Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.12.80 2025-08-28T14:31:15+00:00 2025-08-28T14:31:15+00:00 Dewei Meng mengdewei@cqsoftware.com.cn 2025-08-21T01:43:17+00:00 urn:sha1:34327b362ce2849a5eb02f47e800049e7a20a0ba [ Upstream commit 5003a65790ed66be882d1987cc2ca86af0de3db1 ] In the snd_utimer_create() function, if the kasprintf() function return NULL, snd_utimer_put_id() will be called, finally use ida_free() to free the unallocated id 0. the syzkaller reported the following information: ------------[ cut here ]------------ ida_free called for id=0 which is not allocated. WARNING: CPU: 1 PID: 1286 at lib/idr.c:592 ida_free+0x1fd/0x2f0 lib/idr.c:592 Modules linked in: CPU: 1 UID: 0 PID: 1286 Comm: syz-executor164 Not tainted 6.15.8 #3 PREEMPT(lazy) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-4.fc42 04/01/2014 RIP: 0010:ida_free+0x1fd/0x2f0 lib/idr.c:592 Code: f8 fc 41 83 fc 3e 76 69 e8 70 b2 f8 (...) RSP: 0018:ffffc900007f79c8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 1ffff920000fef3b RCX: ffffffff872176a5 RDX: ffff88800369d200 RSI: 0000000000000000 RDI: ffff88800369d200 RBP: 0000000000000000 R08: ffffffff87ba60a5 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000002 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f6f1abc1740(0000) GS:ffff8880d76a0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f6f1ad7a784 CR3: 000000007a6e2000 CR4: 00000000000006f0 Call Trace: <TASK> snd_utimer_put_id sound/core/timer.c:2043 [inline] [snd_timer] snd_utimer_create+0x59b/0x6a0 sound/core/timer.c:2184 [snd_timer] snd_utimer_ioctl_create sound/core/timer.c:2202 [inline] [snd_timer] __snd_timer_user_ioctl.isra.0+0x724/0x1340 sound/core/timer.c:2287 [snd_timer] snd_timer_user_ioctl+0x75/0xc0 sound/core/timer.c:2298 [snd_timer] vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x198/0x200 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x7b/0x160 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e [...] The utimer->id should be set properly before the kasprintf() function, ensures the snd_utimer_put_id() function will free the allocated id. Fixes: 37745918e0e75 ("ALSA: timer: Introduce virtual userspace-driven timers") Signed-off-by: Dewei Meng <mengdewei@cqsoftware.com.cn> Link: https://patch.msgid.link/20250821014317.40786-1-mengdewei@cqsoftware.com.cn Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Sasha Levin <sashal@kernel.org> 2025-04-10T12:39:13+00:00 Takashi Iwai tiwai@suse.de 2025-03-21T17:26:52+00:00 urn:sha1:15291b561d8cc835a2eea76b394070cf8e072771 [ Upstream commit 3424c8f53bc63c87712a7fc22dc13d0cc85fb0d6 ] The infamous mmap_lock taken in copy_from/to_user() can be often problematic when it's called inside another mutex, as they might lead to deadlocks. In the case of ALSA timer code, the bad pattern is with guard(mutex)(&register_mutex) that covers copy_from/to_user() -- which was mistakenly introduced at converting to guard(), and it had been carefully worked around in the past. This patch fixes those pieces simply by moving copy_from/to_user() out of the register mutex lock again. Fixes: 3923de04c817 ("ALSA: pcm: oss: Use guard() for setup") Reported-by: syzbot+2b96f44164236dda0f3b@syzkaller.appspotmail.com Closes: https://lore.kernel.org/67dd86c8.050a0220.25ae54.0059.GAE@google.com Link: https://patch.msgid.link/20250321172653.14310-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Sasha Levin <sashal@kernel.org> 2024-09-27T15:18:43+00:00 Al Viro viro@zeniv.linux.org.uk 2024-09-27T01:56:11+00:00 urn:sha1:cb787f4ac0c2e439ea8d7e6387b925f74576bdf8 no_llseek had been defined to NULL two years ago, in commit 868941b14441 ("fs: remove no_llseek") To quote that commit, At -rc1 we'll need do a mechanical removal of no_llseek - git grep -l -w no_llseek | grep -v porting.rst | while read i; do sed -i '/\<no_llseek\>/d' $i done would do it. Unfortunately, that hadn't been done. Linus, could you do that now, so that we could finally put that thing to rest? All instances are of the form .llseek = no_llseek, so it's obviously safe. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2024-09-02T08:21:41+00:00 Takashi Iwai tiwai@suse.de 2024-09-02T07:52:27+00:00 urn:sha1:40a024b81d1cbad6bc8cd960481f025b43712b01 We used to wrap with no_free_ptr() for the return value from memdup_user() with errors where the auto cleanup is applied. This was a workaround because the initial implementation of kfree auto-cleanup checked only NULL pointers. Since recently, though, the kfree auto-cleanup checks with IS_ERR_OR_NULL() (by the commit cd7eb8f83fcf ("mm/slab: make __free(kfree) accept error pointers")), hence those workarounds became superfluous. Let's drop them now. Link: https://patch.msgid.link/20240902075246.3743-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de> 2024-09-02T08:18:11+00:00 Jinjie Ruan ruanjinjie@huawei.com 2024-09-02T07:16:22+00:00 urn:sha1:f48bd50a1c8d7d733b83a8fbabb3041e0d505fc7 1000000000L is number of ns per second, use NSEC_PER_SEC macro to replace it to make it more readable Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com> Link: https://patch.msgid.link/20240902071622.3519787-1-ruanjinjie@huawei.com Signed-off-by: Takashi Iwai <tiwai@suse.de> 2024-08-18T07:55:54+00:00 Ivan Orlov ivan.orlov0322@gmail.com 2024-08-13T12:07:00+00:00 urn:sha1:37745918e0e7575bc40f38da93a99b9fa6406224 Implement two ioctl calls in order to support virtual userspace-driven ALSA timers. The first ioctl is SNDRV_TIMER_IOCTL_CREATE, which gets the snd_timer_uinfo struct as a parameter and puts a file descriptor of a virtual timer into the `fd` field of the snd_timer_unfo structure. It also updates the `id` field of the snd_timer_uinfo struct, which provides a unique identifier for the timer (basically, the subdevice number which can be used when creating timer instances). This patch also introduces a tiny id allocator for the userspace-driven timers, which guarantees that we don't have more than 128 of them in the system. Another ioctl is SNDRV_TIMER_IOCTL_TRIGGER, which allows us to trigger the virtual timer (and calls snd_timer_interrupt for the timer under the hood), causing all of the timer instances binded to this timer to execute their callbacks. The maximum amount of ticks available for the timer is 1 for the sake of simplicity of the userspace API. 'start', 'stop', 'open' and 'close' callbacks for the userspace-driven timers are empty since we don't really do any hardware initialization here. Suggested-by: Axel Holzinger <aholzinger@gmx.de> Signed-off-by: Ivan Orlov <ivan.orlov0322@gmail.com> Signed-off-by: Takashi Iwai <tiwai@suse.de> Link: https://patch.msgid.link/20240813120701.171743-4-ivan.orlov0322@gmail.com 2024-08-10T08:49:14+00:00 Takashi Iwai tiwai@suse.de 2024-08-10T08:48:32+00:00 urn:sha1:ccbfcac05866ebe6eb3bc6d07b51d4ed4fcde436 The recent addition of a sanity check for a too low start tick time seems breaking some applications that uses aloop with a certain slave timer setup. They may have the initial resolution 0, hence it's treated as if it were a too low value. Relax and skip the check for the slave timer instance for addressing the regression. Fixes: 4a63bd179fa8 ("ALSA: timer: Set lower bound of start tick time") Cc: <stable@vger.kernel.org> Link: https://github.com/raspberrypi/linux/issues/6294 Link: https://patch.msgid.link/20240810084833.10939-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de> 2024-05-16T14:00:08+00:00 Takashi Iwai tiwai@suse.de 2024-05-14T18:27:36+00:00 urn:sha1:4a63bd179fa8d3fcc44a0d9d71d941ddd62f0c4e Currently ALSA timer doesn't have the lower limit of the start tick time, and it allows a very small size, e.g. 1 tick with 1ns resolution for hrtimer. Such a situation may lead to an unexpected RCU stall, where the callback repeatedly queuing the expire update, as reported by fuzzer. This patch introduces a sanity check of the timer start tick time, so that the system returns an error when a too small start size is set. As of this patch, the lower limit is hard-coded to 100us, which is small enough but can still work somehow. Reported-by: syzbot+43120c2af6ca2938cc38@syzkaller.appspotmail.com Closes: https://lore.kernel.org/r/000000000000fa00a1061740ab6d@google.com Cc: <stable@vger.kernel.org> Link: https://lore.kernel.org/r/20240514182745.4015-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de> 2024-03-15T10:16:47+00:00 Takashi Iwai tiwai@suse.de 2024-03-15T10:14:42+00:00 urn:sha1:587d67fd929ad89801bcc429675bda90d53f6592 The conversion to guard macro dropped the irq-disablement at closing mistakenly, which may lead to a race. Fix it. Fixes: beb45974dd49 ("ALSA: timer: Use guard() for locking") Reported-by: syzbot+28c1a5a5b041a754b947@syzkaller.appspotmail.com Closes: http://lore.kernel.org/r/0000000000000b9a510613b0145f@google.com Message-ID: <20240315101447.18395-1-tiwai@suse.de> Signed-off-by: Takashi Iwai <tiwai@suse.de> 2024-02-28T14:01:20+00:00 Takashi Iwai tiwai@suse.de 2024-02-27T08:52:45+00:00 urn:sha1:beb45974dd49068b24788bbfc2abe20d50503761 We can simplify the code gracefully with new guard() macro and co for automatic cleanup of locks. For making changes easier, some functions widen the application of register_mutex, but those shouldn't influence on any actual performance. Also, one code block was factored out as a function so that guard() can be applied cleanly without much indentation. There are still a few remaining explicit spin_lock/unlock calls, and those are for the places where we do temporary unlock/relock, which doesn't fit well with the guard(), so far. Only the code refactoring, and no functional changes. Signed-off-by: Takashi Iwai <tiwai@suse.de> Link: https://lore.kernel.org/r/20240227085306.9764-4-tiwai@suse.de