 +111,7 @@ int snd_pcm_plug_alloc(struct snd_pcm_substream *plug, snd_pcm_uframes_t frames)
while (plugin->next) {
if (plugin->dst_frames)
frames = plugin->dst_frames(plugin, frames);
- if (snd_BUG_ON((snd_pcm_sframes_t)frames <= 0))
+ if ((snd_pcm_sframes_t)frames <= 0)
return -ENXIO;
plugin = plugin->next;
err = snd_pcm_plugin_alloc(plugin, frames);
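Review bot: with snd_BUG_ON() removed, the `(snd_pcm_sframes_t)frames <= 0` check returns -ENXIO with no trace of which plugin produced the bad size. A pr_debug() or similar low-noise message would keep the failure diagnosable without the stack trace. The cast also makes very large values of the unsigned `frames` parameter count as errors, which deserves a one-line comment now that this is treated as an ordinary error path.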
@@ -123,7 +123,7 @@ int snd_pcm_plug_alloc(struct snd_pcm_substream *plug, snd_pcm_uframes_t frames)
while (plugin->prev) {
if (plugin->src_frames)
frames = plugin->src_frames(plugin, frames);
- if (snd_BUG_ON((snd_pcm_sframes_t)frames <= 0))
+ if ((snd_pcm_sframes_t)frames <= 0)
return -ENXIO;
plugin = plugin->prev;
err = snd_pcm_plugin_alloc(plugin, frames);
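Review bot: the `return -ENXIO` in this loop can fire after earlier iterations have already completed `snd_pcm_plugin_alloc(plugin, frames)` for preceding plugins, and nothing in the visible lines frees those buffers before returning. Now that user space can reach this path routinely instead of it being a flagged bug, please confirm the caller tears down the partially allocated chain on error, and say so in the commit message or a comment.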
--
2.20.1