History log of /linux-master/sound/core/oss/pcm_plugin.c
Revision Date Author Comments
# efb6402c 18-Mar-2022 Takashi Iwai <tiwai@suse.de>

ALSA: oss: Fix PCM OSS buffer allocation overflow

We've got syzbot reports hitting INT_MAX overflow at vmalloc()
allocation that is called from snd_pcm_plug_alloc(). Although we
apply the restrictions to input parameters, it's based only on the
hw_params of the underlying PCM device. Since the PCM OSS layer
allocates a temporary buffer for the data conversion, the size may
become unexpectedly large when more channels or higher rates are given;
in the reported case, it went over INT_MAX, hence it hits WARN_ON().

This patch is an attempt to avoid such an overflow and an allocation
for too large buffers. First off, it adds the limit of 1MB as the
upper bound for period bytes. This must be large enough for all use
cases, and we really don't want to handle a larger temporary buffer
than this size. The size check is performed at two places, where the
original period bytes is calculated and where the plugin buffer size
is calculated.

In addition, the driver uses array_size() and array3_size() for
multiplications to catch overflows for the converted period size and
buffer bytes.

Reported-by: syzbot+72732c532ac1454eeee9@syzkaller.appspotmail.com
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/00000000000085b1b305da5a66f3@google.com
Link: https://lore.kernel.org/r/20220318082036.29699-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
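
The sizing pattern this commit message describes (overflow-catching multiplication plus a 1MB cap), as an added userspace example; it is not code from the commit or from the kernel. `sat_mul3`, `unchecked_buf_bytes`, `checked_buf_bytes` and `MAX_PERIOD_BYTES` are hypothetical names, and the inputs are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: the 1MB upper bound for period bytes named in the commit. */
#define MAX_PERIOD_BYTES ((size_t)1024 * 1024)

/* Saturating three-way multiply: SIZE_MAX on overflow, the convention the
 * kernel's array3_size() uses. Userspace stand-in, not the kernel helper. */
static size_t sat_mul3(size_t a, size_t b, size_t c)
{
    size_t r;

    if (__builtin_mul_overflow(a, b, &r) || __builtin_mul_overflow(r, c, &r))
        return SIZE_MAX;
    return r;
}

/* "Before" shape: 32-bit arithmetic silently wraps modulo 2^32. */
static uint32_t unchecked_buf_bytes(uint32_t frames, uint32_t ch, uint32_t width)
{
    return frames * ch * width;
}

/* Hypothetical hardened sizing: saturate, then enforce the cap. A saturated
 * SIZE_MAX always exceeds the cap, so overflow and "too large" share a path. */
static long checked_buf_bytes(size_t frames, size_t ch, size_t width)
{
    size_t bytes = sat_mul3(frames, ch, width);

    if (bytes == 0 || bytes > MAX_PERIOD_BYTES)
        return -EINVAL;
    return (long)bytes;
}

int main(void)
{
    /* Constructed inputs: 2^20 frames * 1024 channels * 4 bytes = 2^32. */
    printf("unchecked: %u\n", unchecked_buf_bytes(1u << 20, 1024, 4));
    printf("checked:   %ld\n", checked_buf_bytes((size_t)1 << 20, 1024, 4));
    printf("sane:      %ld\n", checked_buf_bytes(1024, 2, 2));
    return 0;
}
```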


# 51c816fd 08-Jun-2021 Takashi Iwai <tiwai@suse.de>

ALSA: oss: Fix assignment in if condition

There are a few places doing assignments in if condition in ALSA PCM
and OSS emulation layers, which is a bad coding style that may confuse
readers and occasionally lead to bugs.

This patch is merely for coding-style fixes, no functional changes.

Link: https://lore.kernel.org/r/20210608140540.17885-56-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>


# c0dbbdad 08-Jul-2020 Gustavo A. R. Silva <gustavoars@kernel.org>

ALSA: Use fallthrough pseudo-keyword

Replace the existing /* fall through */ comments and its variants with
the new pseudo-keyword macro fallthrough[1]. Also, remove unnecessary
fall-through markings when it is the case.

[1] https://www.kernel.org/doc/html/latest/process/deprecated.html?highlight=fallthrough#implicit-switch-case-fall-through

Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Link: https://lore.kernel.org/r/20200708203236.GA5112@embeddedor
Signed-off-by: Takashi Iwai <tiwai@suse.de>


# ac957e8c 24-Apr-2020 Takashi Iwai <tiwai@suse.de>

ALSA: pcm: oss: Place the plugin buffer overflow checks correctly (for 5.7)

[ This is again a forward-port of the fix applied for 5.6-base code
(commit 4285de0725b1) to 5.7-base, hence neither Fixes nor
Cc-to-stable tags are included here -- tiwai ]

The checks of the plugin buffer overflow in the previous fix by commit
f2ecf903ef06 ("ALSA: pcm: oss: Avoid plugin buffer overflow")
are put in the wrong places mistakenly, which leads to the expected
(repeated) sound when the rate plugin is involved. Fix in the right
places.

Also, at those right places, the zero check is needed for the
termination node, so added there as well, and let's get it done,
finally.

Link: https://lore.kernel.org/r/20200424193843.20397-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>


# 4285de07 24-Apr-2020 Takashi Iwai <tiwai@suse.de>

ALSA: pcm: oss: Place the plugin buffer overflow checks correctly

The checks of the plugin buffer overflow in the previous fix by commit
f2ecf903ef06 ("ALSA: pcm: oss: Avoid plugin buffer overflow")
are put in the wrong places mistakenly, which leads to the expected
(repeated) sound when the rate plugin is involved. Fix in the right
places.

Also, at those right places, the zero check is needed for the
termination node, so added there as well, and let's get it done,
finally.

Fixes: f2ecf903ef06 ("ALSA: pcm: oss: Avoid plugin buffer overflow")
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200424193350.19678-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>


# ff7e06a5 03-Apr-2020 Takashi Iwai <tiwai@suse.de>

ALSA: pcm: oss: Fix regression by buffer overflow fix (again)

[ This is essentially the same fix as commit ae769d355664, but it's
adapted to the latest code for 5.7; hence it contains no Fixes or
other tags to avoid backport confusion -- tiwai ]

The recent fix for the OOB access in PCM OSS plugins (commit
f2ecf903ef06: "ALSA: pcm: oss: Avoid plugin buffer overflow") caused a
regression on OSS applications. The patch introduced the size check
in client and slave size calculations to limit to each plugin's buffer
size, but I overlooked that some code paths call those without
allocating the buffer but just for estimation.

This patch fixes the bug by skipping the size check for those code
paths while keeping checking in the actual transfer calls.

Link: https://lore.kernel.org/r/20200403073818.27943-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>


# ae769d35 03-Apr-2020 Takashi Iwai <tiwai@suse.de>

ALSA: pcm: oss: Fix regression by buffer overflow fix

The recent fix for the OOB access in PCM OSS plugins (commit
f2ecf903ef06: "ALSA: pcm: oss: Avoid plugin buffer overflow") caused a
regression on OSS applications. The patch introduced the size check
in client and slave size calculations to limit to each plugin's buffer
size, but I overlooked that some code paths call those without
allocating the buffer but just for estimation.

This patch fixes the bug by skipping the size check for those code
paths while keeping checking in the actual transfer calls.

Fixes: f2ecf903ef06 ("ALSA: pcm: oss: Avoid plugin buffer overflow")
Tested-and-reported-by: Jari Ruusu <jari.ruusu@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200403072515.25539-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>


# 5461e053 12-Mar-2020 Takashi Iwai <tiwai@suse.de>

ALSA: pcm: oss: Remove WARNING from snd_pcm_plug_alloc() checks

The return value checks in snd_pcm_plug_alloc() are covered with
snd_BUG_ON() macro that may trigger a kernel WARNING depending on the
kconfig. But since the error condition can be triggered by a weird
user space parameter passed to OSS layer, we shouldn't give the kernel
stack trace just for that. As it's a normal error condition, let's
remove snd_BUG_ON() macro usage there.

Reported-by: syzbot+2a59ee7a9831b264f45e@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200312155730.7520-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>


# 3bbf9e2f 09-Mar-2020 Takashi Iwai <tiwai@suse.de>

ALSA: pcm: oss: Simplify plugin frame size calculations

Both snd_pcm_plug_client_size() and snd_pcm_plug_slave_size() do
almost the same calculations of calling src_frames() and dst_frames() in
the chain, but just to the different directions with each other.

This patch simplifies those functions. Now they return -EINVAL for
the invalid direction, but practically seen, there are no functional
changes at all.

Link: https://lore.kernel.org/r/20200309185855.15693-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>


# f2ecf903 09-Mar-2020 Takashi Iwai <tiwai@suse.de>

ALSA: pcm: oss: Avoid plugin buffer overflow

Each OSS PCM plugin allocates its internal buffer per pre-calculation
of the max buffer size through the chain of plugins (calling
src_frames and dst_frames callbacks). This works for most plugins,
but the rate plugin might behave incorrectly. The calculation in the
rate plugin involves the fractional position, i.e. it may vary
depending on the input position. Since the buffer size
pre-calculation is always done with the offset zero, it may return a
shorter size than it might be; this may result in the out-of-bound
access as spotted by fuzzer.

This patch addresses those possible buffer overflow accesses by simply
setting the upper limit per the given buffer size for each plugin
before src_frames() and after dst_frames() calls.

Reported-by: syzbot+e1fe9f44fb8ecf4fb5dd@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/000000000000b25ea005a02bcf21@google.com
Link: https://lore.kernel.org/r/20200309082148.19855-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
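
Why a size pre-calculated at offset zero can come up short, as an added example that is not code from the commit or the kernel: a simplified fixed-point resampler model, not the kernel's rate plugin. The function names, `SHIFT`, the step value and the frame counts are constructed assumptions, and only the clamp after the destination-frame calculation is shown.

```c
#include <stddef.h>
#include <stdio.h>

#define SHIFT 11                  /* constructed fixed-point precision */
#define ONE   (1u << SHIFT)

/* Simplified model: each source frame advances a fractional accumulator by
 * `step`; every time it crosses ONE, one destination frame is produced.
 * `pos` is the fractional position carried over from the previous call. */
static size_t dst_frames_at(size_t src_frames, unsigned step, unsigned pos)
{
    unsigned long long acc = pos + (unsigned long long)src_frames * step;

    return (size_t)(acc >> SHIFT);
}

/* Pre-calculation as the commit message describes it: offset always zero. */
static size_t precalc_dst_frames(size_t src_frames, unsigned step)
{
    return dst_frames_at(src_frames, step, 0);
}

/* Mitigation shape: cap the computed frame count at the buffer size that
 * was actually allocated, so a transfer can never index past it. */
static size_t clamped_dst_frames(size_t src_frames, unsigned step,
                                 unsigned pos, size_t buf_frames)
{
    size_t n = dst_frames_at(src_frames, step, pos);

    return n > buf_frames ? buf_frames : n;
}

int main(void)
{
    unsigned step = 2229;         /* ~48000/44100 in 11-bit fixed point */
    size_t buf = precalc_dst_frames(100, step);

    printf("buffer sized for:  %zu frames\n", buf);
    printf("worst-case output: %zu frames\n", dst_frames_at(100, step, ONE - 1));
    printf("after clamp:       %zu frames\n",
           clamped_dst_frames(100, step, ONE - 1, buf));
    return 0;
}
```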


# b40fe4bb 05-Jan-2020 Takashi Iwai <tiwai@suse.de>

ALSA: oss: More constifications

Apply const prefix to the static tables for strings and formats.

Just for minor optimization and no functional changes.

Link: https://lore.kernel.org/r/20200105144823.29547-41-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>


# 65766ee0 09-Nov-2018 Takashi Iwai <tiwai@suse.de>

ALSA: oss: Use kvzalloc() for local buffer allocations

PCM OSS layer may allocate a few temporary buffers, one for the core
read/write and another for the conversions via plugins. Currently
both are allocated via vmalloc(). But as the allocation size is
equivalent with the PCM period size, the required size might be quite
small, depending on the application.

This patch replaces these vmalloc() calls with kvzalloc() for covering
small period sizes better. Also, we use "z"-alloc variant here for
addressing the possible uninitialized access reported by syzkaller.

Reported-by: syzbot+1cb36954e127c98dd037@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>


# 6f128fa4 26-Aug-2018 Dan Carpenter <dan.carpenter@oracle.com>

ALSA: pcm: signedness bug in snd_pcm_plug_alloc()

The "frames" variable is unsigned so the error handling doesn't work
properly.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>


# 5a6cd13d 01-Aug-2018 Gustavo A. R. Silva <gustavo@embeddedor.com>

ALSA: pcm: Mark expected switch fall-through

In preparation to enabling -Wimplicit-fallthrough, mark switch cases
where we are expecting to fall through.

Addresses-Coverity-ID: 1357375 ("Missing break in switch")
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>


# 191bb51e 25-Jul-2018 Takashi Iwai <tiwai@suse.de>

ALSA: pcm: Use standard lower_32_bits() and upper_32_bits()

Instead of open codes, use the standard macros for obtaining the lower
and upper 32bit values.

Signed-off-by: Takashi Iwai <tiwai@suse.de>


# 67089137 04-Jan-2018 Takashi Iwai <tiwai@suse.de>

ALSA: pcm: Add missing error checks in OSS emulation plugin builder

In the OSS emulation plugin builder where the frame size is parsed in
the plugin chain, some places miss the possible errors returned from
the plugin src_ or dst_frames callback.

This patch papers over such places.

Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>


# e76bf3c4 16-May-2017 Takashi Sakamoto <o-takashi@sakamocchi.jp>

ALSA: pcm/oss: refer to parameters instead of copying to reduce usage of kernel stack

Some functions in compatibility layer for Open Sound System interface have
local variables to copy some parameters in runtime of PCM substream, while
this can be replaced with reference of pointers to parameter itself. This
brings an advantage to reduce usage of kernel stack.

This commit applies this idea.

Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>


# 701ef320 13-Nov-2012 Xi Wang <xi.wang@gmail.com>

ALSA: core: fix NULL checking in snd_pcm_plug_slave_size()

The dereference snd_pcm_plug_stream(plug) should come after the NULL
check snd_BUG_ON(!plug).

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>


# 9af4e7fe 13-Nov-2012 Xi Wang <xi.wang@gmail.com>

ALSA: core: fix NULL checking in snd_pcm_plug_client_size()

The dereference snd_pcm_plug_stream(plug) should come after the NULL
check snd_BUG_ON(!plug).

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>


# fea952e5 14-Feb-2011 Clemens Ladisch <clemens@ladisch.de>

ALSA: core: sparse cleanups

Change the core code where sparse complains. In most cases, this means
just adding annotations to confirm that we indeed want to do the dirty
things we're doing.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>


# 7eaa943c 08-Aug-2008 Takashi Iwai <tiwai@suse.de>

ALSA: Kill snd_assert() in sound/core/*

Kill snd_assert() in sound/core/*, either removed or replaced with
if () with snd_BUG_ON().

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>


# 9004acc7 08-Jan-2008 Takashi Iwai <tiwai@suse.de>

[ALSA] Remove sound/driver.h

This header file exists only for some hacks to adapt alsa-driver
tree. It's useless for building in the kernel. Let's move a few
lines in it to sound/core.h and remove it.
With this patch, sound/driver.h isn't removed but has just a single
compile warning to include it. This should be really killed in
future.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>


# c1017a4c 15-Oct-2007 Jaroslav Kysela <perex@perex.cz>

[ALSA] Changed Jaroslav Kysela's e-mail from perex@suse.cz to perex@perex.cz


Signed-off-by: Jaroslav Kysela <perex@perex.cz>


# 64d27f96 08-Aug-2007 Takashi Iwai <tiwai@suse.de>

[ALSA] Support 3-bytes 24bit format in PCM OSS emulation

Add the support of 3-bytes 24bit formats in PCM OSS emulation.
Also removed snd_pcm_build_linear_format() function. It's exported
just for OSS emulation, and now the code was changed without calling
this function.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>


# 887f9f02 08-Aug-2007 Takashi Iwai <tiwai@suse.de>

[ALSA] Remove ifdefs from OSS PCM emulation codes

Fix Makefile to compile files conditionally to CONFIG_SND_PCM_OSS_PLUGINS,
and remove unneeded ifdefs in these files.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>


# c82590d2 20-Jan-2006 Takashi Iwai <tiwai@suse.de>

[ALSA] Fix mulaw -> linear conversion in OSS PCM emulation

Modules: ALSA<-OSS emulation

Fixed the missing mulaw -> linear conversion in OSS PCM emulation code.

Signed-off-by: Takashi Iwai <tiwai@suse.de>


# 0534ab42 12-Jan-2006 Takashi Iwai <tiwai@suse.de>

[ALSA] Clean up pcm-oss plugins

Modules: ALSA<-OSS emulation

Clean up pcm-oss plugin codes.
Removed dead codes, and simplified route/rate plugins.

Signed-off-by: Takashi Iwai <tiwai@suse.de>


# 21a3479a 13-Jan-2006 Jaroslav Kysela <perex@suse.cz>

[ALSA] PCM midlevel & PCM OSS - make procfs & OSS plugin code optional

Modules: ALSA Core,PCM Midlevel,ALSA<-OSS emulation,USB generic driver

1) The verbose procfs code for the PCM midlevel and usb audio
can be removed now (more patches will follow).
CONFIG_SND_VERBOSE_PROCFS
2) The PCM OSS plugin system can be also compiled optionally.
CONFIG_SND_PCM_OSS_PLUGINS

Signed-off-by: Jaroslav Kysela <perex@suse.cz>


# 6ac77bc1 17-Nov-2005 Takashi Iwai <tiwai@suse.de>

[ALSA] Remove xxx_t typedefs: PCM OSS-emulation

Modules: ALSA<-OSS emulation

Remove xxx_t typedefs from the core PCM OSS-emulation codes.

Signed-off-by: Takashi Iwai <tiwai@suse.de>


# 47eaebfd 17-Nov-2005 Takashi Iwai <tiwai@suse.de>

[ALSA] Use standard bitmap functions

Modules: ALSA<-OSS emulation

Use standard bitmap functions instead of in-house ones.

Signed-off-by: Takashi Iwai <tiwai@suse.de>


# ca2c0966 09-Sep-2005 Takashi Iwai <tiwai@suse.de>

[ALSA] Replace with kzalloc() - core stuff

Control Midlevel,ALSA Core,HWDEP Midlevel,PCM Midlevel,RawMidi Midlevel
Timer Midlevel,ALSA<-OSS emulation
Replace kcalloc(1,..) with kzalloc().

Signed-off-by: Takashi Iwai <tiwai@suse.de>


# 94f19c9a 23-Mar-2005 Adrian Bunk <bunk@stusta.de>

[ALSA] kill dead code

ALSA<-OSS emulation
The Coverity checker found this obviously dead code.

I'm not sure which of the if (plugin == NULL) is correct - this patch
removes the one that couldn't be true.

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>


# 1da177e4 16-Apr-2005 Linus Torvalds <torvalds@ppc970.osdl.org>

Linux-2.6.12-rc2

Initial git repository build. I'm not bothering with the full history,
even though we have it. We can create a separate "historical" git
archive of that later if we want to, and in the meantime it's about
3.2GB when imported into git - space that would just make the early
git days unnecessarily complicated, when we don't have a lot of good
infrastructure for it.

Let it rip!