Patch "ALSA: timer: Fix zero-division by continue of uninitialized instance" has been added to the 4.7-stable tree

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* Patch "ALSA: timer: Fix zero-division by continue of uninitialized instance" has been added to the 4.7-stable tree
@ 2016-09-12 15:18 gregkh
  0 siblings, 0 replies; only message in thread
From: gregkh @ 2016-09-12 15:18 UTC (permalink / raw)
  To: tiwai, dvyukov, gregkh; +Cc: stable, stable-commits


This is a note to let you know that I've just added the patch titled

    ALSA: timer: Fix zero-division by continue of uninitialized instance

to the 4.7-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     alsa-timer-fix-zero-division-by-continue-of-uninitialized-instance.patch
and it can be found in the queue-4.7 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 9f8a7658bcafb2a7853f7a2eae8a94e87e6e695b Mon Sep 17 00:00:00 2001
From: Takashi Iwai <tiwai@suse.de>
Date: Wed, 7 Sep 2016 15:45:31 +0200
Subject: ALSA: timer: Fix zero-division by continue of uninitialized instance

From: Takashi Iwai <tiwai@suse.de>

commit 9f8a7658bcafb2a7853f7a2eae8a94e87e6e695b upstream.

When a user timer instance is continued without the explicit start
beforehand, the system gets eventually zero-division error like:

  divide error: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
  CPU: 1 PID: 27320 Comm: syz-executor Not tainted 4.8.0-rc3-next-20160825+ #8
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
   task: ffff88003c9b2280 task.stack: ffff880027280000
   RIP: 0010:[<ffffffff858e1a6c>]  [<     inline     >] ktime_divns include/linux/ktime.h:195
   RIP: 0010:[<ffffffff858e1a6c>]  [<ffffffff858e1a6c>] snd_hrtimer_callback+0x1bc/0x3c0 sound/core/hrtimer.c:62
  Call Trace:
   <IRQ>
   [<     inline     >] __run_hrtimer kernel/time/hrtimer.c:1238
   [<ffffffff81504335>] __hrtimer_run_queues+0x325/0xe70 kernel/time/hrtimer.c:1302
   [<ffffffff81506ceb>] hrtimer_interrupt+0x18b/0x420 kernel/time/hrtimer.c:1336
   [<ffffffff8126d8df>] local_apic_timer_interrupt+0x6f/0xe0 arch/x86/kernel/apic/apic.c:933
   [<ffffffff86e13056>] smp_apic_timer_interrupt+0x76/0xa0 arch/x86/kernel/apic/apic.c:957
   [<ffffffff86e1210c>] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:487
   <EOI>
   .....

Although a similar issue was spotted and a fix patch was merged in
commit [6b760bb2c63a: ALSA: timer: fix division by zero after
SNDRV_TIMER_IOCTL_CONTINUE], it seems covering only a part of
iceberg.

In this patch, we fix the issue a bit more drastically.  Basically the
continue of an uninitialized timer is supposed to be a fresh start, so
we do it for user timers.  For the direct snd_timer_continue() call,
there is no way to pass the initial tick value, so we kick out for the
uninitialized case.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/core/timer.c |   14 ++++++++++++++
 1 file changed, 14 insertions(+)

--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -35,6 +35,9 @@
 #include <sound/initval.h>
 #include <linux/kmod.h>
 
+/* internal flags */
+#define SNDRV_TIMER_IFLG_PAUSED		0x00010000
+
 #if IS_ENABLED(CONFIG_SND_HRTIMER)
 #define DEFAULT_TIMER_LIMIT 4
 #else
@@ -539,6 +542,10 @@ static int snd_timer_stop1(struct snd_ti
 		}
 	}
 	timeri->flags &= ~(SNDRV_TIMER_IFLG_RUNNING | SNDRV_TIMER_IFLG_START);
+	if (stop)
+		timeri->flags &= ~SNDRV_TIMER_IFLG_PAUSED;
+	else
+		timeri->flags |= SNDRV_TIMER_IFLG_PAUSED;
 	snd_timer_notify1(timeri, stop ? SNDRV_TIMER_EVENT_STOP :
 			  SNDRV_TIMER_EVENT_CONTINUE);
  unlock:
@@ -600,6 +607,10 @@ int snd_timer_stop(struct snd_timer_inst
  */
 int snd_timer_continue(struct snd_timer_instance *timeri)
 {
+	/* timer can continue only after pause */
+	if (!(timeri->flags & SNDRV_TIMER_IFLG_PAUSED))
+		return -EINVAL;
+
 	if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE)
 		return snd_timer_start_slave(timeri, false);
 	else
@@ -1831,6 +1842,9 @@ static int snd_timer_user_continue(struc
 	tu = file->private_data;
 	if (!tu->timeri)
 		return -EBADFD;
+	/* start timer instead of continue if it's not used before */
+	if (!(tu->timeri->flags & SNDRV_TIMER_IFLG_PAUSED))
+		return snd_timer_user_start(file);
 	tu->timeri->lost = 0;
 	return (err = snd_timer_continue(tu->timeri)) < 0 ? err : 0;
 }


Patches currently in stable-queue which might be from tiwai@suse.de are

queue-4.7/alsa-rawmidi-fix-possible-deadlock-with-virmidi-registration.patch
queue-4.7/alsa-fireworks-accessing-to-user-space-outside-spinlock.patch
queue-4.7/alsa-firewire-tascam-accessing-to-user-space-outside-spinlock.patch
queue-4.7/alsa-timer-fix-null-pointer-dereference-on-memory-allocation-failure.patch
queue-4.7/alsa-hda-add-headset-mic-quirk-for-dell-inspiron-5468.patch
queue-4.7/alsa-timer-fix-zero-division-by-continue-of-uninitialized-instance.patch
queue-4.7/alsa-timer-fix-null-pointer-dereference-in-read-ioctl-race.patch
queue-4.7/alsa-timer-fix-division-by-zero-after-sndrv_timer_ioctl_continue.patch
queue-4.7/alsa-hda-enable-subwoofer-on-dell-inspiron-7559.patch
queue-4.7/alsa-usb-audio-add-sample-rate-inquiry-quirk-for-b850v3-cp2114.patch

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2016-09-12 15:18 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-09-12 15:18 Patch "ALSA: timer: Fix zero-division by continue of uninitialized instance" has been added to the 4.7-stable tree gregkh

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).