From 8a8d56b2a2f9aa423c3d8b6b1e2792c0492059ed Mon Sep 17 00:00:00 2001 From: Jesper Juhl Date: Fri, 29 Oct 2010 20:40:23 +0200 Subject: [PATCH 1/6] ALSA: usb - driver neglects kmalloc return value check and may deref NULL sound/usb/pcm.c::snd_usb_pcm_check_knot() fails to check the return value from kmalloc() and may end up dereferencing a null pointer. The patch below (compile tested only) should take care of that little problem. Signed-off-by: Jesper Juhl Signed-off-by: Takashi Iwai --- sound/usb/pcm.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c index cff3a3c465d..4132522ac90 100644 --- a/sound/usb/pcm.c +++ b/sound/usb/pcm.c @@ -676,8 +676,10 @@ static int snd_usb_pcm_check_knot(struct snd_pcm_runtime *runtime, if (!needs_knot) return 0; - subs->rate_list.count = count; subs->rate_list.list = kmalloc(sizeof(int) * count, GFP_KERNEL); + if (!subs->rate_list.list) + return -ENOMEM; + subs->rate_list.count = count; subs->rate_list.mask = 0; count = 0; list_for_each_entry(fp, &subs->fmt_list, list) { From bb617ee3f82ba94072c8b08043d9166bbfe397a2 Mon Sep 17 00:00:00 2001 From: Jesper Juhl Date: Fri, 29 Oct 2010 22:54:45 +0200 Subject: [PATCH 2/6] ALSA: cs46xx memory management fixes for cs46xx_dsp_spos_create() When reading through sound/pci/cs46xx/dsp_spos.c I noticed a couple of things in cs46xx_dsp_spos_create(). It seems to me that we don't always free the various memory buffers we allocate and we also do some work (structure member assignment) early, that is completely pointless if some of the memory allocations fail and we end up just aborting the whole thing. I don't have hardware to test, so the patch below is compile tested only, but it makes the following changes: - Make sure we always free all allocated memory on failures. - Don't do pointless work assigning to structure members before we know all memory allocations, that may abort progress, have completed successfully. - Remove some trailing whitespace. Signed-off-by: Jesper Juhl Tested-by: Ondrej Zary Signed-off-by: Takashi Iwai --- sound/pci/cs46xx/dsp_spos.c | 33 +++++++++++---------------------- 1 file changed, 11 insertions(+), 22 deletions(-) diff --git a/sound/pci/cs46xx/dsp_spos.c b/sound/pci/cs46xx/dsp_spos.c index 3e5ca8fb519..e377287192a 100644 --- a/sound/pci/cs46xx/dsp_spos.c +++ b/sound/pci/cs46xx/dsp_spos.c @@ -225,39 +225,25 @@ struct dsp_spos_instance *cs46xx_dsp_spos_create (struct snd_cs46xx * chip) { struct dsp_spos_instance * ins = kzalloc(sizeof(struct dsp_spos_instance), GFP_KERNEL); - if (ins == NULL) + if (ins == NULL) return NULL; /* better to use vmalloc for this big table */ - ins->symbol_table.nsymbols = 0; ins->symbol_table.symbols = vmalloc(sizeof(struct dsp_symbol_entry) * DSP_MAX_SYMBOLS); - ins->symbol_table.highest_frag_index = 0; - - if (ins->symbol_table.symbols == NULL) { + ins->code.data = kmalloc(DSP_CODE_BYTE_SIZE, GFP_KERNEL); + ins->modules = kmalloc(sizeof(struct dsp_module_desc) * DSP_MAX_MODULES, GFP_KERNEL); + if (!ins->symbol_table.symbols || !ins->code.data || !ins->modules) { cs46xx_dsp_spos_destroy(chip); goto error; } - + ins->symbol_table.nsymbols = 0; + ins->symbol_table.highest_frag_index = 0; ins->code.offset = 0; ins->code.size = 0; - ins->code.data = kmalloc(DSP_CODE_BYTE_SIZE, GFP_KERNEL); - - if (ins->code.data == NULL) { - cs46xx_dsp_spos_destroy(chip); - goto error; - } - ins->nscb = 0; ins->ntask = 0; - ins->nmodules = 0; - ins->modules = kmalloc(sizeof(struct dsp_module_desc) * DSP_MAX_MODULES, GFP_KERNEL); - - if (ins->modules == NULL) { - cs46xx_dsp_spos_destroy(chip); - goto error; - } /* default SPDIF input sample rate to 48000 khz */ @@ -271,8 +257,8 @@ struct dsp_spos_instance *cs46xx_dsp_spos_create (struct snd_cs46xx * chip) /* set left and right validity bits and default channel status */ - ins->spdif_csuv_default = - ins->spdif_csuv_stream = + ins->spdif_csuv_default = + ins->spdif_csuv_stream = /* byte 0 */ ((unsigned int)_wrap_all_bits( (SNDRV_PCM_DEFAULT_CON_SPDIF & 0xff)) << 24) | /* byte 1 */ ((unsigned int)_wrap_all_bits( ((SNDRV_PCM_DEFAULT_CON_SPDIF >> 8) & 0xff)) << 16) | /* byte 3 */ (unsigned int)_wrap_all_bits( (SNDRV_PCM_DEFAULT_CON_SPDIF >> 24) & 0xff) | @@ -281,6 +267,9 @@ struct dsp_spos_instance *cs46xx_dsp_spos_create (struct snd_cs46xx * chip) return ins; error: + kfree(ins->modules); + kfree(ins->code.data); + vfree(ins->symbol_table.symbols); kfree(ins); return NULL; } From f7467452291f7c9e5e1271e8c8e45b77f34b1257 Mon Sep 17 00:00:00 2001 From: Tim Blechmann Date: Sun, 31 Oct 2010 19:46:19 +0100 Subject: [PATCH 3/6] ALSA: lx6464es - make 1 bit signed bitfield unsigned converts a 1 bit signed bitfield to an unsigned. Reported-by: Dr. David Alan Gilbert Signed-off-by: Tim Blechmann Signed-off-by: Takashi Iwai --- sound/pci/lx6464es/lx6464es.c | 4 ++-- sound/pci/lx6464es/lx6464es.h | 2 +- sound/pci/lx6464es/lx_core.c | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/sound/pci/lx6464es/lx6464es.c b/sound/pci/lx6464es/lx6464es.c index ef9af3f4ace..1bd7a540fd4 100644 --- a/sound/pci/lx6464es/lx6464es.c +++ b/sound/pci/lx6464es/lx6464es.c @@ -425,7 +425,7 @@ exit: static void lx_trigger_start(struct lx6464es *chip, struct lx_stream *lx_stream) { struct snd_pcm_substream *substream = lx_stream->stream; - const int is_capture = lx_stream->is_capture; + const unsigned int is_capture = lx_stream->is_capture; int err; @@ -473,7 +473,7 @@ static void lx_trigger_start(struct lx6464es *chip, struct lx_stream *lx_stream) static void lx_trigger_stop(struct lx6464es *chip, struct lx_stream *lx_stream) { - const int is_capture = lx_stream->is_capture; + const unsigned int is_capture = lx_stream->is_capture; int err; snd_printd(LXP "stopping: stopping stream\n"); diff --git a/sound/pci/lx6464es/lx6464es.h b/sound/pci/lx6464es/lx6464es.h index 51afc048961..aea621eafbb 100644 --- a/sound/pci/lx6464es/lx6464es.h +++ b/sound/pci/lx6464es/lx6464es.h @@ -60,7 +60,7 @@ struct lx_stream { snd_pcm_uframes_t frame_pos; enum lx_stream_status status; /* free, open, running, draining * pause */ - int is_capture:1; + unsigned int is_capture:1; }; diff --git a/sound/pci/lx6464es/lx_core.c b/sound/pci/lx6464es/lx_core.c index 3086b751da4..617f98b0cba 100644 --- a/sound/pci/lx6464es/lx_core.c +++ b/sound/pci/lx6464es/lx_core.c @@ -1152,7 +1152,7 @@ static int lx_interrupt_request_new_buffer(struct lx6464es *chip, struct lx_stream *lx_stream) { struct snd_pcm_substream *substream = lx_stream->stream; - int is_capture = lx_stream->is_capture; + const unsigned int is_capture = lx_stream->is_capture; int err; unsigned long flags; From fd0977d0f42d3e73121b88f57c7d48ca9b861a58 Mon Sep 17 00:00:00 2001 From: Jesper Juhl Date: Fri, 29 Oct 2010 21:35:25 +0200 Subject: [PATCH 4/6] ALSA: asihpi - Unsafe memory management when allocating control cache I noticed that sound/pci/asihpi/hpicmn.c::hpi_alloc_control_cache() does not check the return value from kmalloc(), which may fail. If kmalloc() fails we'll dereference a null pointer and things will go bad fast. There are two memory allocations in that function and there's also the problem that the first may succeed and the second may fail and nothing is done about that either which will also go wrong down the line. Signed-off-by: Jesper Juhl Acked-by: Eliot Blennerhassett Signed-off-by: Takashi Iwai --- sound/pci/asihpi/hpi6000.c | 2 ++ sound/pci/asihpi/hpi6205.c | 2 ++ sound/pci/asihpi/hpicmn.c | 12 +++++++++--- 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/sound/pci/asihpi/hpi6000.c b/sound/pci/asihpi/hpi6000.c index f7e374ec441..1b9bf9395cf 100644 --- a/sound/pci/asihpi/hpi6000.c +++ b/sound/pci/asihpi/hpi6000.c @@ -625,6 +625,8 @@ static short create_adapter_obj(struct hpi_adapter_obj *pao, control_cache_size, (struct hpi_control_cache_info *) &phw->control_cache[0] ); + if (!phw->p_cache) + pao->has_control_cache = 0; } else pao->has_control_cache = 0; diff --git a/sound/pci/asihpi/hpi6205.c b/sound/pci/asihpi/hpi6205.c index 22c5fc62553..2672f6591ce 100644 --- a/sound/pci/asihpi/hpi6205.c +++ b/sound/pci/asihpi/hpi6205.c @@ -644,6 +644,8 @@ static u16 create_adapter_obj(struct hpi_adapter_obj *pao, interface->control_cache.size_in_bytes, (struct hpi_control_cache_info *) p_control_cache_virtual); + if (!phw->p_cache) + err = HPI_ERROR_MEMORY_ALLOC; } if (!err) { err = hpios_locked_mem_get_phys_addr(&phw-> diff --git a/sound/pci/asihpi/hpicmn.c b/sound/pci/asihpi/hpicmn.c index dda4f1c6f65..d67f4d3db91 100644 --- a/sound/pci/asihpi/hpicmn.c +++ b/sound/pci/asihpi/hpicmn.c @@ -571,14 +571,20 @@ struct hpi_control_cache *hpi_alloc_control_cache(const u32 { struct hpi_control_cache *p_cache = kmalloc(sizeof(*p_cache), GFP_KERNEL); + if (!p_cache) + return NULL; + p_cache->p_info = + kmalloc(sizeof(*p_cache->p_info) * number_of_controls, + GFP_KERNEL); + if (!p_cache->p_info) { + kfree(p_cache); + return NULL; + } p_cache->cache_size_in_bytes = size_in_bytes; p_cache->control_count = number_of_controls; p_cache->p_cache = (struct hpi_control_cache_single *)pDSP_control_buffer; p_cache->init = 0; - p_cache->p_info = - kmalloc(sizeof(*p_cache->p_info) * p_cache->control_count, - GFP_KERNEL); return p_cache; } From ca8dc34eaf7a1db7daa604495ed2c143af32f1ed Mon Sep 17 00:00:00 2001 From: Mandar Joshi Date: Tue, 2 Nov 2010 14:43:19 +0000 Subject: [PATCH 5/6] ALSA: usb-audio - Support for Power/Status LED on Creative USB X-Fi S51 This patch adds support for Power/Status LED on Creative USB X-Fi S51. There is just one LED on the device. The LED can either be On or it can be set to Blink. There doesn't seem to be a way to switch it off. The control message to change LED status is similar to that of audigy2nx except that the index is to be set to 0 and value is 1 for Blink and 0 for On. The 'Power LED' control in alsamixer when muted will cause the LED to Blink continuously. When unmuted the LED will stay On. The Creative driver under Windows sets the LED to blink whenever audio is muted. This LED can be treated as the CMSS LED but I figured since there is just one LED, it should be treated as the Power LED. Is that alright? I've also changed the comment "Usb X-Fi" to "Usb X-Fi S51" as there are other external X-Fi devices from Creative like Usb X-Fi Go and Xmod. The volume knob and LED support patch doesn't apply to them. Signed-off-by: Mandar Joshi Signed-off-by: Takashi Iwai --- sound/usb/mixer_quirks.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c index 7dae05d8783..782f741cd00 100644 --- a/sound/usb/mixer_quirks.c +++ b/sound/usb/mixer_quirks.c @@ -60,7 +60,7 @@ static const struct rc_config { { USB_ID(0x041e, 0x3000), 0, 1, 2, 1, 18, 0x0013 }, /* Extigy */ { USB_ID(0x041e, 0x3020), 2, 1, 6, 6, 18, 0x0013 }, /* Audigy 2 NX */ { USB_ID(0x041e, 0x3040), 2, 2, 6, 6, 2, 0x6e91 }, /* Live! 24-bit */ - { USB_ID(0x041e, 0x3042), 0, 1, 1, 1, 1, 0x000d }, /* Usb X-Fi */ + { USB_ID(0x041e, 0x3042), 0, 1, 1, 1, 1, 0x000d }, /* Usb X-Fi S51 */ { USB_ID(0x041e, 0x3048), 2, 2, 6, 6, 2, 0x6e91 }, /* Toshiba SB0500 */ }; @@ -183,7 +183,13 @@ static int snd_audigy2nx_led_put(struct snd_kcontrol *kcontrol, struct snd_ctl_e if (value > 1) return -EINVAL; changed = value != mixer->audigy2nx_leds[index]; - err = snd_usb_ctl_msg(mixer->chip->dev, + if (mixer->chip->usb_id == USB_ID(0x041e, 0x3042)) + err = snd_usb_ctl_msg(mixer->chip->dev, + usb_sndctrlpipe(mixer->chip->dev, 0), 0x24, + USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_OTHER, + !value, 0, NULL, 0, 100); + else + err = snd_usb_ctl_msg(mixer->chip->dev, usb_sndctrlpipe(mixer->chip->dev, 0), 0x24, USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_OTHER, value, index + 2, NULL, 0, 100); @@ -225,8 +231,12 @@ static int snd_audigy2nx_controls_create(struct usb_mixer_interface *mixer) int i, err; for (i = 0; i < ARRAY_SIZE(snd_audigy2nx_controls); ++i) { + /* USB X-Fi S51 doesn't have a CMSS LED */ + if ((mixer->chip->usb_id == USB_ID(0x041e, 0x3042)) && i == 0) + continue; if (i > 1 && /* Live24ext has 2 LEDs only */ (mixer->chip->usb_id == USB_ID(0x041e, 0x3040) || + mixer->chip->usb_id == USB_ID(0x041e, 0x3042) || mixer->chip->usb_id == USB_ID(0x041e, 0x3048))) break; err = snd_ctl_add(mixer->chip->card, @@ -365,6 +375,7 @@ int snd_usb_mixer_apply_create_quirk(struct usb_mixer_interface *mixer) if (mixer->chip->usb_id == USB_ID(0x041e, 0x3020) || mixer->chip->usb_id == USB_ID(0x041e, 0x3040) || + mixer->chip->usb_id == USB_ID(0x041e, 0x3042) || mixer->chip->usb_id == USB_ID(0x041e, 0x3048)) { if ((err = snd_audigy2nx_controls_create(mixer)) < 0) return err; From 87232dd49aeb6b7d1af291edca8bd129a82ef4b5 Mon Sep 17 00:00:00 2001 From: "Edgar (gimli) Hucek" Date: Wed, 3 Nov 2010 08:14:10 +0100 Subject: [PATCH 6/6] ALSA: hda - MacBookAir3,1(3,2) alsa support This patch add support for the MacBookAir3,1 and MacBookAir3,2 to the alsa sound system. Signed-off-by: Edgar (gimli) Hucek Signed-off-by: Takashi Iwai --- sound/pci/hda/patch_cirrus.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/pci/hda/patch_cirrus.c b/sound/pci/hda/patch_cirrus.c index 460fb2ef7e3..18af38ebf75 100644 --- a/sound/pci/hda/patch_cirrus.c +++ b/sound/pci/hda/patch_cirrus.c @@ -1166,6 +1166,7 @@ static const char *cs420x_models[CS420X_MODELS] = { static struct snd_pci_quirk cs420x_cfg_tbl[] = { SND_PCI_QUIRK(0x10de, 0x0ac0, "MacBookPro 5,3", CS420X_MBP53), + SND_PCI_QUIRK(0x10de, 0x0d94, "MacBookAir 3,1(2)", CS420X_MBP55), SND_PCI_QUIRK(0x10de, 0xcb79, "MacBookPro 5,5", CS420X_MBP55), SND_PCI_QUIRK(0x10de, 0xcb89, "MacBookPro 7,1", CS420X_MBP55), SND_PCI_QUIRK(0x8086, 0x7270, "IMac 27 Inch", CS420X_IMAC27),