Revision 382225e62bdb8059b7f915b133426425516dd300 authored by Takashi Iwai on 22 February 2011, 09:21:18 UTC, committed by Takashi Iwai on 23 February 2011, 07:15:43 UTC
When a USB audio device is disconnected, snd_usb_audio_disconnect() kills all audio URBs. At the same time, the application, after being notified of the disconnection, might close the device, in which case ALSA calls the .hw_free callback, which should free the URBs too. Commit de1b8b93a0ba "[ALSA] Fix hang-up at disconnection of usb-audio" prevented snd_usb_hw_free() from freeing the URBs to avoid a hang that resulted from this race, but this introduced another race because the URB callbacks could now be executed after snd_usb_hw_free() has returned, and try to access already freed data. Fix the first race by introducing a mutex to serialize the disconnect callback and all PCM callbacks that manage URBs (hw_free and hw_params). Reported-and-tested-by: Pierre-Louis Bossart <pierre-louis.bossart@intel.com> Cc: <stable@kernel.org> [CL: also serialize hw_params callback] Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Signed-off-by: Takashi Iwai <tiwai@suse.de>
1 parent 3064967
ihex.h
/*
* Compact binary representation of ihex records. Some devices need their
* firmware loaded in strange orders rather than a single big blob, but
* actually parsing ihex-as-text within the kernel seems silly. Thus,...
*/
#ifndef __LINUX_IHEX_H__
#define __LINUX_IHEX_H__
#include <linux/types.h>
#include <linux/firmware.h>
#include <linux/device.h>
/* Intel HEX files actually limit the length to 256 bytes, but we have
drivers which would benefit from using separate records which are
longer than that, so we extend to 16 bits of length */
struct ihex_binrec {
__be32 addr;
__be16 len;
uint8_t data[0];
} __attribute__((packed));
/* Find the next record, taking into account the 4-byte alignment */
static inline const struct ihex_binrec *
ihex_next_binrec(const struct ihex_binrec *rec)
{
int next = ((be16_to_cpu(rec->len) + 5) & ~3) - 2;
rec = (void *)&rec->data[next];
return be16_to_cpu(rec->len) ? rec : NULL;
}
/* Check that ihex_next_binrec() won't take us off the end of the image... */
static inline int ihex_validate_fw(const struct firmware *fw)
{
const struct ihex_binrec *rec;
size_t ofs = 0;
while (ofs <= fw->size - sizeof(*rec)) {
rec = (void *)&fw->data[ofs];
/* Zero length marks end of records */
if (!be16_to_cpu(rec->len))
return 0;
/* Point to next record... */
ofs += (sizeof(*rec) + be16_to_cpu(rec->len) + 3) & ~3;
}
return -EINVAL;
}
/* Request firmware and validate it so that we can trust we won't
* run off the end while reading records... */
static inline int request_ihex_firmware(const struct firmware **fw,
const char *fw_name,
struct device *dev)
{
const struct firmware *lfw;
int ret;
ret = request_firmware(&lfw, fw_name, dev);
if (ret)
return ret;
ret = ihex_validate_fw(lfw);
if (ret) {
dev_err(dev, "Firmware \"%s\" not valid IHEX records\n",
fw_name);
release_firmware(lfw);
return ret;
}
*fw = lfw;
return 0;
}
#endif /* __LINUX_IHEX_H__ */
Computing file changes ...
