summaryrefslogtreecommitdiff
path: root/sound/pci/asihpi/hpioctl.c
AgeCommit message (Collapse)AuthorFilesLines
2020-10-01ALSA: asihpi: fix iounmap in error handlerTom Rix1-2/+2
[ Upstream commit 472eb39103e885f302fd8fd6eff104fcf5503f1b ] clang static analysis flags this problem hpioctl.c:513:7: warning: Branch condition evaluates to a garbage value if (pci.ap_mem_base[idx]) { ^~~~~~~~~~~~~~~~~~~~ If there is a failure in the middle of the memory space loop, only some of the memory spaces need to be cleaned up. At the error handler, idx holds the number of successful memory spaces mapped. So rework the handler loop to use the old idx. There is a second problem, the memory space loop conditionally iomaps()/sets the mem_base so it is necessay to initize pci. Fixes: 719f82d3987a ("ALSA: Add support of AudioScience ASI boards") Signed-off-by: Tom Rix <trix@redhat.com> Link: https://lore.kernel.org/r/20200913165230.17166-1-trix@redhat.com Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Sasha Levin <sashal@kernel.org>
2018-05-01ALSA: asihpi: Hardening for potential Spectre v1Takashi Iwai1-1/+3
commit f9d94b57e30fd1575b4935045b32d738668aa74b upstream. As recently Smatch suggested, a couple of places in ASIHPI driver may expand the array directly from the user-space value with speculation: sound/pci/asihpi/hpimsginit.c:70 hpi_init_response() warn: potential spectre issue 'res_size' (local cap) sound/pci/asihpi/hpioctl.c:189 asihpi_hpi_ioctl() warn: potential spectre issue 'adapters' This patch puts array_index_nospec() for hardening against them. BugLink: https://marc.info/?l=linux-kernel&m=152411496503418&w=2 Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-09-19ALSA: asihpi: fix a potential double-fetch bug when copying puhmMeng Xu1-4/+8
The hm->h.size is intended to hold the actual size of the hm struct that is copied from userspace and should always be <= sizeof(*hm). However, after copy_from_user(hm, puhm, hm->h.size), since userspace process has full control over the memory region pointed by puhm, it is possible that the value of hm->h.size is different from what is fetched-in previously (get_user(hm->h.size, (u16 __user *)puhm)). In other words, hm->h.size is overriden and the relation between hm->h.size and the hm struct is broken. This patch proposes to use a seperate variable, msg_size, to hold the value of the first fetch and override hm->h.size to msg_size after the second fetch to maintain the relation. Signed-off-by: Meng Xu <mengxu.gatech@gmail.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2016-10-18ALSA: asihpi: fix kernel memory disclosureVlad Tsyrklevich1-1/+1
Some elements in hr are not cleared before being copied to user space, leaking kernel heap memory to user space. For example, this happens in the error handling code for the HPI_ADAPTER_DELETE case. Zero the memory before it's copied. Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2015-06-03x86/mm: Decouple <linux/vmalloc.h> from <asm/io.h>Stephen Rothwell1-0/+1
Nothing in <asm/io.h> uses anything from <linux/vmalloc.h>, so remove it from there and fix up the resulting build problems triggered on x86 {64|32}-bit {def|allmod|allno}configs. The breakages were triggering in places where x86 builds relied on vmalloc() facilities but did not include <linux/vmalloc.h> explicitly and relied on the implicit inclusion via <asm/io.h>. Also add: - <linux/init.h> to <linux/io.h> - <asm/pgtable_types> to <asm/io.h> ... which were two other implicit header file dependencies. Suggested-by: David Miller <davem@davemloft.net> Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au> [ Tidied up the changelog. ] Acked-by: David Miller <davem@davemloft.net> Acked-by: Takashi Iwai <tiwai@suse.de> Acked-by: Viresh Kumar <viresh.kumar@linaro.org> Acked-by: Vinod Koul <vinod.koul@intel.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Anton Vorontsov <anton@enomsg.org> Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com> Cc: Colin Cross <ccross@android.com> Cc: David Vrabel <david.vrabel@citrix.com> Cc: H. Peter Anvin <hpa@zytor.com> Cc: Haiyang Zhang <haiyangz@microsoft.com> Cc: James E.J. Bottomley <JBottomley@odin.com> Cc: Jaroslav Kysela <perex@perex.cz> Cc: K. Y. Srinivasan <kys@microsoft.com> Cc: Kees Cook <keescook@chromium.org> Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Cc: Kristen Carlson Accardi <kristen@linux.intel.com> Cc: Len Brown <lenb@kernel.org> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Rafael J. Wysocki <rjw@rjwysocki.net> Cc: Suma Ramars <sramars@cisco.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Tony Luck <tony.luck@intel.com> Signed-off-by: Ingo Molnar <mingo@kernel.org>
2015-01-28ALSA: Include linux/uaccess.h and linux/bitopts.h instead of asm/*Takashi Iwai1-1/+1
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2015-01-04ALSA: Deletion of checks before the function call "iounmap"Markus Elfring1-4/+2
The iounmap() function performs also input parameter validation. Thus the test around the call is not needed. This issue was detected by using the Coccinelle software. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2014-12-31ALSA: asihpi: fix an information leak in asihpi_hpi_ioctl()Eliot Blennerhassett1-0/+2
Add missing limits to keep copied data within allocated buffer. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Eliot Blennerhassett <eliot@blennerhassett.gen.nz> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2014-12-02ALSA: asihpi: Deletion of an unnecessary check before the function call "vfree"Markus Elfring1-2/+1
The vfree() function performs also input parameter validation. Thus the test around the call is not needed. This issue was detected by using the Coccinelle software. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2014-11-23ALSA: asihpi: don't fail probe if adapter mode read failsEliot Blennerhassett1-7/+6
Only determining if low latency mode is enabled. Failure indicates adapter has no modes Signed-off-by: Eliot Blennerhassett <eliot@blennerhassett.gen.nz> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2014-11-23ALSA: asihpi: Add support for stream interrupt.Eliot Blennerhassett1-9/+115
Some cards have a so-called low-latency mode, in which they present a single multichannel stream with no mixing or samplerate conversion. In this mode the card can generate an interrupt per internal processing block (typically 32 or 64 frames) Signed-off-by: Eliot Blennerhassett <eliot@blennerhassett.gen.nz> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2013-05-29ALSA: PCI: Remove superfluous pci_set_drvdata(pci, NULL) at removeTakashi Iwai1-1/+0
As drvdata is cleared to NULL at probe failure or at removal by the driver core, we don't have to call pci_set_drvdata(pci, NULL) any longer in each driver. The only remaining pci_set_drvdata(NULL) is in azx_firmware_cb() in hda_intel.c. Since this function itself releases the card instance, we need to clear drvdata here as well, so that it won't be released doubly in the remove callback. Signed-off-by: Takashi Iwai <tiwai@suse.de>
2012-12-07ALSA: pci: remove __dev* attributesBill Pemberton1-3/+3
CONFIG_HOTPLUG is going away as an option. As result the __dev* markings will be going away. Remove use of __devinit, __devexit_p, __devinitdata, __devinitconst, and __devexit. Signed-off-by: Bill Pemberton <wfp5p@virginia.edu> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2012-10-28ALSA: Convert dev_printk(KERN_<LEVEL> to dev_<level>(Joe Perches1-9/+8
dev_<level> calls take less code than dev_printk(KERN_<LEVEL> and reducing object size is good. Coalesce multiline formats for easier grep. Coalesce segmented single line formats too. Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2011-12-22ALSA: asihpi - Remove redundant struct members.Eliot Blennerhassett1-36/+26
Structs hpi_adapter and snd_card_asihpi had members that duplicate those in underlying hpi_adapter_obj or whose info can be retrieved using hpi_adapter_get_info(). Print less info in probe function, it can be retrieved from /proc. Avoid name redundancy: hpi_adapter_obj.adapter_type renamed to .type Signed-off-by: Eliot Blennerhassett <eblennerhassett@audioscience.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2011-12-22ALSA: asihpi - Split hpi version info into separate header file.Eliot Blennerhassett1-0/+1
and update HPI version to 4.10 Signed-off-by: Eliot Blennerhassett <eblennerhassett@audioscience.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2011-11-01sound: Add module.h to the previously silent sound usersPaul Gortmaker1-0/+1
Lots of sound drivers were getting module.h via the implicit presence of it in <linux/device.h> but we are going to clean that up. So fix up those users now. Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
2011-08-02ALSA: asihpi - Clarify adapter index validity checkEliot Blennerhassett1-7/+12
Avoids assigning possibly invalid address to pa, even if it is never dereferenced. Correct error response to reflect request object/function ids. Signed-off-by: Eliot Blennerhassett <eblennerhassett@audioscience.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2011-07-27ALSA: asihpi - off by one in asihpi_hpi_ioctl()Dan Carpenter1-1/+1
"adapter" is used as an array index in the adapters[] array so the off by one would make us read past the end. 1c073b67979 "ALSA: asihpi - Remove spurious adapter index check" reverted Dan Rosenberg's check that would have prevented the overflow here. Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2011-07-27ALSA: asihpi - bug fix pa use before init.Eliot Blennerhassett1-7/+4
Fixes bug introduced by 1c073b67. Also declare pa local to block in which it is used. Signed-off-by: Eliot Blennerhassett <eblennerhassett@audioscience.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2011-07-22ALSA: asihpi - Remove spurious adapter index checkEliot Blennerhassett1-7/+3
Subsystem requests don't have or need a valid adapter index. The adapter index is already checked further on, before it is used to index the adapters array. (Reverts 4a122c10f) Signed-off-by: Eliot Blennerhassett <eblennerhassett@audioscience.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2011-04-05ALSA: asihpi: Minor cleanupsEliot Blennerhassett1-6/+3
Remove some unneeded defintions Use %pR to print resources Make some data const Consistent braces for else Signed-off-by: Eliot Blennerhassett <eblennerhassett@audioscience.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2011-04-05ALSA: asihpi: Simplify driver unload cleanupEliot Blennerhassett1-26/+28
Replacing subsys_delete_adapter with adapter_delete allows some special-case adapter lookup code to be removed. Signed-off-by: Eliot Blennerhassett <eblennerhassett@audioscience.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2011-03-18ALSA: sound/pci/asihpi: check adapter index in hpi_ioctlDan Rosenberg1-0/+5
The user-supplied index into the adapters array needs to be checked, or an out-of-bounds kernel pointer could be accessed and used, leading to potentially exploitable memory corruption. Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> Cc: <stable@kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2011-02-10ALSA: asihpi - Ensure all adapter data is cleared on device removal.Eliot Blennerhassett1-3/+3
Signed-off-by: Eliot Blennerhassett <eblennerhassett@audioscience.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2011-02-10ALSA: asihpi - Replace adapter list with single item in subsys response.Eliot Blennerhassett1-1/+1
Signed-off-by: Eliot Blennerhassett <eblennerhassett@audioscience.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2011-02-10ALSA: asihpi - Remove unused subsys pointer from all HPI functions.Eliot Blennerhassett1-1/+1
asihpi.c don't link playback and capture streams, there is too much offset between them. Signed-off-by: Eliot Blennerhassett <eblennerhassett@audioscience.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2011-02-10ALSA: asihpi - Interrelated HPI tidy up.Eliot Blennerhassett1-39/+36
Remove many unused functions. Update some message and cache structs. Use pci info directly from pci_dev. Allow control cache elements with variable size, and handle large message/response from dsp. hpi6000 and hpi6205: fix error path when adapter bootload fails. hpimsgx.c get rid of code duplicated in hpicmn.c Signed-off-by: Eliot Blennerhassett <eblennerhassett@audioscience.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2010-11-22ALSA: sound/pci/asihpi/hpioctl.c: Remove unnecessary casts of pci_get_drvdataJoe Perches1-1/+1
Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2010-07-29ALSA: asihpi: check return value of get_user()Kulikov Vasiliy1-4/+13
get_user() may fail, if so return -EFAULT. Signed-off-by: Kulikov Vasiliy <segooon@gmail.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2010-07-06ALSA: asihpi - Use version string instead of printf formattingEliot Blennerhassett1-3/+1
Signed-off-by: Eliot Blennerhassett <eblennerhassett@audioscience.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2010-04-22ALSA: Add support of AudioScience ASI boardsEliot Blennerhassett1-0/+484
Added the support of AudioScience ASI boards. The driver has been tested for years on alsa-driver external tree, now finally got merged to the kernel. Signed-off-by: Eliot Blennerhassett <eblennerhassett@audioscience.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>