Embedding the ctl_dev in the snd_card object may result in UAF when
the delayed kobj release is used; at the delayed kobj release, it
still accesses the struct device itself while the card memory (that
embeds the struct device) may be already gone.
As a workaround, detach the struct device from the card object by
allocating via the new snd_device_alloc() helper. The rest are just
replacing ctl_dev access to the pointer.
This is based on the fix Curtis posted initially. In this patch, the
changes are split and use the new helper function instead.
Link: https://lore.kernel.org/r/20230801171928.1460120-1-cujomalainey@chromium.org
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Curtis Malainey <cujomalainey@chromium.org>
Tested-by: Curtis Malainey <cujomalainey@chromium.org>
Link: https://lore.kernel.org/r/20230816160252.23396-3-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
For reducing the unnecessary use of controls_rwsem in the drivers,
this patch adds a new variant for snd_ctl_find_*() helpers:
snd_ctl_find_id_locked() and snd_ctl_find_numid_locked() look for a
kctl element inside the card->controls_rwsem -- that is, doing the
very same as what snd_ctl_find_id() and snd_ctl_find_numid() did until
now. snd_ctl_find_id() and snd_ctl_find_numid() remain same,
i.e. still unlocked version, but they will be switched to locked
version once after all callers are replaced.
The patch also replaces the calls of snd_ctl_find_id() and
snd_ctl_find_numid() in a few places; all of those are places where we
know that the functions are called properly with controls_rwsem held.
All others are without rwsem (although they should have been).
After this patch, we'll turn on the locking in snd_ctl_find_id() and
snd_ctl_find_numid() to be more race-free.
Link: https://lore.kernel.org/r/20230718141304.1032-10-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Now that the driver core allows for struct class to be in read-only
memory, making all 'class' structures to be declared at build time
placing them into read-only memory, instead of having to be dynamically
allocated at load time.
Cc: Jaroslav Kysela <perex@perex.cz>
Cc: Takashi Iwai <tiwai@suse.com>
Cc: Ivan Orlov <ivan.orlov0322@gmail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Geoff Levand <geoff@infradead.org>
Cc: Thierry Reding <treding@nvidia.com>
Cc: "Uwe Kleine-König" <u.kleine-koenig@pengutronix.de>
Cc: alsa-devel@alsa-project.org
Suggested-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ivan Orlov <ivan.orlov0322@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://lore.kernel.org/r/20230620175633.641141-2-gregkh@linuxfoundation.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The use of strncpy() in the set_led_id() was incorrect.
The len variable should use 'min(sizeof(buf2) - 1, count)'
expression.
Use strscpy() function to simplify things and handle the error gracefully.
Fixes: a135dfb5de ("ALSA: led control - add sysfs kcontrol LED marking layer")
Reported-by: yang.yang29@zte.com.cn
Link: https://lore.kernel.org/alsa-devel/202301091945513559977@zte.com.cn/
Cc: <stable@vger.kernel.org>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
For sysfs outputs, it's safer to use a new helper, sysfs_emit(),
instead of the raw sprintf() & co. This patch replaces such sprintf()
calls with sysfs_emit() while simplifying the open code in
list_show().
Link: https://lore.kernel.org/r/20220801165639.26030-4-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The str variable should be always initialized before use even if
the switch covers all cases. This is a minimalistic fix: Assign NULL,
the sprintf() may print '(null)' if something is corrupted.
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
Link: https://lore.kernel.org/r/20210614071710.1786866-1-perex@perex.cz
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The snd_ctl_led_sysfs_add and snd_ctl_led_sysfs_remove should contain
the refcount operations in pair. However, snd_ctl_led_sysfs_remove fails
to decrease the refcount to zero, which causes device_release never to
be invoked. This leads to memory leak to some resources, like struct
device_private. In addition, we also free some other similar memory
leaks in snd_ctl_led_init/snd_ctl_led_exit.
Fix this by replacing device_del to device_unregister
in snd_ctl_led_sysfs_remove/snd_ctl_led_init/snd_ctl_led_exit.
Note that, when CONFIG_DEBUG_KOBJECT_RELEASE is enabled, put_device will
call kobject_release and delay the release of kobject, which will cause
use-after-free when the memory backing the kobject is freed at once.
Reported-by: syzbot+08a7d8b51ea048a74ffb@syzkaller.appspotmail.com
Fixes: a135dfb5de ("ALSA: led control - add sysfs kcontrol LED marking layer")
Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Link: https://lore.kernel.org/r/20210602034136.2762497-1-mudongliangabcd@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Use DEVICE_ATTR_*() helper instead of plain DEVICE_ATTR,
which makes the code a bit shorter and easier to read.
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Link: https://lore.kernel.org/r/20210523071109.28940-1-yuehaibing@huawei.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
It's a bad idea to allocate big structures on the stack.
Mark the variables as static and add a note for the locking.
Fixes: 22d8de62f1 ("ALSA: control - add generic LED trigger module as the new control layer")
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
Link: https://lore.kernel.org/r/20210414105858.1937710-1-perex@perex.cz
Signed-off-by: Takashi Iwai <tiwai@suse.de>
"group - 1" was intended here instead of "group". The current error
handling will double free the first item in the array and leak the last
item.
Fixes: cb17fe0045 ("ALSA: control - add sysfs support to the LED trigger module")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Link: https://lore.kernel.org/r/YHBJ4frGxErWB182@mwanda
Signed-off-by: Takashi Iwai <tiwai@suse.de>
If count is 16 then this will put the NUL terminator one element beyond
the end of the array.
Fixes: cb17fe0045 ("ALSA: control - add sysfs support to the LED trigger module")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Link: https://lore.kernel.org/r/YGcDOtrimR46vr0k@mwanda
Signed-off-by: Takashi Iwai <tiwai@suse.de>
It may be possible that the string pointer does not move
when parsing. Add a code which detects this state and
simply break the parser loop in this case.
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
Link: https://lore.kernel.org/r/20210331180725.663623-1-perex@perex.cz
Signed-off-by: Takashi Iwai <tiwai@suse.de>
We need to manage the kcontrol entries association for the LED trigger
from the user space. This patch adds a layer to the sysfs tree like:
/sys/devices/virtual/sound/ctl-led/mic
+ card0
| + attach
| + detach
| ...
+ card1
+ attach
...
Operations:
attach and detach
- amixer style ID is accepted and easy strings for numid and
simple names
reset
- reset all associated kcontrol entries
list
- list associated kcontrol entries (numid values only)
Additional symlinks:
/sys/devices/virtual/sound/ctl-led/mic/card0/card ->
/sys/class/sound/card0
/sys/class/sound/card0/controlC0/led-mic ->
/sys/devices/virtual/sound/ctl-led/mic/card0
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
Link: https://lore.kernel.org/r/20210317172945.842280-7-perex@perex.cz
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Create SYSFS/devices/virtual/sound/ctl-led tree
(with SYSFS/class/sound/ctl-led symlink).
speaker/
+-- mode
+-- brightness
mic/
+-- mode
+-- brightness
Copy the idea from the HDA driver and allow to set the audio
LEDs based on the various modes:
- follow mute
- follow moute (inverted to follow mute)
- off
- on
Also, the actual LED state is exposed.
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
Link: https://lore.kernel.org/r/20210317172945.842280-6-perex@perex.cz
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The recent laptops have usually two LEDs assigned to reflect
the speaker and microphone mute state. This implementation
adds a tiny layer on top of the control API which calculates
the state for those LEDs using the driver callbacks.
Two new access flags are introduced to describe the controls
which affects the audio path settings (an easy code change
for drivers).
The LED resource can be shared with multiple sound cards with
this code. The user space controls may be added to the state
chain on demand, too.
This code should replace the LED code in the HDA driver and
add a possibility to easy extend the other drivers (ASoC
codecs etc.).
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
Link: https://lore.kernel.org/r/20210317172945.842280-4-perex@perex.cz
Signed-off-by: Takashi Iwai <tiwai@suse.de>
