This is a note to let you know that I've just added the patch titled ALSA: aloop: Fix inconsistent format due to incomplete rule to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: alsa-aloop-fix-inconsistent-format-due-to-incomplete-rule.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From b088b53e20c7d09b5ab84c5688e609f478e5c417 Mon Sep 17 00:00:00 2001 From: Takashi Iwai <tiwai@xxxxxxx> Date: Fri, 5 Jan 2018 16:15:33 +0100 Subject: ALSA: aloop: Fix inconsistent format due to incomplete rule From: Takashi Iwai <tiwai@xxxxxxx> commit b088b53e20c7d09b5ab84c5688e609f478e5c417 upstream. The extra hw constraint rule for the formats the aloop driver introduced has a slight flaw, where it doesn't return a positive value when the mask got changed. It came from the fact that it's basically a copy&paste from snd_hw_constraint_mask64(). The original code is supposed to be a single-shot and it modifies the mask bits only once and never after, while what we need for aloop is the dynamic hw rule that limits the mask bits. This difference results in the inconsistent state, as the hw_refine doesn't apply the dependencies fully. The worse and surprisingly result is that it causes a crash in OSS emulation when multiple full-duplex reads/writes are performed concurrently (I leave why it triggers Oops to readers as a homework). For fixing this, replace a few open-codes with the standard snd_mask_*() macros. Reported-by: syzbot+3902b5220e8ca27889ca@xxxxxxxxxxxxxxxxxxxxxxxxx Fixes: b1c73fc8e697 ("ALSA: snd-aloop: Fix hw_params restrictions and checking") Signed-off-by: Takashi Iwai <tiwai@xxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- sound/drivers/aloop.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) --- a/sound/drivers/aloop.c +++ b/sound/drivers/aloop.c @@ -39,6 +39,7 @@ #include <sound/core.h> #include <sound/control.h> #include <sound/pcm.h> +#include <sound/pcm_params.h> #include <sound/info.h> #include <sound/initval.h> @@ -622,14 +623,12 @@ static int rule_format(struct snd_pcm_hw { struct snd_pcm_hardware *hw = rule->private; - struct snd_mask *maskp = hw_param_mask(params, rule->var); + struct snd_mask m; - maskp->bits[0] &= (u_int32_t)hw->formats; - maskp->bits[1] &= (u_int32_t)(hw->formats >> 32); - memset(maskp->bits + 2, 0, (SNDRV_MASK_MAX-64) / 8); /* clear rest */ - if (! maskp->bits[0] && ! maskp->bits[1]) - return -EINVAL; - return 0; + snd_mask_none(&m); + m.bits[0] = (u_int32_t)hw->formats; + m.bits[1] = (u_int32_t)(hw->formats >> 32); + return snd_mask_refine(hw_param_mask(params, rule->var), &m); } static int rule_rate(struct snd_pcm_hw_params *params, Patches currently in stable-queue which might be from tiwai@xxxxxxx are queue-4.4/alsa-pcm-remove-incorrect-snd_bug_on-usages.patch queue-4.4/alsa-aloop-fix-inconsistent-format-due-to-incomplete-rule.patch queue-4.4/alsa-pcm-add-missing-error-checks-in-oss-emulation-plugin-builder.patch queue-4.4/alsa-pcm-abort-properly-at-pending-signal-in-oss-read-write-loops.patch queue-4.4/alsa-pcm-allow-aborting-mutex-lock-at-oss-read-write-loops.patch queue-4.4/alsa-aloop-fix-racy-hw-constraints-adjustment.patch queue-4.4/alsa-aloop-release-cable-upon-open-error-path.patch