Commit 12ed7192 authored by Takashi Sakamoto's avatar Takashi Sakamoto Committed by Takashi Iwai

ALSA: fireworks/bebob/dice/oxfw: add reference-counting for FireWire unit

Fireworks and Dice drivers try to touch instances of FireWire unit after
sound card object is released, while references to the unit is decremented
in .remove(). When unplugging during streaming, sound card object is
released after .remove(), thus Fireworks and Dice drivers causes GPF or
Null-pointer-dereferencing to application processes because an instance of
FireWire unit was already released.

This commit adds reference-counting for FireWire unit in drivers to allow
them to touch an instance of FireWire unit after .remove(). In most case,
any operations after .remove() may be failed safely.
Signed-off-by: default avatarTakashi Sakamoto <o-takashi@sakamocchi.jp>
Cc: <stable@vger.kernel.org> # 3.19+
Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
parent 6426460e
...@@ -116,11 +116,19 @@ name_device(struct snd_bebob *bebob, unsigned int vendor_id) ...@@ -116,11 +116,19 @@ name_device(struct snd_bebob *bebob, unsigned int vendor_id)
return err; return err;
} }
/*
* This module releases the FireWire unit data after all ALSA character devices
* are released by applications. This is for releasing stream data or finishing
* transactions safely. Thus at returning from .remove(), this module still keep
* references for the unit.
*/
static void static void
bebob_card_free(struct snd_card *card) bebob_card_free(struct snd_card *card)
{ {
struct snd_bebob *bebob = card->private_data; struct snd_bebob *bebob = card->private_data;
fw_unit_put(bebob->unit);
if (bebob->card_index >= 0) { if (bebob->card_index >= 0) {
mutex_lock(&devices_mutex); mutex_lock(&devices_mutex);
clear_bit(bebob->card_index, devices_used); clear_bit(bebob->card_index, devices_used);
...@@ -205,7 +213,7 @@ bebob_probe(struct fw_unit *unit, ...@@ -205,7 +213,7 @@ bebob_probe(struct fw_unit *unit,
card->private_free = bebob_card_free; card->private_free = bebob_card_free;
bebob->card = card; bebob->card = card;
bebob->unit = unit; bebob->unit = fw_unit_get(unit);
bebob->spec = spec; bebob->spec = spec;
mutex_init(&bebob->mutex); mutex_init(&bebob->mutex);
spin_lock_init(&bebob->lock); spin_lock_init(&bebob->lock);
...@@ -310,6 +318,8 @@ static void bebob_remove(struct fw_unit *unit) ...@@ -310,6 +318,8 @@ static void bebob_remove(struct fw_unit *unit)
snd_bebob_stream_destroy_duplex(bebob); snd_bebob_stream_destroy_duplex(bebob);
snd_card_disconnect(bebob->card); snd_card_disconnect(bebob->card);
/* No need to wait for releasing card object in this context. */
snd_card_free_when_closed(bebob->card); snd_card_free_when_closed(bebob->card);
} }
......
...@@ -226,11 +226,19 @@ static void dice_card_strings(struct snd_dice *dice) ...@@ -226,11 +226,19 @@ static void dice_card_strings(struct snd_dice *dice)
strcpy(card->mixername, "DICE"); strcpy(card->mixername, "DICE");
} }
/*
* This module releases the FireWire unit data after all ALSA character devices
* are released by applications. This is for releasing stream data or finishing
* transactions safely. Thus at returning from .remove(), this module still keep
* references for the unit.
*/
static void dice_card_free(struct snd_card *card) static void dice_card_free(struct snd_card *card)
{ {
struct snd_dice *dice = card->private_data; struct snd_dice *dice = card->private_data;
snd_dice_transaction_destroy(dice); snd_dice_transaction_destroy(dice);
fw_unit_put(dice->unit);
mutex_destroy(&dice->mutex); mutex_destroy(&dice->mutex);
} }
...@@ -251,7 +259,7 @@ static int dice_probe(struct fw_unit *unit, const struct ieee1394_device_id *id) ...@@ -251,7 +259,7 @@ static int dice_probe(struct fw_unit *unit, const struct ieee1394_device_id *id)
dice = card->private_data; dice = card->private_data;
dice->card = card; dice->card = card;
dice->unit = unit; dice->unit = fw_unit_get(unit);
card->private_free = dice_card_free; card->private_free = dice_card_free;
spin_lock_init(&dice->lock); spin_lock_init(&dice->lock);
...@@ -309,6 +317,7 @@ static void dice_remove(struct fw_unit *unit) ...@@ -309,6 +317,7 @@ static void dice_remove(struct fw_unit *unit)
snd_dice_stream_destroy_duplex(dice); snd_dice_stream_destroy_duplex(dice);
/* No need to wait for releasing card object in this context. */
snd_card_free_when_closed(dice->card); snd_card_free_when_closed(dice->card);
} }
......
...@@ -173,11 +173,19 @@ get_hardware_info(struct snd_efw *efw) ...@@ -173,11 +173,19 @@ get_hardware_info(struct snd_efw *efw)
return err; return err;
} }
/*
* This module releases the FireWire unit data after all ALSA character devices
* are released by applications. This is for releasing stream data or finishing
* transactions safely. Thus at returning from .remove(), this module still keep
* references for the unit.
*/
static void static void
efw_card_free(struct snd_card *card) efw_card_free(struct snd_card *card)
{ {
struct snd_efw *efw = card->private_data; struct snd_efw *efw = card->private_data;
fw_unit_put(efw->unit);
if (efw->card_index >= 0) { if (efw->card_index >= 0) {
mutex_lock(&devices_mutex); mutex_lock(&devices_mutex);
clear_bit(efw->card_index, devices_used); clear_bit(efw->card_index, devices_used);
...@@ -218,7 +226,7 @@ efw_probe(struct fw_unit *unit, ...@@ -218,7 +226,7 @@ efw_probe(struct fw_unit *unit,
card->private_free = efw_card_free; card->private_free = efw_card_free;
efw->card = card; efw->card = card;
efw->unit = unit; efw->unit = fw_unit_get(unit);
mutex_init(&efw->mutex); mutex_init(&efw->mutex);
spin_lock_init(&efw->lock); spin_lock_init(&efw->lock);
init_waitqueue_head(&efw->hwdep_wait); init_waitqueue_head(&efw->hwdep_wait);
...@@ -293,6 +301,8 @@ static void efw_remove(struct fw_unit *unit) ...@@ -293,6 +301,8 @@ static void efw_remove(struct fw_unit *unit)
snd_efw_transaction_remove_instance(efw); snd_efw_transaction_remove_instance(efw);
snd_card_disconnect(efw->card); snd_card_disconnect(efw->card);
/* No need to wait for releasing card object in this context. */
snd_card_free_when_closed(efw->card); snd_card_free_when_closed(efw->card);
} }
......
...@@ -104,11 +104,19 @@ static int name_card(struct snd_oxfw *oxfw) ...@@ -104,11 +104,19 @@ static int name_card(struct snd_oxfw *oxfw)
return err; return err;
} }
/*
* This module releases the FireWire unit data after all ALSA character devices
* are released by applications. This is for releasing stream data or finishing
* transactions safely. Thus at returning from .remove(), this module still keep
* references for the unit.
*/
static void oxfw_card_free(struct snd_card *card) static void oxfw_card_free(struct snd_card *card)
{ {
struct snd_oxfw *oxfw = card->private_data; struct snd_oxfw *oxfw = card->private_data;
unsigned int i; unsigned int i;
fw_unit_put(oxfw->unit);
for (i = 0; i < SND_OXFW_STREAM_FORMAT_ENTRIES; i++) { for (i = 0; i < SND_OXFW_STREAM_FORMAT_ENTRIES; i++) {
kfree(oxfw->tx_stream_formats[i]); kfree(oxfw->tx_stream_formats[i]);
kfree(oxfw->rx_stream_formats[i]); kfree(oxfw->rx_stream_formats[i]);
...@@ -136,7 +144,7 @@ static int oxfw_probe(struct fw_unit *unit, ...@@ -136,7 +144,7 @@ static int oxfw_probe(struct fw_unit *unit,
oxfw = card->private_data; oxfw = card->private_data;
oxfw->card = card; oxfw->card = card;
mutex_init(&oxfw->mutex); mutex_init(&oxfw->mutex);
oxfw->unit = unit; oxfw->unit = fw_unit_get(unit);
oxfw->device_info = (const struct device_info *)id->driver_data; oxfw->device_info = (const struct device_info *)id->driver_data;
spin_lock_init(&oxfw->lock); spin_lock_init(&oxfw->lock);
init_waitqueue_head(&oxfw->hwdep_wait); init_waitqueue_head(&oxfw->hwdep_wait);
...@@ -218,6 +226,7 @@ static void oxfw_remove(struct fw_unit *unit) ...@@ -218,6 +226,7 @@ static void oxfw_remove(struct fw_unit *unit)
if (oxfw->has_output) if (oxfw->has_output)
snd_oxfw_stream_destroy_simplex(oxfw, &oxfw->tx_stream); snd_oxfw_stream_destroy_simplex(oxfw, &oxfw->tx_stream);
/* No need to wait for releasing card object in this context. */
snd_card_free_when_closed(oxfw->card); snd_card_free_when_closed(oxfw->card);
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment