Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp2979224imu; Sun, 9 Dec 2018 14:10:18 -0800 (PST) X-Google-Smtp-Source: AFSGD/Vwz9Y2NXAK1fK1dAu0o0TEYv6EJ72e9mZW/MqjDJ2Pmj3c1U2t16woPCf2DHMRd+oU/LTU X-Received: by 2002:a62:2606:: with SMTP id m6mr9827629pfm.133.1544393418896; Sun, 09 Dec 2018 14:10:18 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1544393418; cv=none; d=google.com; s=arc-20160816; b=F1zHbSjV9ElyD+CL3ImXGb+idzqzQ33ZZUkUSQwMyFOuUJclnVeWj4kxfgK6/oNhjv eyQFctWHjotM/krITxLI7HHoVqVjnlMAI5+y8ItRl4d8qduZReWN7d1cX/lj2QCtehnB ydlfIetrhU7vt+u3bhS34LKF4qUgHq5ePMDZJjywFcVq0s6cRvT9Io4Hf1uIA7Qdm7/I ROco3zjSzfJLA0mtbOv2fmaFesiX4qc4SLxFu6JeFoWcTCTtUfSmAwgIzVPN55DWkTPL nJGHG7FTDMZz2bU/0Hb8cHuv7/ART0eQQSymHK37ajYNVU4YJ2fZR9Zio5QiX30h0a1M S1JQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to :from:mime-version:content-transfer-encoding:content-disposition; bh=L01ET7jLlEuAmeaYKH1J91TdTw2xWWJI31h9g6hLcOY=; b=zVn/AKZS/38TYbThuE2DXEJls90g7fDLTZFMmfTGScw1q8IwIAn4t65IXcxrKleaKN MhkBOFcUj33roNMT+a/ZPXGJ0FcBjK2bSRjWjvE0EzFeiPhkgW9v1TEvs5RNjBUMD+2Q zmEmaajr1A9DzlRjJ8mh8klRH1MRUOsNK5lCrfsP05moyCzouUJ/rILbz9/0eJhjzJbI NQocBDKP9HcMHDkt+vvp0Cg3LwDZP/un2Fhe3YJe7M0M91R85DpGA49rXeJHEKUjt8K0 Qr1QFm0AFFJd4WW/5pnQUT2vVrm2EZxtwTEireeyGM1S/4GXQHMOYHYWhgedh5/BDTON VSJQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. 
[209.132.180.67]) by mx.google.com with ESMTP id p8si8560302pls.83.2018.12.09.14.10.03; Sun, 09 Dec 2018 14:10:18 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727897AbeLIWH3 (ORCPT + 99 others); Sun, 9 Dec 2018 17:07:29 -0500 Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:37212 "EHLO shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727887AbeLIWH0 (ORCPT ); Sun, 9 Dec 2018 17:07:26 -0500 Received: from pub.yeoldevic.com ([81.174.156.145] helo=deadeye) by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from ) id 1gW73L-0002if-II; Sun, 09 Dec 2018 21:55:55 +0000 Received: from ben by deadeye with local (Exim 4.91) (envelope-from ) id 1gW72a-0003HU-GG; Sun, 09 Dec 2018 21:55:08 +0000 Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 
From: Ben Hutchings To: linux-kernel@vger.kernel.org, stable@vger.kernel.org CC: akpm@linux-foundation.org, "Takashi Iwai" Date: Sun, 09 Dec 2018 21:50:33 +0000 Message-ID: X-Mailer: LinuxStableQueue (scripts by bwh) X-Patchwork-Hint: ignore Subject: [PATCH 3.16 067/328] ALSA: vx: Fix possible transfer overflow In-Reply-To: X-SA-Exim-Connect-IP: 81.174.156.145 X-SA-Exim-Mail-From: ben@decadent.org.uk X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.16.62-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Takashi Iwai commit 874e1f6fad9a5184b67f4cee37c1335cd2cc5677 upstream. The pseudo DMA transfer codes in VX222 and VX-pocket driver have a slight bug where they check the buffer boundary wrongly, and may overflow. Also, the zero sample count might be handled badly for the playback (although it shouldn't happen in theory). This patch addresses these issues. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=141541 Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings
---
 sound/drivers/vx/vx_pcm.c | 6 ++++-- sound/pci/vx222/vx222_ops.c | 12 ++++++------ sound/pcmcia/vx/vxp_ops.c | 12 ++++++------ 3 files changed, 16 insertions(+), 14 deletions(-)
--- a/sound/drivers/vx/vx_pcm.c
+++ b/sound/drivers/vx/vx_pcm.c
@@ -1071,8 +1071,10 @@ static void vx_pcm_capture_update(struct
 /* ok, let's accelerate! */
 int align = pipe->align * 3;
 space = (count / align) * align;
- vx_pseudo_dma_read(chip, runtime, pipe, space);
- count -= space;
+ if (space > 0) {
+ vx_pseudo_dma_read(chip, runtime, pipe, space);
+ count -= space;
+ }
 }
 /* read the rest of bytes */
 while (count > 0) {
--- a/sound/pci/vx222/vx222_ops.c
+++ b/sound/pci/vx222/vx222_ops.c
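Review bot: The new `if (space > 0)` guard in vx_pcm_capture_update() has no comment, and the commit message only mentions a zero sample count on the playback side, so a reader of this capture path cannot tell why the call is skipped. `space` is zero whenever `count` is smaller than `align`, so a one-line comment above the guard such as `/* less than one aligned block available: skip the pseudo-DMA read */` would record that. The enclosing function starts and ends outside the hunk.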
@@ -264,12 +264,12 @@ static void vx2_dma_write(struct vx_core /* Transfer using pseudo-dma. */ - if (offset + count > pipe->buffer_bytes) { + if (offset + count >= pipe->buffer_bytes) { int length = pipe->buffer_bytes - offset; count -= length; length >>= 2; /* in 32bit words */ /* Transfer using pseudo-dma. */ - while (length-- > 0) { + for (; length > 0; length--) { outl(cpu_to_le32(*addr), port); addr++; } @@ -279,7 +279,7 @@ static void vx2_dma_write(struct vx_core pipe->hw_ptr += count; count >>= 2; /* in 32bit words */ /* Transfer using pseudo-dma. */ - while (count-- > 0) { + for (; count > 0; count--) { outl(cpu_to_le32(*addr), port); addr++; } @@ -302,12 +302,12 @@ static void vx2_dma_read(struct vx_core vx2_setup_pseudo_dma(chip, 0); /* Transfer using pseudo-dma. */ - if (offset + count > pipe->buffer_bytes) { + if (offset + count >= pipe->buffer_bytes) { int length = pipe->buffer_bytes - offset; count -= length; length >>= 2; /* in 32bit words */ /* Transfer using pseudo-dma. */ - while (length-- > 0) + for (; length > 0; length--) *addr++ = le32_to_cpu(inl(port)); addr = (u32 *)runtime->dma_area; pipe->hw_ptr = 0; @@ -315,7 +315,7 @@ static void vx2_dma_read(struct vx_core pipe->hw_ptr += count; count >>= 2; /* in 32bit words */ /* Transfer using pseudo-dma. */ - while (count-- > 0) + for (; count > 0; count--) *addr++ = le32_to_cpu(inl(port)); vx2_release_pseudo_dma(chip); --- a/sound/pcmcia/vx/vxp_ops.c +++ b/sound/pcmcia/vx/vxp_ops.c @@ -369,12 +369,12 @@ static void vxp_dma_write(struct vx_core unsigned short *addr = (unsigned short *)(runtime->dma_area + offset); vx_setup_pseudo_dma(chip, 1); - if (offset + count > pipe->buffer_bytes) { + if (offset + count >= pipe->buffer_bytes) { int length = pipe->buffer_bytes - offset; count -= length; length >>= 1; /* in 16bit words */ /* Transfer using pseudo-dma. */ - while (length-- > 0) { + for (; length > 0; length--) { outw(cpu_to_le16(*addr), port); addr++; } 
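Review bot: In the wrap branch of vx2_dma_write() (`@@ -264`), nothing visible bounds `count` or `offset` against `pipe->buffer_bytes`: once `length` bytes up to the buffer end are transferred, the remaining `count` goes through the tail loop with no second check, so a `count` larger than the buffer would still run past its end, and an `offset` beyond `buffer_bytes` makes `length` negative. The same pattern appears in vx2_dma_read() (`@@ -302`), vxp_dma_write() (`@@ -369`) and vxp_dma_read() (`@@ -411`). Each function starts outside its hunk, so the callers or an earlier check may already guarantee this. If they do not, an early `if (snd_BUG_ON(count > pipe->buffer_bytes || offset > pipe->buffer_bytes)) return;` placed before the pseudo-DMA setup, next to the alignment check visible in vxp_dma_read(), would make the assumption explicit.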
@@ -384,7 +384,7 @@ static void vxp_dma_write(struct vx_core pipe->hw_ptr += count; count >>= 1; /* in 16bit words */ /* Transfer using pseudo-dma. */ - while (count-- > 0) { + for (; count > 0; count--) { outw(cpu_to_le16(*addr), port); addr++; } @@ -411,12 +411,12 @@ static void vxp_dma_read(struct vx_core if (snd_BUG_ON(count % 2)) return; vx_setup_pseudo_dma(chip, 0); - if (offset + count > pipe->buffer_bytes) { + if (offset + count >= pipe->buffer_bytes) { int length = pipe->buffer_bytes - offset; count -= length; length >>= 1; /* in 16bit words */ /* Transfer using pseudo-dma. */ - while (length-- > 0) + for (; length > 0; length--) *addr++ = le16_to_cpu(inw(port)); addr = (unsigned short *)runtime->dma_area; pipe->hw_ptr = 0; @@ -424,7 +424,7 @@ static void vxp_dma_read(struct vx_core pipe->hw_ptr += count; count >>= 1; /* in 16bit words */ /* Transfer using pseudo-dma. */ - while (count-- > 1) + for (; count > 1; count--) *addr++ = le16_to_cpu(inw(port)); /* Disable DMA */ pchip->regDIALOG &= ~VXP_DLG_DMAREAD_SEL_MASK;
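Review bot: With the `>=` test added in `@@ -411`, a transfer that ends exactly at the buffer end leaves `count == 0` when vxp_dma_read() reaches the tail in `@@ -424`, where the loop bound `count > 1` and the following `/* Disable DMA */` suggest that one final word is read separately after the hunk. If that final read is unconditional, the zero-count case would fetch one extra word from the port and store it at the start of `runtime->dma_area`, because `addr` was reset there in the wrap branch. The rest of the function is outside the hunk, so this needs confirming against the full body. If it holds, guarding only the final read with `if (count > 0)` while still disabling DMA would avoid the stray word.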