linux/sound/core
Takashi Iwai 9f8a7658bc ALSA: timer: Fix zero-division by continue of uninitialized instance
When a user timer instance is continued without an explicit start
beforehand, the system eventually gets a zero-division error like:

  divide error: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
  CPU: 1 PID: 27320 Comm: syz-executor Not tainted 4.8.0-rc3-next-20160825+ #8
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
   task: ffff88003c9b2280 task.stack: ffff880027280000
   RIP: 0010:[<ffffffff858e1a6c>]  [<     inline     >] ktime_divns include/linux/ktime.h:195
   RIP: 0010:[<ffffffff858e1a6c>]  [<ffffffff858e1a6c>] snd_hrtimer_callback+0x1bc/0x3c0 sound/core/hrtimer.c:62
  Call Trace:
   <IRQ>
   [<     inline     >] __run_hrtimer kernel/time/hrtimer.c:1238
   [<ffffffff81504335>] __hrtimer_run_queues+0x325/0xe70 kernel/time/hrtimer.c:1302
   [<ffffffff81506ceb>] hrtimer_interrupt+0x18b/0x420 kernel/time/hrtimer.c:1336
   [<ffffffff8126d8df>] local_apic_timer_interrupt+0x6f/0xe0 arch/x86/kernel/apic/apic.c:933
   [<ffffffff86e13056>] smp_apic_timer_interrupt+0x76/0xa0 arch/x86/kernel/apic/apic.c:957
   [<ffffffff86e1210c>] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:487
   <EOI>
   .....

Although a similar issue was spotted and a fix patch was merged in
commit [6b760bb2c6: ALSA: timer: fix division by zero after
SNDRV_TIMER_IOCTL_CONTINUE], it seems to cover only a part of the
iceberg.

In this patch, we fix the issue a bit more drastically.  Basically the
continue of an uninitialized timer is supposed to be a fresh start, so
we do it for user timers.  For the direct snd_timer_continue() call,
there is no way to pass the initial tick value, so we kick out for the
uninitialized case.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2016-09-08 10:45:05 +02:00
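The following is a userspace model of the hazard and of the two behaviours the commit message above describes, added here as an illustration; it is not the kernel's code and is not taken from sound/core/timer.c or hrtimer.c. The struct layout, the 1 ms tick resolution and the fresh-start tick count of 1 are assumptions of the model. It keeps the shape visible in the trace: the periodic callback divides the elapsed time by `ticks * resolution`, so an instance whose `ticks` was never set by a start hands the callback a zero divisor.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed constant for the model: one timer tick is 1 ms. */
#define RESOLUTION_NS 1000000ULL

/* Minimal model of a timer instance (assumed layout, not the kernel's).
 * `ticks` is the period set by an explicit start; it stays 0 on an
 * instance that was never started. */
struct timer_instance {
    unsigned long ticks;
    bool user;      /* user-space (ioctl) instance vs. direct in-kernel caller */
    bool running;
};

/* Model of the periodic callback from the trace: the elapsed time is divided
 * by ticks * resolution to find how many periods went by. Here a zero period
 * returns -1 instead of dividing; in the real callback, which runs in
 * hard-IRQ context, the same situation is the "divide error" in the oops. */
static long periods_elapsed(const struct timer_instance *t, uint64_t elapsed_ns)
{
    uint64_t period_ns = (uint64_t)t->ticks * RESOLUTION_NS;

    if (period_ns == 0)
        return -1;      /* this is the divisor that was zero */
    return (long)(elapsed_ns / period_ns);
}

/* Pre-fix behaviour: continue only marks the instance running and trusts
 * that ticks was set by an earlier start. */
static int timer_continue_unfixed(struct timer_instance *t)
{
    t->running = true;
    return 0;
}

/* Post-fix behaviour as the commit message describes it: for a user timer,
 * continuing an uninitialized instance is treated as a fresh start (the
 * initial tick count of 1 is this model's assumption); a direct caller has
 * no way to supply an initial tick value, so the uninitialized case is
 * rejected instead. */
static int timer_continue_fixed(struct timer_instance *t)
{
    if (t->ticks == 0) {
        if (!t->user)
            return -EINVAL;
        t->ticks = 1;
    }
    t->running = true;
    return 0;
}

int main(void)
{
    struct timer_instance bad = { .ticks = 0, .user = true, .running = false };
    struct timer_instance good = { .ticks = 0, .user = true, .running = false };
    struct timer_instance direct = { .ticks = 0, .user = false, .running = false };

    timer_continue_unfixed(&bad);
    printf("unfixed: continue with ticks=0, periods_elapsed = %ld "
           "(-1 marks the zero divisor the kernel would fault on)\n",
           periods_elapsed(&bad, 5 * RESOLUTION_NS));

    timer_continue_fixed(&good);
    printf("fixed (user): ticks=%lu, periods after 5 ms = %ld\n",
           good.ticks, periods_elapsed(&good, 5 * RESOLUTION_NS));

    printf("fixed (direct): continue returns %d (-EINVAL = %d)\n",
           timer_continue_fixed(&direct), -EINVAL);
    return 0;
}
```

The point the model makes is the one the commit message makes: `continue` is a state transition that is only valid after a `start`, and the callback that consumes the instance's state runs in interrupt context where a bad divisor is fatal, so the transition itself must either supply valid state (user timers) or refuse (direct callers).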
oss ALSA: pcm: Fix potential deadlock in OSS emulation 2016-02-01 12:23:29 +01:00
seq ALSA: seq_timer: use monotonic times internally 2016-06-17 22:56:13 +02:00
compress_offload.c ALSA: compress: Add function to indicate the stream has gone bad 2016-06-13 16:45:37 +01:00
control_compat.c ALSA: ctl: change return value in compatibility layer so that it's the same value in core implementation 2016-03-17 14:11:36 +01:00
control.c Merge branch 'for-next' into for-linus 2016-07-25 17:01:14 +02:00
ctljack.c
device.c
hrtimer.c ALSA: hrtimer: Handle start/stop more properly 2016-04-26 09:34:40 +02:00
hwdep_compat.c
hwdep.c
info_oss.c
info.c
init.c ALSA: hda_intel: add card number to irq description 2016-01-12 21:05:16 +01:00
isadma.c
jack.c ALSA: jack: Allow building the jack layer without input device 2016-02-23 09:03:07 +01:00
Kconfig ALSA: timer: remove legacy rtctimer 2016-04-25 10:41:46 +02:00
Makefile ALSA: timer: remove legacy rtctimer 2016-04-25 10:41:46 +02:00
memalloc.c
memory.c
misc.c
pcm_compat.c ALSA: pcm: Fix ioctls for X32 ABI 2016-02-28 17:44:35 +01:00
pcm_dmaengine.c ASoC: dmaengine_pcm: Add support for packed transfers 2016-04-27 17:34:11 +01:00
pcm_drm_eld.c
pcm_iec958.c ALSA: pcm: Allow 32 bit sample format in IEC958 channel status helper 2016-04-06 14:33:38 -07:00
pcm_lib.c ALSA: pcm: Bail out when chmap is already present 2016-05-10 17:05:16 +02:00
pcm_memory.c
pcm_misc.c ALSA: pcm: Add snd_pcm_rate_range_to_bits() 2016-02-05 18:49:00 +00:00
pcm_native.c ALSA: pcm: Fix poll error return codes 2016-05-09 17:34:49 +02:00
pcm_timer.c
pcm_trace.h
pcm.c ALSA: pcm: Free chmap at PCM free callback, too 2016-07-08 09:15:44 +02:00
rawmidi_compat.c ALSA: rawmidi: Fix ioctls X32 ABI 2016-02-28 17:44:51 +01:00
rawmidi.c ALSA: rawmidi: Fix race at copying & updating the position 2016-02-03 14:51:42 +01:00
sgbuf.c
sound_oss.c
sound.c
timer_compat.c ALSA: timer: fix gparams ioctl compatibility for different architectures 2016-03-23 08:06:16 +01:00
timer.c ALSA: timer: Fix zero-division by continue of uninitialized instance 2016-09-08 10:45:05 +02:00
vmaster.c