From fbe618f216830f47b183858c3380d4767b1ad02f Mon Sep 17 00:00:00 2001 From: Takashi Iwai Date: Fri, 11 Jun 2010 11:24:58 +0200 Subject: [PATCH 1/9] ALSA: hda - Don't check capture source mixer if no ADC is available With multiple codec configurations, some codec might have no ADC, thus it keeps spec->adc_nids = NULL. This causes an Oops in alc_build_controls(). Reference: kernel bug #16156 https://bugzilla.kernel.org/show_bug.cgi?id=16156 Cc: Signed-off-by: Takashi Iwai --- sound/pci/hda/patch_realtek.c | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c index fc767b6b4785..f6cd8ed3272f 100644 --- a/sound/pci/hda/patch_realtek.c +++ b/sound/pci/hda/patch_realtek.c @@ -2619,16 +2619,18 @@ static int alc_build_controls(struct hda_codec *codec) } /* assign Capture Source enums to NID */ - kctl = snd_hda_find_mixer_ctl(codec, "Capture Source"); - if (!kctl) - kctl = snd_hda_find_mixer_ctl(codec, "Input Source"); - for (i = 0; kctl && i < kctl->count; i++) { - hda_nid_t *nids = spec->capsrc_nids; - if (!nids) - nids = spec->adc_nids; - err = snd_hda_add_nid(codec, kctl, i, nids[i]); - if (err < 0) - return err; + if (spec->capsrc_nids || spec->adc_nids) { + kctl = snd_hda_find_mixer_ctl(codec, "Capture Source"); + if (!kctl) + kctl = snd_hda_find_mixer_ctl(codec, "Input Source"); + for (i = 0; kctl && i < kctl->count; i++) { + hda_nid_t *nids = spec->capsrc_nids; + if (!nids) + nids = spec->adc_nids; + err = snd_hda_add_nid(codec, kctl, i, nids[i]); + if (err < 0) + return err; + } } if (spec->cap_mixer) { const char *kname = kctl ? kctl->id.name : NULL; From d07140ba7fe1b41713627c6dc3f169a00019fb0e Mon Sep 17 00:00:00 2001 From: Daniel Mack Date: Fri, 11 Jun 2010 17:34:19 +0200 Subject: [PATCH 2/9] ALSA: usb-audio: add check for faulty clock in parse_audio_format_rates_v2() Signed-off-by: Daniel Mack Signed-off-by: Takashi Iwai --- sound/usb/format.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/sound/usb/format.c b/sound/usb/format.c index 5367cd1e52d9..df5b29fed000 100644 --- a/sound/usb/format.c +++ b/sound/usb/format.c @@ -218,6 +218,12 @@ static int parse_audio_format_rates_v2(struct snd_usb_audio *chip, int i, nr_rates, data_size, ret = 0; int clock = snd_usb_clock_find_source(chip, chip->ctrl_intf, fp->clock); + if (clock < 0) { + snd_printk(KERN_ERR "%s(): unable to find clock source (clock %d)\n", + __func__, clock); + goto err; + } + /* get the number of sample rates first by only fetching 2 bytes */ ret = snd_usb_ctl_msg(dev, usb_rcvctrlpipe(dev, 0), UAC2_CS_RANGE, USB_TYPE_CLASS | USB_RECIP_INTERFACE | USB_DIR_IN, From 11bcbc443a17653c65bc20029172fae76f4bcca4 Mon Sep 17 00:00:00 2001 From: Daniel Mack Date: Fri, 11 Jun 2010 17:34:20 +0200 Subject: [PATCH 3/9] ALSA: usb-audio: fix control messages for USB_RECIP_INTERFACE Control messages directed to an interface must have the interface number set in the lower 8 bits of wIndex. This wasn't done correctly for some clock and mixer messages. Signed-off-by: Daniel Mack Reported-by: Alex Lee Signed-off-by: Takashi Iwai --- sound/usb/clock.c | 12 ++++++++---- sound/usb/format.c | 6 ++++-- sound/usb/helper.h | 4 ++++ 3 files changed, 16 insertions(+), 6 deletions(-) diff --git a/sound/usb/clock.c b/sound/usb/clock.c index b7aadd614c70..b5855114667e 100644 --- a/sound/usb/clock.c +++ b/sound/usb/clock.c @@ -103,7 +103,8 @@ static int uac_clock_selector_get_val(struct snd_usb_audio *chip, int selector_i ret = snd_usb_ctl_msg(chip->dev, usb_rcvctrlpipe(chip->dev, 0), UAC2_CS_CUR, USB_RECIP_INTERFACE | USB_TYPE_CLASS | USB_DIR_IN, - UAC2_CX_CLOCK_SELECTOR << 8, selector_id << 8, + UAC2_CX_CLOCK_SELECTOR << 8, + snd_usb_ctrl_intf(chip) | (selector_id << 8), &buf, sizeof(buf), 1000); if (ret < 0) @@ -120,7 +121,8 @@ static bool uac_clock_source_is_valid(struct snd_usb_audio *chip, int source_id) err = snd_usb_ctl_msg(dev, usb_rcvctrlpipe(dev, 0), UAC2_CS_CUR, USB_TYPE_CLASS | USB_RECIP_INTERFACE | USB_DIR_IN, - UAC2_CS_CONTROL_CLOCK_VALID << 8, source_id << 8, + UAC2_CS_CONTROL_CLOCK_VALID << 8, + snd_usb_ctrl_intf(chip) | (source_id << 8), &data, sizeof(data), 1000); if (err < 0) { @@ -269,7 +271,8 @@ static int set_sample_rate_v2(struct snd_usb_audio *chip, int iface, data[3] = rate >> 24; if ((err = snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), UAC2_CS_CUR, USB_TYPE_CLASS | USB_RECIP_INTERFACE | USB_DIR_OUT, - UAC2_CS_CONTROL_SAM_FREQ << 8, clock << 8, + UAC2_CS_CONTROL_SAM_FREQ << 8, + snd_usb_ctrl_intf(chip) | (clock << 8), data, sizeof(data), 1000)) < 0) { snd_printk(KERN_ERR "%d:%d:%d: cannot set freq %d (v2)\n", dev->devnum, iface, fmt->altsetting, rate); @@ -278,7 +281,8 @@ static int set_sample_rate_v2(struct snd_usb_audio *chip, int iface, if ((err = snd_usb_ctl_msg(dev, usb_rcvctrlpipe(dev, 0), UAC2_CS_CUR, USB_TYPE_CLASS | USB_RECIP_INTERFACE | USB_DIR_IN, - UAC2_CS_CONTROL_SAM_FREQ << 8, clock << 8, + UAC2_CS_CONTROL_SAM_FREQ << 8, + snd_usb_ctrl_intf(chip) | (clock << 8), data, sizeof(data), 1000)) < 0) { snd_printk(KERN_WARNING "%d:%d:%d: cannot get freq (v2)\n", dev->devnum, iface, fmt->altsetting); diff --git a/sound/usb/format.c b/sound/usb/format.c index df5b29fed000..8eccf17a4ac6 100644 --- a/sound/usb/format.c +++ b/sound/usb/format.c @@ -227,7 +227,8 @@ static int parse_audio_format_rates_v2(struct snd_usb_audio *chip, /* get the number of sample rates first by only fetching 2 bytes */ ret = snd_usb_ctl_msg(dev, usb_rcvctrlpipe(dev, 0), UAC2_CS_RANGE, USB_TYPE_CLASS | USB_RECIP_INTERFACE | USB_DIR_IN, - UAC2_CS_CONTROL_SAM_FREQ << 8, clock << 8, + UAC2_CS_CONTROL_SAM_FREQ << 8, + snd_usb_ctrl_intf(chip) | (clock << 8), tmp, sizeof(tmp), 1000); if (ret < 0) { @@ -247,7 +248,8 @@ static int parse_audio_format_rates_v2(struct snd_usb_audio *chip, /* now get the full information */ ret = snd_usb_ctl_msg(dev, usb_rcvctrlpipe(dev, 0), UAC2_CS_RANGE, USB_TYPE_CLASS | USB_RECIP_INTERFACE | USB_DIR_IN, - UAC2_CS_CONTROL_SAM_FREQ << 8, clock << 8, + UAC2_CS_CONTROL_SAM_FREQ << 8, + snd_usb_ctrl_intf(chip) | (clock << 8), data, data_size, 1000); if (ret < 0) { diff --git a/sound/usb/helper.h b/sound/usb/helper.h index a6b0e51b3a9a..09bd943c43bf 100644 --- a/sound/usb/helper.h +++ b/sound/usb/helper.h @@ -28,5 +28,9 @@ unsigned char snd_usb_parse_datainterval(struct snd_usb_audio *chip, #define snd_usb_get_speed(dev) ((dev)->speed) #endif +static inline int snd_usb_ctrl_intf(struct snd_usb_audio *chip) +{ + return get_iface_desc(chip->ctrl_intf)->bInterfaceNumber; +} #endif /* __USBAUDIO_HELPER_H */ From 67c103664a06fa590f2990c01773dfa1dffcefdc Mon Sep 17 00:00:00 2001 From: Daniel Mack Date: Fri, 11 Jun 2010 17:46:33 +0200 Subject: [PATCH 4/9] ALSA: usb-audio: parse UAC2 sample rate ranges correctly A device may report its supported sample rates in ranges rather than in discrete triplets. The code used to only parse the MIN field instead of properly paying attention to the MAX and RES values. Also, handle RES values of 1 correctly and announce a continous sample rate range in this case. Signed-off-by: Daniel Mack Reported-by: Alex Lee Signed-off-by: Takashi Iwai --- sound/usb/format.c | 92 +++++++++++++++++++++++++++++++++++++--------- 1 file changed, 74 insertions(+), 18 deletions(-) diff --git a/sound/usb/format.c b/sound/usb/format.c index 8eccf17a4ac6..30364aba79cc 100644 --- a/sound/usb/format.c +++ b/sound/usb/format.c @@ -205,6 +205,60 @@ static int parse_audio_format_rates_v1(struct snd_usb_audio *chip, struct audiof return 0; } +/* + * Helper function to walk the array of sample rate triplets reported by + * the device. The problem is that we need to parse whole array first to + * get to know how many sample rates we have to expect. + * Then fp->rate_table can be allocated and filled. + */ +static int parse_uac2_sample_rate_range(struct audioformat *fp, int nr_triplets, + const unsigned char *data) +{ + int i, nr_rates = 0; + + fp->rates = fp->rate_min = fp->rate_max = 0; + + for (i = 0; i < nr_triplets; i++) { + int min = combine_quad(&data[2 + 12 * i]); + int max = combine_quad(&data[6 + 12 * i]); + int res = combine_quad(&data[10 + 12 * i]); + int rate; + + if ((max < 0) || (min < 0) || (res < 0) || (max < min)) + continue; + + /* + * for ranges with res == 1, we announce a continuous sample + * rate range, and this function should return 0 for no further + * parsing. + */ + if (res == 1) { + fp->rate_min = min; + fp->rate_max = max; + fp->rates = SNDRV_PCM_RATE_CONTINUOUS; + return 0; + } + + for (rate = min; rate <= max; rate += res) { + if (fp->rate_table) + fp->rate_table[nr_rates] = rate; + if (!fp->rate_min || rate < fp->rate_min) + fp->rate_min = rate; + if (!fp->rate_max || rate > fp->rate_max) + fp->rate_max = rate; + fp->rates |= snd_pcm_rate_to_rate_bit(rate); + + nr_rates++; + + /* avoid endless loop */ + if (res == 0) + break; + } + } + + return nr_rates; +} + /* * parse the format descriptor and stores the possible sample rates * on the audioformat table (audio class v2). @@ -215,7 +269,7 @@ static int parse_audio_format_rates_v2(struct snd_usb_audio *chip, { struct usb_device *dev = chip->dev; unsigned char tmp[2], *data; - int i, nr_rates, data_size, ret = 0; + int nr_triplets, data_size, ret = 0; int clock = snd_usb_clock_find_source(chip, chip->ctrl_intf, fp->clock); if (clock < 0) { @@ -237,8 +291,8 @@ static int parse_audio_format_rates_v2(struct snd_usb_audio *chip, goto err; } - nr_rates = (tmp[1] << 8) | tmp[0]; - data_size = 2 + 12 * nr_rates; + nr_triplets = (tmp[1] << 8) | tmp[0]; + data_size = 2 + 12 * nr_triplets; data = kzalloc(data_size, GFP_KERNEL); if (!data) { ret = -ENOMEM; @@ -259,26 +313,28 @@ static int parse_audio_format_rates_v2(struct snd_usb_audio *chip, goto err_free; } - fp->rate_table = kmalloc(sizeof(int) * nr_rates, GFP_KERNEL); + /* Call the triplet parser, and make sure fp->rate_table is NULL. + * We just use the return value to know how many sample rates we + * will have to deal with. */ + kfree(fp->rate_table); + fp->rate_table = NULL; + fp->nr_rates = parse_uac2_sample_rate_range(fp, nr_triplets, data); + + if (fp->nr_rates == 0) { + /* SNDRV_PCM_RATE_CONTINUOUS */ + ret = 0; + goto err_free; + } + + fp->rate_table = kmalloc(sizeof(int) * fp->nr_rates, GFP_KERNEL); if (!fp->rate_table) { ret = -ENOMEM; goto err_free; } - fp->nr_rates = 0; - fp->rate_min = fp->rate_max = 0; - - for (i = 0; i < nr_rates; i++) { - int rate = combine_quad(&data[2 + 12 * i]); - - fp->rate_table[fp->nr_rates] = rate; - if (!fp->rate_min || rate < fp->rate_min) - fp->rate_min = rate; - if (!fp->rate_max || rate > fp->rate_max) - fp->rate_max = rate; - fp->rates |= snd_pcm_rate_to_rate_bit(rate); - fp->nr_rates++; - } + /* Call the triplet parser again, but this time, fp->rate_table is + * allocated, so the rates will be stored */ + parse_uac2_sample_rate_range(fp, nr_triplets, data); err_free: kfree(data); From e8bdb6bbab60a8731f21823c86391f176d052348 Mon Sep 17 00:00:00 2001 From: Daniel Mack Date: Fri, 11 Jun 2010 17:34:22 +0200 Subject: [PATCH 5/9] ALSA: usb-audio: fix UAC2 control value queries For RANGE requests, we should only query as much bytes as we're in fact interested in. For CUR requests, we shouldn't confuse the firmware with an overlong request but just ask for 2 bytes. This might need fixing in the future as it's not entirely clear when to dispatch 1-byte, 2-byte and 4-byte request blocks. For now, we assume everything is coded in 16bit - this works for all firmware implementations I've seen. Signed-off-by: Daniel Mack Reported-by: Alex Lee Signed-off-by: Takashi Iwai --- sound/usb/mixer.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c index a060d005e209..6939d0f517d9 100644 --- a/sound/usb/mixer.c +++ b/sound/usb/mixer.c @@ -297,20 +297,27 @@ static int get_ctl_value_v1(struct usb_mixer_elem_info *cval, int request, int v static int get_ctl_value_v2(struct usb_mixer_elem_info *cval, int request, int validx, int *value_ret) { - unsigned char buf[14]; /* enough space for one range of 4 bytes */ + unsigned char buf[2 + 3*sizeof(__u16)]; /* enough space for one range */ unsigned char *val; - int ret; + int ret, size; __u8 bRequest; - bRequest = (request == UAC_GET_CUR) ? - UAC2_CS_CUR : UAC2_CS_RANGE; + if (request == UAC_GET_CUR) { + bRequest = UAC2_CS_CUR; + size = sizeof(__u16); + } else { + bRequest = UAC2_CS_RANGE; + size = sizeof(buf); + } + + memset(buf, 0, sizeof(buf)); ret = snd_usb_ctl_msg(cval->mixer->chip->dev, usb_rcvctrlpipe(cval->mixer->chip->dev, 0), bRequest, USB_RECIP_INTERFACE | USB_TYPE_CLASS | USB_DIR_IN, validx, cval->mixer->ctrlif | (cval->id << 8), - buf, sizeof(buf), 1000); + buf, size, 1000); if (ret < 0) { snd_printk(KERN_ERR "cannot get ctl value: req = %#x, wValue = %#x, wIndex = %#x, type = %d\n", @@ -318,6 +325,8 @@ static int get_ctl_value_v2(struct usb_mixer_elem_info *cval, int request, int v return ret; } + /* FIXME: how should we handle multiple triplets here? */ + switch (request) { case UAC_GET_CUR: val = buf; From b8f171e7e7ed5c9b77324bcc6bb580ddcc84da49 Mon Sep 17 00:00:00 2001 From: Alex Murray Date: Mon, 14 Jun 2010 12:08:43 +0930 Subject: [PATCH 6/9] ALSA: hda - Fix line-in for mb5 model MacBook (Pro) 5,1 / 5,2 The line-in input is 0x7 not 0x2 for MacBook (Pro) 5,1 / 5,2 models Signed-off-by: Alex Murray Signed-off-by: Takashi Iwai --- sound/pci/hda/patch_realtek.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c index f6cd8ed3272f..f1ce7d7f5aa3 100644 --- a/sound/pci/hda/patch_realtek.c +++ b/sound/pci/hda/patch_realtek.c @@ -6950,7 +6950,7 @@ static struct hda_input_mux mb5_capture_source = { .num_items = 3, .items = { { "Mic", 0x1 }, - { "Line", 0x2 }, + { "Line", 0x7 }, { "CD", 0x4 }, }, }; @@ -7471,8 +7471,8 @@ static struct snd_kcontrol_new alc885_mb5_mixer[] = { HDA_BIND_MUTE ("LFE Playback Switch", 0x0e, 0x02, HDA_INPUT), HDA_CODEC_VOLUME("Headphone Playback Volume", 0x0f, 0x00, HDA_OUTPUT), HDA_BIND_MUTE ("Headphone Playback Switch", 0x0f, 0x02, HDA_INPUT), - HDA_CODEC_VOLUME("Line Playback Volume", 0x0b, 0x02, HDA_INPUT), - HDA_CODEC_MUTE ("Line Playback Switch", 0x0b, 0x02, HDA_INPUT), + HDA_CODEC_VOLUME("Line Playback Volume", 0x0b, 0x07, HDA_INPUT), + HDA_CODEC_MUTE ("Line Playback Switch", 0x0b, 0x07, HDA_INPUT), HDA_CODEC_VOLUME("Mic Playback Volume", 0x0b, 0x01, HDA_INPUT), HDA_CODEC_MUTE ("Mic Playback Switch", 0x0b, 0x01, HDA_INPUT), HDA_CODEC_VOLUME("Line Boost", 0x15, 0x00, HDA_INPUT), @@ -7855,10 +7855,9 @@ static struct hda_verb alc885_mb5_init_verbs[] = { {0x15, AC_VERB_SET_PIN_WIDGET_CONTROL, PIN_IN}, {0x15, AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_MUTE}, - {0x24, AC_VERB_SET_AMP_GAIN_MUTE, AMP_IN_UNMUTE(1)}, - {0x24, AC_VERB_SET_AMP_GAIN_MUTE, AMP_IN_MUTE(3)}, - {0x24, AC_VERB_SET_AMP_GAIN_MUTE, AMP_IN_MUTE(2)}, - {0x24, AC_VERB_SET_AMP_GAIN_MUTE, AMP_IN_MUTE(4)}, + {0x24, AC_VERB_SET_AMP_GAIN_MUTE, AMP_IN_UNMUTE(0x1)}, + {0x24, AC_VERB_SET_AMP_GAIN_MUTE, AMP_IN_MUTE(0x7)}, + {0x24, AC_VERB_SET_AMP_GAIN_MUTE, AMP_IN_MUTE(0x4)}, { } }; From 5b61ea499727f22ebdaaeedb9801b12ed6eb59c7 Mon Sep 17 00:00:00 2001 From: Sudhakar Rajashekhara Date: Fri, 11 Jun 2010 19:24:51 +0530 Subject: [PATCH 7/9] ASoC: DaVinci: Fix McASP hardware FIFO configuration On DA830/OMAP-L137 and DA850/OMAP-L138 SoCs, the McASP peripheral has FIFO support. This FIFO provides additional data buffering. It also provides tolerance to variation in host/DMA controller response times. More details of the FIFO operation can be found at http://focus.ti.com/general/docs/lit/getliterature.tsp?literatureNumber=sprufm1&fileType=pdf Existing sequence of steps for audio playback/capture are: a. DMA configuration b. McASP configuration (configures and enables FIFO) c. Start DMA d. Start McASP (enables FIFO) During McASP configuration, while FIFO was being configured, FIFO was being enabled in davinci_hw_common_param() function of sound/soc/davinci/davinci-mcasp.c file. This generated a transmit DMA event, which gets serviced when DMA is started. https://patchwork.kernel.org/patch/84611/ patch clears the DMA events before starting DMA, which is the right thing to do. But this resulted in a state where DMA was waiting for an event from McASP (after step c above), but the event which was already there, has got cleared (because of step b above). The fix is not to enable the FIFO during McASP configuration as FIFO was being enabled as part of McASP start. Signed-off-by: Sudhakar Rajashekhara Acked-by: Liam Girdwood Signed-off-by: Mark Brown --- sound/soc/davinci/davinci-mcasp.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/sound/soc/davinci/davinci-mcasp.c b/sound/soc/davinci/davinci-mcasp.c index 79f0f4ad242c..d3955096d872 100644 --- a/sound/soc/davinci/davinci-mcasp.c +++ b/sound/soc/davinci/davinci-mcasp.c @@ -612,7 +612,6 @@ static void davinci_hw_common_param(struct davinci_audio_dev *dev, int stream) NUMDMA_MASK); mcasp_mod_bits(dev->base + DAVINCI_MCASP_WFIFOCTL, ((dev->txnumevt * tx_ser) << 8), NUMEVT_MASK); - mcasp_set_bits(dev->base + DAVINCI_MCASP_WFIFOCTL, FIFO_ENABLE); } if (dev->rxnumevt && stream == SNDRV_PCM_STREAM_CAPTURE) { @@ -623,7 +622,6 @@ static void davinci_hw_common_param(struct davinci_audio_dev *dev, int stream) NUMDMA_MASK); mcasp_mod_bits(dev->base + DAVINCI_MCASP_RFIFOCTL, ((dev->rxnumevt * rx_ser) << 8), NUMEVT_MASK); - mcasp_set_bits(dev->base + DAVINCI_MCASP_RFIFOCTL, FIFO_ENABLE); } } From 2a383cb3f1a571b281c2e1ace4c8491f0370e866 Mon Sep 17 00:00:00 2001 From: Eliot Blennerhassett Date: Thu, 17 Jun 2010 17:08:36 +1200 Subject: [PATCH 8/9] ALSA: asihpi - Get rid of incorrect "long" types and casts. These give incorrect results for index wrap on 64 bit. Signed-off-by: Eliot Blennerhassett Signed-off-by: Takashi Iwai --- sound/pci/asihpi/hpi6205.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/sound/pci/asihpi/hpi6205.c b/sound/pci/asihpi/hpi6205.c index e89991ea3543..3b4413448226 100644 --- a/sound/pci/asihpi/hpi6205.c +++ b/sound/pci/asihpi/hpi6205.c @@ -941,11 +941,11 @@ static void outstream_host_buffer_free(struct hpi_adapter_obj *pao, } -static long outstream_get_space_available(struct hpi_hostbuffer_status +static u32 outstream_get_space_available(struct hpi_hostbuffer_status *status) { - return status->size_in_bytes - ((long)(status->host_index) - - (long)(status->dSP_index)); + return status->size_in_bytes - (status->host_index - + status->dSP_index); } static void outstream_write(struct hpi_adapter_obj *pao, @@ -954,7 +954,7 @@ static void outstream_write(struct hpi_adapter_obj *pao, struct hpi_hw_obj *phw = pao->priv; struct bus_master_interface *interface = phw->p_interface_buffer; struct hpi_hostbuffer_status *status; - long space_available; + u32 space_available; if (!phw->outstream_host_buffer_size[phm->obj_index]) { /* there is no BBM buffer, write via message */ @@ -1007,7 +1007,7 @@ static void outstream_write(struct hpi_adapter_obj *pao, } space_available = outstream_get_space_available(status); - if (space_available < (long)phm->u.d.u.data.data_size) { + if (space_available < phm->u.d.u.data.data_size) { phr->error = HPI_ERROR_INVALID_DATASIZE; return; } @@ -1018,7 +1018,7 @@ static void outstream_write(struct hpi_adapter_obj *pao, && hpios_locked_mem_valid(&phw->outstream_host_buffers[phm-> obj_index])) { u8 *p_bbm_data; - long l_first_write; + u32 l_first_write; u8 *p_app_data = (u8 *)phm->u.d.u.data.pb_data; if (hpios_locked_mem_get_virt_addr(&phw-> @@ -1248,9 +1248,9 @@ static void instream_start(struct hpi_adapter_obj *pao, hw_message(pao, phm, phr); } -static long instream_get_bytes_available(struct hpi_hostbuffer_status *status) +static u32 instream_get_bytes_available(struct hpi_hostbuffer_status *status) { - return (long)(status->dSP_index) - (long)(status->host_index); + return status->dSP_index - status->host_index; } static void instream_read(struct hpi_adapter_obj *pao, @@ -1259,9 +1259,9 @@ static void instream_read(struct hpi_adapter_obj *pao, struct hpi_hw_obj *phw = pao->priv; struct bus_master_interface *interface = phw->p_interface_buffer; struct hpi_hostbuffer_status *status; - long data_available; + u32 data_available; u8 *p_bbm_data; - long l_first_read; + u32 l_first_read; u8 *p_app_data = (u8 *)phm->u.d.u.data.pb_data; if (!phw->instream_host_buffer_size[phm->obj_index]) { @@ -1272,7 +1272,7 @@ static void instream_read(struct hpi_adapter_obj *pao, status = &interface->instream_host_buffer_status[phm->obj_index]; data_available = instream_get_bytes_available(status); - if (data_available < (long)phm->u.d.u.data.data_size) { + if (data_available < phm->u.d.u.data.data_size) { phr->error = HPI_ERROR_INVALID_DATASIZE; return; } From 272cbc98cfbdd30cff37a35f8ad8f1b737288e88 Mon Sep 17 00:00:00 2001 From: Jiri Slaby Date: Mon, 21 Jun 2010 17:03:21 +0200 Subject: [PATCH 9/9] ALSA: usb/endpoint, fix dangling pointer use Stanse found that in snd_usb_parse_audio_endpoints, there is a dangling pointer dereference. When snd_usb_parse_audio_format fails, fp is freed, and continue invoked. On the next loop, there is "fp && fp->altsetting == 1 && fp->channels == 1" test, but fp is set from the last iteration (but is bogus) and thus ilegally dereferenced. Set fp to NULL before "continue". Signed-off-by: Jiri Slaby Acked-by: Daniel Mack Signed-off-by: Takashi Iwai --- sound/usb/endpoint.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c index 9593b91452b9..6f6596cf2b19 100644 --- a/sound/usb/endpoint.c +++ b/sound/usb/endpoint.c @@ -427,6 +427,7 @@ int snd_usb_parse_audio_endpoints(struct snd_usb_audio *chip, int iface_no) if (snd_usb_parse_audio_format(chip, fp, format, fmt, stream, alts) < 0) { kfree(fp->rate_table); kfree(fp); + fp = NULL; continue; }