<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/sound/core/timer.c, branch v4.7</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
</subtitle>
<id>https://git.shady.money/linux/atom?h=v4.7</id>
<link rel='self' href='https://git.shady.money/linux/atom?h=v4.7'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/'/>
<updated>2016-07-04T12:02:15Z</updated>
<entry>
<title>ALSA: timer: Fix negative queue usage by racy accesses</title>
<updated>2016-07-04T12:02:15Z</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2016-07-04T12:02:15Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=3fa6993fef634e05d200d141a85df0b044572364'/>
<id>urn:sha1:3fa6993fef634e05d200d141a85df0b044572364</id>
<content type='text'>
The user timer tu-&gt;qused counter may go to a negative value when
multiple concurrent reads are performed since both the check and the
decrement of tu-&gt;qused are done in two individual locked contexts.
This results in bogus read outs, and the endless loop in the
user-space side.

The fix is to move the decrement of the tu-&gt;qused counter into the
same spinlock context as the zero-check of the counter.

Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt</title>
<updated>2016-05-08T09:36:17Z</updated>
<author>
<name>Kangjie Lu</name>
<email>kangjielu@gmail.com</email>
</author>
<published>2016-05-03T20:44:32Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=e4ec8cc8039a7063e24204299b462bd1383184a5'/>
<id>urn:sha1:e4ec8cc8039a7063e24204299b462bd1383184a5</id>
<content type='text'>
The stack object “r1” has a total size of 32 bytes. Its field
“event” and “val” both contain 4 bytes padding. These 8 bytes
padding bytes are sent to user without being initialized.

Signed-off-by: Kangjie Lu &lt;kjlu@gatech.edu&gt;
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: timer: Fix leak in events via snd_timer_user_ccallback</title>
<updated>2016-05-08T09:36:07Z</updated>
<author>
<name>Kangjie Lu</name>
<email>kangjielu@gmail.com</email>
</author>
<published>2016-05-03T20:44:20Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6'/>
<id>urn:sha1:9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6</id>
<content type='text'>
The stack object “r1” has a total size of 32 bytes. Its field
“event” and “val” both contain 4 bytes padding. These 8 bytes
padding bytes are sent to user without being initialized.

Signed-off-by: Kangjie Lu &lt;kjlu@gatech.edu&gt;
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS</title>
<updated>2016-05-08T09:31:27Z</updated>
<author>
<name>Kangjie Lu</name>
<email>kangjielu@gmail.com</email>
</author>
<published>2016-05-03T20:44:07Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=cec8f96e49d9be372fdb0c3836dcf31ec71e457e'/>
<id>urn:sha1:cec8f96e49d9be372fdb0c3836dcf31ec71e457e</id>
<content type='text'>
The stack object “tread” has a total size of 32 bytes. Its field
“event” and “val” both contain 4 bytes padding. These 8 bytes
padding bytes are sent to user without being initialized.

Signed-off-by: Kangjie Lu &lt;kjlu@gatech.edu&gt;
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: timer: remove legacy rtctimer</title>
<updated>2016-04-25T08:41:46Z</updated>
<author>
<name>Alexandre Belloni</name>
<email>alexandre.belloni@free-electrons.com</email>
</author>
<published>2016-04-23T00:58:05Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=34ce71a96dcba24c71b07f1b087bd179b885784d'/>
<id>urn:sha1:34ce71a96dcba24c71b07f1b087bd179b885784d</id>
<content type='text'>
There are no users of rtctimer left. Remove its code as this is the
in-kernel user of the legacy PC RTC driver that will hopefully be removed
at some point.

Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@free-electrons.com&gt;
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: timer: Use mod_timer() for rearming the system timer</title>
<updated>2016-04-01T10:28:16Z</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2016-04-01T10:28:16Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=4a07083ed613644c96c34a7dd2853dc5d7c70902'/>
<id>urn:sha1:4a07083ed613644c96c34a7dd2853dc5d7c70902</id>
<content type='text'>
ALSA system timer backend stops the timer via del_timer() without sync
and leaves del_timer_sync() at the close instead.  This is because of
the restriction by the design of ALSA timer: namely, the stop callback
may be called from the timer handler, and calling the sync shall lead
to a hangup.  However, this also triggers a kernel BUG() when the
timer is rearmed immediately after stopping without sync:
 kernel BUG at kernel/time/timer.c:966!
 Call Trace:
  &lt;IRQ&gt;
  [&lt;ffffffff8239c94e&gt;] snd_timer_s_start+0x13e/0x1a0
  [&lt;ffffffff8239e1f4&gt;] snd_timer_interrupt+0x504/0xec0
  [&lt;ffffffff8122fca0&gt;] ? debug_check_no_locks_freed+0x290/0x290
  [&lt;ffffffff8239ec64&gt;] snd_timer_s_function+0xb4/0x120
  [&lt;ffffffff81296b72&gt;] call_timer_fn+0x162/0x520
  [&lt;ffffffff81296add&gt;] ? call_timer_fn+0xcd/0x520
  [&lt;ffffffff8239ebb0&gt;] ? snd_timer_interrupt+0xec0/0xec0
  ....

It's the place where add_timer() checks the pending timer.  It's clear
that this may happen after the immediate restart without sync in our
cases.

So, the workaround here is just to use mod_timer() instead of
add_timer().  This looks like a band-aid fix, but it's a right move,
as snd_timer_interrupt() takes care of the continuous rearm of timer.

Reported-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: timer: fix gparams ioctl compatibility for different architectures</title>
<updated>2016-03-23T07:06:16Z</updated>
<author>
<name>Takashi Sakamoto</name>
<email>o-takashi@sakamocchi.jp</email>
</author>
<published>2016-03-22T23:03:59Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=91d2178e26fdc806f33063f9df5904a48e3b6aeb'/>
<id>urn:sha1:91d2178e26fdc806f33063f9df5904a48e3b6aeb</id>
<content type='text'>
'struct snd_timer_gparams' includes some members with 'unsigned long',
therefore its size differs depending on data models of architecture. As
a result, x86/x32 applications fail to execute ioctl(2) with
SNDRV_TIMER_GPARAMS command on x86_64 machine.

This commit fixes this bug by adding a pair of structure and ioctl
command for the compatibility.

Signed-off-by: Takashi Sakamoto &lt;o-takashi@sakamocchi.jp&gt;
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: timer: Call notifier in the same spinlock</title>
<updated>2016-02-12T14:07:31Z</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2016-02-10T11:47:03Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=f65e0d299807d8a11812845c972493c3f9a18e10'/>
<id>urn:sha1:f65e0d299807d8a11812845c972493c3f9a18e10</id>
<content type='text'>
snd_timer_notify1() is called outside the spinlock and it retakes the
lock after the unlock.  This is rather racy, and it's safer to move
snd_timer_notify() call inside the main spinlock.

The patch also contains a slight refactoring / cleanup of the code.
Now all start/stop/continue/pause look more symmetric and a bit better
readable.

Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: timer: Protect the whole snd_timer_close() with open race</title>
<updated>2016-02-10T11:56:07Z</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2016-02-10T10:53:30Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=9984d1b5835ca29fc7025186a891ee7398d21cc7'/>
<id>urn:sha1:9984d1b5835ca29fc7025186a891ee7398d21cc7</id>
<content type='text'>
In order to make the open/close more robust, widen the register_mutex
protection over the whole snd_timer_close() function.  Also, the close
procedure is slightly shuffled to be in the safer order, as well as a
few code refactoring.

Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: timer: Fix race at concurrent reads</title>
<updated>2016-02-09T11:23:42Z</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2016-02-08T16:26:58Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=4dff5c7b7093b19c19d3a100f8a3ad87cb7cd9e7'/>
<id>urn:sha1:4dff5c7b7093b19c19d3a100f8a3ad87cb7cd9e7</id>
<content type='text'>
snd_timer_user_read() has a potential race among parallel reads, as
qhead and qused are updated outside the critical section due to
copy_to_user() calls.  Move them into the critical section, and also
sanitize the relevant code a bit.

Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
</feed>
