git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob

   1 From 493626f2d87a74e6dbea1686499ed6e7e600484e Mon Sep 17 00:00:00 2001
   2 From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
   3 Date: Sun, 9 Sep 2018 22:25:12 +0900
   4 Subject: ALSA: bebob: use address returned by kmalloc() instead of kernel stack for streaming DMA mapping
   5
   6 From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
   7
   8 commit 493626f2d87a74e6dbea1686499ed6e7e600484e upstream.
   9
  10 When executing 'fw_run_transaction()' with 'TCODE_WRITE_BLOCK_REQUEST',
  11 an address of 'payload' argument is used for streaming DMA mapping by
  12 'firewire_ohci' module if 'size' argument is larger than 8 byte.
  13 Although in this case the address should not be on kernel stack, current
  14 implementation of ALSA bebob driver uses data in kernel stack for a cue
  15 to boot M-Audio devices. This often brings unexpected result, especially
  16 for a case of CONFIG_VMAP_STACK=y.
  17
  18 This commit fixes the bug.
  19
  20 Reference: https://bugzilla.kernel.org/show_bug.cgi?id=201021
  21 Reference: https://forum.manjaro.org/t/firewire-m-audio-410-driver-wont-load-firmware/51165
  22 Fixes: a2b2a7798fb6('ALSA: bebob: Send a cue to load firmware for M-Audio Firewire series')
  23 Cc: <stable@vger.kernel.org> # v3.16+
  24 Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
  25 Signed-off-by: Takashi Iwai <tiwai@suse.de>
  26 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  27
  28 ---
  29  sound/firewire/bebob/bebob_maudio.c |   24 ++++++++++++++----------
  30  1 file changed, 14 insertions(+), 10 deletions(-)
  31
  32 --- a/sound/firewire/bebob/bebob_maudio.c
  33 +++ b/sound/firewire/bebob/bebob_maudio.c
  34 @@ -96,17 +96,13 @@ int snd_bebob_maudio_load_firmware(struc
  35         struct fw_device *device = fw_parent_device(unit);
  36         int err, rcode;
  37         u64 date;
  38 -       __le32 cues[3] = {
  39 -               cpu_to_le32(MAUDIO_BOOTLOADER_CUE1),
  40 -               cpu_to_le32(MAUDIO_BOOTLOADER_CUE2),
  41 -               cpu_to_le32(MAUDIO_BOOTLOADER_CUE3)
  42 -       };
  43 +       __le32 *cues;
  44
  45         /* check date of software used to build */
  46         err = snd_bebob_read_block(unit, INFO_OFFSET_SW_DATE,
  47                                    &date, sizeof(u64));
  48         if (err < 0)
  49 -               goto end;
  50 +               return err;
  51         /*
  52          * firmware version 5058 or later has date later than "20070401", but
  53          * 'date' is not null-terminated.
  54 @@ -114,20 +110,28 @@ int snd_bebob_maudio_load_firmware(struc
  55         if (date < 0x3230303730343031LL) {
  56                 dev_err(&unit->device,
  57                         "Use firmware version 5058 or later\n");
  58 -               err = -ENOSYS;
  59 -               goto end;
  60 +               return -ENXIO;
  61         }
  62
  63 +       cues = kmalloc_array(3, sizeof(*cues), GFP_KERNEL);
  64 +       if (!cues)
  65 +               return -ENOMEM;
  66 +
  67 +       cues[0] = cpu_to_le32(MAUDIO_BOOTLOADER_CUE1);
  68 +       cues[1] = cpu_to_le32(MAUDIO_BOOTLOADER_CUE2);
  69 +       cues[2] = cpu_to_le32(MAUDIO_BOOTLOADER_CUE3);
  70 +
  71         rcode = fw_run_transaction(device->card, TCODE_WRITE_BLOCK_REQUEST,
  72                                    device->node_id, device->generation,
  73                                    device->max_speed, BEBOB_ADDR_REG_REQ,
  74 -                                  cues, sizeof(cues));
  75 +                                  cues, 3 * sizeof(*cues));
  76 +       kfree(cues);
  77         if (rcode != RCODE_COMPLETE) {
  78                 dev_err(&unit->device,
  79                         "Failed to send a cue to load firmware\n");
  80                 err = -EIO;
  81         }
  82 -end:
  83 +
  84         return err;
  85  }
  86