From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, syzbot+3902b5220e8ca27889ca@syzkaller.appspotmail.com, "Takashi Iwai"
Date: Wed, 28 Feb 2018 15:20:18 +0000
Subject: [PATCH 3.16 176/254] ALSA: aloop: Fix inconsistent format due to incomplete rule

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai

commit b088b53e20c7d09b5ab84c5688e609f478e5c417 upstream.

The extra hw constraint rule for the formats the aloop driver
introduced has a slight flaw, where it doesn't return a positive value
when the mask got changed.  It came from the fact that it's basically
a copy&paste from snd_hw_constraint_mask64().  The original code is
supposed to be a single-shot and it modifies the mask bits only once
and never after, while what we need for aloop is the dynamic hw rule
that limits the mask bits.

This difference results in the inconsistent state, as the hw_refine
doesn't apply the dependencies fully.  The worse and surprising
result is that it causes a crash in OSS emulation when multiple
full-duplex reads/writes are performed concurrently (I leave why it
triggers Oops to readers as a homework).

For fixing this, replace a few open-codes with the standard
snd_mask_*() macros.

Reported-by: syzbot+3902b5220e8ca27889ca@syzkaller.appspotmail.com
Fixes: b1c73fc8e697 ("ALSA: snd-aloop: Fix hw_params restrictions and checking")
Signed-off-by: Takashi Iwai
Signed-off-by: Ben Hutchings
---
 sound/drivers/aloop.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

--- a/sound/drivers/aloop.c
+++ b/sound/drivers/aloop.c @@ -39,6 +39,7 @@ #include #include #include +#include #include #include @@ -623,14 +624,12 @@ static int rule_format(struct snd_pcm_hw { struct snd_pcm_hardware *hw = rule->private; - struct snd_mask *maskp = hw_param_mask(params, rule->var); + struct snd_mask m; - maskp->bits[0] &= (u_int32_t)hw->formats; - maskp->bits[1] &= (u_int32_t)(hw->formats >> 32); - memset(maskp->bits + 2, 0, (SNDRV_MASK_MAX-64) / 8); /* clear rest */ - if (! maskp->bits[0] && ! maskp->bits[1]) - return -EINVAL; - return 0; + snd_mask_none(&m); + m.bits[0] = (u_int32_t)hw->formats; + m.bits[1] = (u_int32_t)(hw->formats >> 32); + return snd_mask_refine(hw_param_mask(params, rule->var), &m); } static int rule_rate(struct snd_pcm_hw_params *params,
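
Review bot: in the rule_format() hunk, the explicit "return -EINVAL" for an empty mask is dropped and neither the changelog nor the code says the empty case is still rejected. It is, because snd_mask_refine() returns -EINVAL when the refined mask ends up empty, but that deserves one sentence in the commit message or a comment above the return, since the whole fix rests on the rule's return value. The new body also still assigns m.bits[0] and m.bits[1] by hand, so "replace a few open-codes with the standard snd_mask_*() macros" only covers the clear and the intersect; a short comment that hw->formats is a 64-bit mask split across two 32-bit words would make the remaining open-coded part self-explanatory.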
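
The changelog's point about the rule's return value, shown as a userspace model added here (not kernel code and not from the patch or its author). All names, the three-format width table and the toy refine loop are assumptions; the model assumes the dependent rule runs before the format rule and is rerun only when a rule reports a change.

```c
#include <stdint.h>
/* Simplified userspace model; all names are hypothetical, not kernel code. */
struct params {
    uint64_t formats;  /* bitmask of allowed sample formats */
    int max_bits;      /* widest sample width implied by formats */
    int fmt_stamp;     /* bumped when a rule reports that formats changed */
};
static const int width_of[3] = { 8, 16, 32 };  /* constructed: bit i -> width */

/* Dependent rule: derive max_bits from the current format mask. */
static void rule_bits(struct params *p)
{
    p->max_bits = 0;
    for (int i = 0; i < 3; i++)
        if (((p->formats >> i) & 1) && width_of[i] > p->max_bits)
            p->max_bits = width_of[i];
}
/* Old shape: narrows the mask but never reports the change. */
static int rule_format_old(struct params *p, uint64_t hw)
{
    p->formats &= hw;
    return p->formats ? 0 : -22;  /* -22 stands in for -EINVAL */
}
/* Fixed shape: refine semantics, positive when the mask changed. */
static int rule_format_new(struct params *p, uint64_t hw)
{
    uint64_t before = p->formats;
    p->formats &= hw;
    return !p->formats ? -22 : p->formats != before;
}
/* Toy refine loop: the dependent rule reruns only when the stamp moved. */
static int refine(struct params *p, uint64_t hw,
                  int (*fmt)(struct params *, uint64_t))
{
    for (int seen = -1; seen != p->fmt_stamp; ) {
        seen = p->fmt_stamp;
        rule_bits(p);          /* runs first, depends on formats */
        int r = fmt(p, hw);    /* format rule, runs later */
        if (r < 0) return r;
        if (r > 0) p->fmt_stamp++;
    }
    return 0;
}
/* max_bits after refining an "all formats" request against hw, -1 on error. */
int max_bits_after(uint64_t hw, int use_new)
{
    struct params p = { .formats = 0x7 };
    int r = refine(&p, hw, use_new ? rule_format_new : rule_format_old);
    return r < 0 ? -1 : p.max_bits;
}
int main(void) { return max_bits_after(0x1, 1) == 8 ? 0 : 1; }
```

With hw limited to the 8-bit format, the old rule leaves max_bits at 32 although only the 8-bit format remains, which is the inconsistent state the changelog describes; the fixed rule triggers a second pass and ends at 8.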