From mboxrd@z Thu Jan 1 00:00:00 1970 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Subject: Line6 podstudio UX1 - driver crash on usb_hcd_map_urb_for_dma From: Greg Kroah-Hartman Message-Id: <20190427184244.GB5213@kroah.com> Date: Sat, 27 Apr 2019 20:42:45 +0200 To: Alan Stern Cc: Christo Gouws , linux-usb@vger.kernel.org List-ID: T24gU2F0LCBBcHIgMjcsIDIwMTkgYXQgMDg6MjQ6MzJQTSArMDIwMCwgR3JlZyBLSCB3cm90ZToK PiBPbiBTYXQsIEFwciAyNywgMjAxOSBhdCAwODowNzoyOFBNICswMjAwLCBHcmVnIEtIIHdyb3Rl Ogo+ID4gT24gU2F0LCBBcHIgMjcsIDIwMTkgYXQgMTE6MzQ6MDNBTSAtMDQwMCwgQWxhbiBTdGVy biB3cm90ZToKPiA+ID4gT24gU2F0LCAyNyBBcHIgMjAxOSwgR3JlZyBLSCB3cm90ZToKPiA+ID4g Cj4gPiA+ID4gT24gRnJpLCBBcHIgMjYsIDIwMTkgYXQgMTE6NTA6MTRBTSArMDIwMCwgQ2hyaXN0 byBHb3V3cyB3cm90ZToKPiA+ID4gPiA+IEhpLAo+ID4gPiA+ID4gCj4gPiA+ID4gPiBJIGhhdmUg YSBMaW5lNiBQb2QgU3R1ZGlvIFVYMSBjYXJkLCBidXQgZWFjaCB0aW1lIEkgcGx1ZyBpdCBpbiwg SSBnZXQKPiA+ID4gPiA+IHRoZSBmb2xsb3dpbmcgY3Jhc2ggaW4gZG1lc2cgb24gVWJ1bnR1IDE4 LjA0Cj4gPiA+ID4gPiBMaW51eCBteS1wYyA0LjIwLjgtMDQyMDA4LWdlbmVyaWMgIzIwMTkwMjEy MTU0NCBTTVAgVHVlIEZlYiAxMgo+ID4gPiA+ID4gMjA6NDY6NTAgVVRDIDIwMTkgeDg2XzY0IHg4 Nl82NCB4ODZfNjQgR05VL0xpbnV4Cj4gPiA+ID4gPiAKPiA+ID4gPiA+IEkndmUgYWxzbyB0ZXN0 ZWQgdGhpcyB3aXRoIGEgRmVkb3JhIDMwIHY1LjAuNi0zMDAga2VybmVsLCBidXQgc3RpbGwKPiA+ ID4gPiA+IHNlZW1zIHRvIGhhcHBlbiAodXNpbmcgbGl2ZUNEKS4KPiA+ID4gPiA+IAo+ID4gPiA+ ID4gCj4gPiA+ID4gPiBUaGUgb3V0cHV0IG9uIHRoZSBjYXJkIHNlZW1zIHRvIHdvcmssIGJ1dCBu b25lIG9mIHRoZSBpbnB1dHMgd29yay4KPiA+ID4gPiA+IAo+ID4gPiA+ID4gSSd2ZSBhbHNvIG5v dyB0ZXN0ZWQgd2l0aCBsYXRlc3Qga2VybmVsIGF2YWlsYWJsZSBvbiBBcmNoIExpbnV4Cj4gPiA+ ID4gPiBMaW51eCBteS1wYyA1LjAuOS1hcmNoMS0xLUFSQ0ggIzEgU01QIFBSRUVNUFQgU2F0IEFw ciAyMCAxNTowMDo0NiBVVEMKPiA+ID4gPiA+IDIwMTkgeDg2XzY0IEdOVS9MaW51eAo+ID4gPiA+ ID4gCj4gPiA+ID4gPiBBZnRlciBzb21lIGZ1cnRoZXIgdGVzdGluZywgSSBmb3VuZCB0aGF0IHRo aXMgaXNzdWUgY3JvcHBlZCBpbiBiZXdlZW4KPiA+ID4gPiA+IHY0LjguMTcgYW5kIHY0LjktcmMx Lgo+ID4gPiA+ID4gCj4gPiA+ID4gPiB2NC44LjE3ICAgLSBXb3JrcyBmaW5lLgo+ID4gPiA+ID4g djQuOS1yYzErICAtIFByb2R1Y2VzIGNyYXNoCj4gPiA+ID4gCj4gPiA+ID4gQW55IGNoYW5jZSB5 b3UgY2FuIHVzZSAnZ2l0IGJpc2VjdCcgdG8gZmluZCB0aGUgZXhhY3QgY29tbWl0IHRoYXQgY2F1 c2VkCj4gPiA+ID4gdGhlIGZhaWx1cmU/Cj4gPiA+IAo+ID4gPiBObyBuZWVkLiAgVGhlIGJ1ZyBp cyBpbiBsaW5lNl9yZWFkX2RhdGEoKSBpbiBzb3VuZC91c2IvbGluZTYvZHJpdmVyLmMuICAKPiA+ ID4gVGhhdCByb3V0aW5lIHBhc3NlcyBhbiBpbnZhbGlkIGJ1ZmZlciB0byB1c2JfY29udHJvbF9t ZXNzYWdlKCkuICAKPiA+ID4gSW5zdGVhZCBpdCBzaG91bGQgYWxsb2NhdGUgaXRzIG93biBidWZm ZXIgZm9yIHRoZSBVU0IgdHJhbnNmZXIgYW5kIHRoZW4KPiA+ID4gY29weSB0aGUgdmFsdWUgdG8g dGhlIGNhbGxlcidzIGJ1ZmZlci4KPiA+ID4gCj4gPiA+IFRoZXJlIGlzIGEgc2ltaWxhciBwcm9i bGVtIGluIGxpbmU2X3dyaXRlX2RhdGEoKS4gIEZ1cnRoZXJtb3JlLCBib3RoCj4gPiA+IHJvdXRp bmVzIGRvIERNQSB0by9mcm9tIGEgYnVmZmVyIG9uIHRoZSBzdGFjay4KPiA+IAo+ID4gSSBoYXZl IGFuIG9sZCBwYXRjaCBpbiBteSBsb2NhbCB0cmVlIGZvciB0aGUgZG1hIGJ1ZmZlciBvbiB0aGUg c3RhY2sKPiA+IGlzc3VlLCBpdCdzIGJlbG93LiAgSSBzaG91bGQgY2xlYW4gaXQgdXAgYW5kIHNl bmQgaXQgY29ycmVjdGx5IG9uZSBvZgo+ID4gdGhlc2UgZGF5cyA6KQo+IAo+IEJ1dCwgaW4gcmVh ZGluZyB5b3VyIHJlc3BvbnNlLCBpdCBkb2Vzbid0IGZpeCB0aGUgcmVwb3J0ZWQgaXNzdWUgaGVy ZS4KPiBMZXQgbWUgZ28gYXVkaXQgdGhlIHdob2xlIGRyaXZlciBhbmQgZml4IGl0IHVwIGFuZCBh ZGQgaXQgdG8gbXkgb3JpZ2luYWwKPiBwYXRjaC4uLgoKT2ssIGhlcmUncyBhIHBhdGNoIHRoYXQg c2hvdWxkIGJlICJjb21wbGV0ZSIuCgpDaHJpc3RvLCBjYW4geW91IHRlc3QgdGhpcyBvdXQgYW5k IGxldCB1cyBrbm93IGlmIGl0IGZpeGVzIHRoZSBpc3N1ZSBmb3IKeW91IG9yIG5vdD8KCnRoYW5r cywKCmdyZWcgay1oCgotLS0tLS0tLS0tLS0tLS0KCkZyb20gZTJjNzQzZDFmOTAwMTM1YzNlNTYw Y2Q5ZWExNjQ3ZTRhMWViY2U3YSBNb24gU2VwIDE3IDAwOjAwOjAwIDIwMDEKRnJvbTogR3JlZyBL cm9haC1IYXJ0bWFuIDxncmVna2hAbGludXhmb3VuZGF0aW9uLm9yZz4KRGF0ZTogV2VkLCAyMyBK YW4gMjAxOSAxMTowMTo0NiArMDEwMApTdWJqZWN0OiBbUEFUQ0hdIHNvdW5kOiBVU0I6IGxpbmU2 OiB1c2UgZHluYW1pYyBidWZmZXJzCgpUaGUgbGluZTYgZHJpdmVyIHVzZXMgYSBsb3Qgb2YgVVNC IGJ1ZmZlcnMgb2ZmIG9mIHRoZSBzdGFjaywgd2hpY2ggaXMKbm90IGFsbG93ZWQgb24gbWFueSBz eXN0ZW1zLiAgRml4IHRoaXMgdXAgYnkgZHluYW1pY2FsbHkgYWxsb2NhdGluZyB0aGUKYnVmZmVy cyB3aXRoIGttYWxsb2MoKSB3aGljaCBhbGxvd3MgZm9yIHByb3BlciBETUEtYWJsZSBtZW1vcnku CgpTaWduZWQtb2ZmLWJ5OiBHcmVnIEtyb2FoLUhhcnRtYW4gPGdyZWdraEBsaW51eGZvdW5kYXRp b24ub3JnPgpDYzogc3RhYmxlIDxzdGFibGVAdmdlci5rZXJuZWwub3JnPgotLS0KIHNvdW5kL3Vz Yi9saW5lNi9kcml2ZXIuYyAgIHwgICA2MCArKysrKysrKysrKysrKysrKysrKysrKysrKy0tLS0t LS0tLS0tLS0tLS0tLS0KIHNvdW5kL3VzYi9saW5lNi9wb2RoZC5jICAgIHwgICAyMSArKysrKysr KystLS0tLS0KIHNvdW5kL3VzYi9saW5lNi90b25lcG9ydC5jIHwgICAyMyArKysrKysrKysrKyst LS0tLQogMyBmaWxlcyBjaGFuZ2VkLCA2NCBpbnNlcnRpb25zKCspLCA0MCBkZWxldGlvbnMoLSkK Ci0tLSBhL3NvdW5kL3VzYi9saW5lNi9kcml2ZXIuYworKysgYi9zb3VuZC91c2IvbGluZTYvZHJp dmVyLmMKQEAgLTM1MSwxMiArMzUxLDE2IEBAIGludCBsaW5lNl9yZWFkX2RhdGEoc3RydWN0IHVz Yl9saW5lNiAqbGkKIHsKIAlzdHJ1Y3QgdXNiX2RldmljZSAqdXNiZGV2ID0gbGluZTYtPnVzYmRl djsKIAlpbnQgcmV0OwotCXVuc2lnbmVkIGNoYXIgbGVuOworCXVuc2lnbmVkIGNoYXIgKmxlbjsK IAl1bnNpZ25lZCBjb3VudDsKIAogCWlmIChhZGRyZXNzID4gMHhmZmZmIHx8IGRhdGFsZW4gPiAw eGZmKQogCQlyZXR1cm4gLUVJTlZBTDsKIAorCWxlbiA9IGttYWxsb2Moc2l6ZW9mKCpsZW4pLCBH RlBfS0VSTkVMKTsKKwlpZiAoIWxlbikKKwkJcmV0dXJuIC1FTk9NRU07CisKIAkvKiBxdWVyeSB0 aGUgc2VyaWFsIG51bWJlcjogKi8KIAlyZXQgPSB1c2JfY29udHJvbF9tc2codXNiZGV2LCB1c2Jf c25kY3RybHBpcGUodXNiZGV2LCAwKSwgMHg2NywKIAkJCSAgICAgIFVTQl9UWVBFX1ZFTkRPUiB8 IFVTQl9SRUNJUF9ERVZJQ0UgfCBVU0JfRElSX09VVCwKQEAgLTM2NSw3ICszNjksNyBAQCBpbnQg bGluZTZfcmVhZF9kYXRhKHN0cnVjdCB1c2JfbGluZTYgKmxpCiAKIAlpZiAocmV0IDwgMCkgewog CQlkZXZfZXJyKGxpbmU2LT5pZmNkZXYsICJyZWFkIHJlcXVlc3QgZmFpbGVkIChlcnJvciAlZClc biIsIHJldCk7Ci0JCXJldHVybiByZXQ7CisJCWdvdG8gZXhpdDsKIAl9CiAKIAkvKiBXYWl0IGZv ciBkYXRhIGxlbmd0aC4gV2UnbGwgZ2V0IDB4ZmYgdW50aWwgbGVuZ3RoIGFycml2ZXMuICovCkBA IC0zNzUsMjggKzM3OSwyOSBAQCBpbnQgbGluZTZfcmVhZF9kYXRhKHN0cnVjdCB1c2JfbGluZTYg KmxpCiAJCXJldCA9IHVzYl9jb250cm9sX21zZyh1c2JkZXYsIHVzYl9yY3ZjdHJscGlwZSh1c2Jk ZXYsIDApLCAweDY3LAogCQkJCSAgICAgIFVTQl9UWVBFX1ZFTkRPUiB8IFVTQl9SRUNJUF9ERVZJ Q0UgfAogCQkJCSAgICAgIFVTQl9ESVJfSU4sCi0JCQkJICAgICAgMHgwMDEyLCAweDAwMDAsICZs ZW4sIDEsCisJCQkJICAgICAgMHgwMDEyLCAweDAwMDAsIGxlbiwgMSwKIAkJCQkgICAgICBMSU5F Nl9USU1FT1VUICogSFopOwogCQlpZiAocmV0IDwgMCkgewogCQkJZGV2X2VycihsaW5lNi0+aWZj ZGV2LAogCQkJCSJyZWNlaXZlIGxlbmd0aCBmYWlsZWQgKGVycm9yICVkKVxuIiwgcmV0KTsKLQkJ CXJldHVybiByZXQ7CisJCQlnb3RvIGV4aXQ7CiAJCX0KIAotCQlpZiAobGVuICE9IDB4ZmYpCisJ CWlmICgqbGVuICE9IDB4ZmYpCiAJCQlicmVhazsKIAl9CiAKLQlpZiAobGVuID09IDB4ZmYpIHsK KwlyZXQgPSAtRUlPOworCWlmICgqbGVuID09IDB4ZmYpIHsKIAkJZGV2X2VycihsaW5lNi0+aWZj ZGV2LCAicmVhZCBmYWlsZWQgYWZ0ZXIgJWQgcmV0cmllc1xuIiwKIAkJCWNvdW50KTsKLQkJcmV0 dXJuIC1FSU87Ci0JfSBlbHNlIGlmIChsZW4gIT0gZGF0YWxlbikgeworCQlnb3RvIGV4aXQ7CisJ fSBlbHNlIGlmICgqbGVuICE9IGRhdGFsZW4pIHsKIAkJLyogc2hvdWxkIGJlIGVxdWFsIG9yIHNv bWV0aGluZyB3ZW50IHdyb25nICovCiAJCWRldl9lcnIobGluZTYtPmlmY2RldiwKIAkJCSJsZW5n dGggbWlzbWF0Y2ggKGV4cGVjdGVkICVkLCBnb3QgJWQpXG4iLAotCQkJKGludClkYXRhbGVuLCAo aW50KWxlbik7Ci0JCXJldHVybiAtRUlPOworCQkJKGludClkYXRhbGVuLCAoaW50KSpsZW4pOwor CQlnb3RvIGV4aXQ7CiAJfQogCiAJLyogcmVjZWl2ZSB0aGUgcmVzdWx0OiAqLwpAQCAtNDA1LDEy ICs0MTAsMTIgQEAgaW50IGxpbmU2X3JlYWRfZGF0YShzdHJ1Y3QgdXNiX2xpbmU2ICpsaQogCQkJ ICAgICAgMHgwMDEzLCAweDAwMDAsIGRhdGEsIGRhdGFsZW4sCiAJCQkgICAgICBMSU5FNl9USU1F T1VUICogSFopOwogCi0JaWYgKHJldCA8IDApIHsKKwlpZiAocmV0IDwgMCkKIAkJZGV2X2Vycihs aW5lNi0+aWZjZGV2LCAicmVhZCBmYWlsZWQgKGVycm9yICVkKVxuIiwgcmV0KTsKLQkJcmV0dXJu IHJldDsKLQl9CiAKLQlyZXR1cm4gMDsKK2V4aXQ6CisJa2ZyZWUobGVuKTsKKwlyZXR1cm4gcmV0 OwogfQogRVhQT1JUX1NZTUJPTF9HUEwobGluZTZfcmVhZF9kYXRhKTsKIApAQCAtNDIyLDEyICs0 MjcsMTYgQEAgaW50IGxpbmU2X3dyaXRlX2RhdGEoc3RydWN0IHVzYl9saW5lNiAqbAogewogCXN0 cnVjdCB1c2JfZGV2aWNlICp1c2JkZXYgPSBsaW5lNi0+dXNiZGV2OwogCWludCByZXQ7Ci0JdW5z aWduZWQgY2hhciBzdGF0dXM7CisJdW5zaWduZWQgY2hhciAqc3RhdHVzOwogCWludCBjb3VudDsK IAogCWlmIChhZGRyZXNzID4gMHhmZmZmIHx8IGRhdGFsZW4gPiAweGZmZmYpCiAJCXJldHVybiAt RUlOVkFMOwogCisJc3RhdHVzID0ga21hbGxvYyhzaXplb2YoKnN0YXR1cyksIEdGUF9LRVJORUwp OworCWlmICghc3RhdHVzKQorCQlyZXR1cm4gLUVOT01FTTsKKwogCXJldCA9IHVzYl9jb250cm9s X21zZyh1c2JkZXYsIHVzYl9zbmRjdHJscGlwZSh1c2JkZXYsIDApLCAweDY3LAogCQkJICAgICAg VVNCX1RZUEVfVkVORE9SIHwgVVNCX1JFQ0lQX0RFVklDRSB8IFVTQl9ESVJfT1VULAogCQkJICAg ICAgMHgwMDIyLCBhZGRyZXNzLCBkYXRhLCBkYXRhbGVuLApAQCAtNDM2LDcgKzQ0NSw3IEBAIGlu dCBsaW5lNl93cml0ZV9kYXRhKHN0cnVjdCB1c2JfbGluZTYgKmwKIAlpZiAocmV0IDwgMCkgewog CQlkZXZfZXJyKGxpbmU2LT5pZmNkZXYsCiAJCQkid3JpdGUgcmVxdWVzdCBmYWlsZWQgKGVycm9y ICVkKVxuIiwgcmV0KTsKLQkJcmV0dXJuIHJldDsKKwkJZ290byBleGl0OwogCX0KIAogCWZvciAo Y291bnQgPSAwOyBjb3VudCA8IExJTkU2X1JFQURfV1JJVEVfTUFYX1JFVFJJRVM7IGNvdW50Kysp IHsKQEAgLTQ0NywyOCArNDU2LDI5IEBAIGludCBsaW5lNl93cml0ZV9kYXRhKHN0cnVjdCB1c2Jf bGluZTYgKmwKIAkJCQkgICAgICBVU0JfVFlQRV9WRU5ET1IgfCBVU0JfUkVDSVBfREVWSUNFIHwK IAkJCQkgICAgICBVU0JfRElSX0lOLAogCQkJCSAgICAgIDB4MDAxMiwgMHgwMDAwLAotCQkJCSAg ICAgICZzdGF0dXMsIDEsIExJTkU2X1RJTUVPVVQgKiBIWik7CisJCQkJICAgICAgc3RhdHVzLCAx LCBMSU5FNl9USU1FT1VUICogSFopOwogCiAJCWlmIChyZXQgPCAwKSB7CiAJCQlkZXZfZXJyKGxp bmU2LT5pZmNkZXYsCiAJCQkJInJlY2VpdmluZyBzdGF0dXMgZmFpbGVkIChlcnJvciAlZClcbiIs IHJldCk7Ci0JCQlyZXR1cm4gcmV0OworCQkJZ290byBleGl0OwogCQl9CiAKLQkJaWYgKHN0YXR1 cyAhPSAweGZmKQorCQlpZiAoKnN0YXR1cyAhPSAweGZmKQogCQkJYnJlYWs7CiAJfQogCi0JaWYg KHN0YXR1cyA9PSAweGZmKSB7CisJaWYgKCpzdGF0dXMgPT0gMHhmZikgewogCQlkZXZfZXJyKGxp bmU2LT5pZmNkZXYsICJ3cml0ZSBmYWlsZWQgYWZ0ZXIgJWQgcmV0cmllc1xuIiwKIAkJCWNvdW50 KTsKLQkJcmV0dXJuIC1FSU87Ci0JfSBlbHNlIGlmIChzdGF0dXMgIT0gMCkgeworCQlyZXQgPSAt RUlPOworCX0gZWxzZSBpZiAoKnN0YXR1cyAhPSAwKSB7CiAJCWRldl9lcnIobGluZTYtPmlmY2Rl diwgIndyaXRlIGZhaWxlZCAoZXJyb3IgJWQpXG4iLCByZXQpOwotCQlyZXR1cm4gLUVJTzsKKwkJ cmV0ID0gLUVJTzsKIAl9Ci0KLQlyZXR1cm4gMDsKK2V4aXQ6CisJa2ZyZWUoc3RhdHVzKTsKKwly ZXR1cm4gcmV0OwogfQogRVhQT1JUX1NZTUJPTF9HUEwobGluZTZfd3JpdGVfZGF0YSk7CiAKLS0t IGEvc291bmQvdXNiL2xpbmU2L3BvZGhkLmMKKysrIGIvc291bmQvdXNiL2xpbmU2L3BvZGhkLmMK QEAgLTIyNSwyOCArMjI1LDMyIEBAIHN0YXRpYyB2b2lkIHBvZGhkX3N0YXJ0dXBfc3RhcnRfd29y a3F1ZXUKIHN0YXRpYyBpbnQgcG9kaGRfZGV2X3N0YXJ0KHN0cnVjdCB1c2JfbGluZTZfcG9kaGQg KnBvZCkKIHsKIAlpbnQgcmV0OwotCXU4IGluaXRfYnl0ZXNbOF07CisJdTggKmluaXRfYnl0ZXM7 CiAJaW50IGk7CiAJc3RydWN0IHVzYl9kZXZpY2UgKnVzYmRldiA9IHBvZC0+bGluZTYudXNiZGV2 OwogCisJaW5pdF9ieXRlcyA9IGttYWxsb2MoOCwgR0ZQX0tFUk5FTCk7CisJaWYgKCFpbml0X2J5 dGVzKQorCQlyZXR1cm4gLUVOT01FTTsKKwogCXJldCA9IHVzYl9jb250cm9sX21zZyh1c2JkZXYs IHVzYl9zbmRjdHJscGlwZSh1c2JkZXYsIDApLAogCQkJCQkweDY3LCBVU0JfVFlQRV9WRU5ET1Ig fCBVU0JfUkVDSVBfREVWSUNFIHwgVVNCX0RJUl9PVVQsCiAJCQkJCTB4MTEsIDAsCiAJCQkJCU5V TEwsIDAsIExJTkU2X1RJTUVPVVQgKiBIWik7CiAJaWYgKHJldCA8IDApIHsKIAkJZGV2X2Vycihw b2QtPmxpbmU2LmlmY2RldiwgInJlYWQgcmVxdWVzdCBmYWlsZWQgKGVycm9yICVkKVxuIiwgcmV0 KTsKLQkJcmV0dXJuIHJldDsKKwkJZ290byBleGl0OwogCX0KIAogCS8qIE5PVEU6IGxvb2tzIGxp a2Ugc29tZSBraW5kIG9mIHBpbmcgbWVzc2FnZSAqLwogCXJldCA9IHVzYl9jb250cm9sX21zZyh1 c2JkZXYsIHVzYl9yY3ZjdHJscGlwZSh1c2JkZXYsIDApLCAweDY3LAogCQkJCQlVU0JfVFlQRV9W RU5ET1IgfCBVU0JfUkVDSVBfREVWSUNFIHwgVVNCX0RJUl9JTiwKIAkJCQkJMHgxMSwgMHgwLAot CQkJCQkmaW5pdF9ieXRlcywgMywgTElORTZfVElNRU9VVCAqIEhaKTsKKwkJCQkJaW5pdF9ieXRl cywgMywgTElORTZfVElNRU9VVCAqIEhaKTsKIAlpZiAocmV0IDwgMCkgewogCQlkZXZfZXJyKHBv ZC0+bGluZTYuaWZjZGV2LAogCQkJInJlY2VpdmUgbGVuZ3RoIGZhaWxlZCAoZXJyb3IgJWQpXG4i LCByZXQpOwotCQlyZXR1cm4gcmV0OworCQlnb3RvIGV4aXQ7CiAJfQogCiAJcG9kLT5maXJtd2Fy ZV92ZXJzaW9uID0KQEAgLTI1NSw3ICsyNTksNyBAQCBzdGF0aWMgaW50IHBvZGhkX2Rldl9zdGFy dChzdHJ1Y3QgdXNiX2xpCiAJZm9yIChpID0gMDsgaSA8PSAxNjsgaSsrKSB7CiAJCXJldCA9IGxp bmU2X3JlYWRfZGF0YSgmcG9kLT5saW5lNiwgMHhmMDAwICsgMHgwOCAqIGksIGluaXRfYnl0ZXMs IDgpOwogCQlpZiAocmV0IDwgMCkKLQkJCXJldHVybiByZXQ7CisJCQlnb3RvIGV4aXQ7CiAJfQog CiAJcmV0ID0gdXNiX2NvbnRyb2xfbXNnKHVzYmRldiwgdXNiX3NuZGN0cmxwaXBlKHVzYmRldiwg MCksCkBAIC0yNjMsMTAgKzI2Nyw5IEBAIHN0YXRpYyBpbnQgcG9kaGRfZGV2X3N0YXJ0KHN0cnVj dCB1c2JfbGkKIAkJCQkJVVNCX1RZUEVfU1RBTkRBUkQgfCBVU0JfUkVDSVBfREVWSUNFIHwgVVNC X0RJUl9PVVQsCiAJCQkJCTEsIDAsCiAJCQkJCU5VTEwsIDAsIExJTkU2X1RJTUVPVVQgKiBIWik7 Ci0JaWYgKHJldCA8IDApCi0JCXJldHVybiByZXQ7Ci0KLQlyZXR1cm4gMDsKK2V4aXQ6CisJa2Zy ZWUoaW5pdF9ieXRlcyk7CisJcmV0dXJuIHJldDsKIH0KIAogc3RhdGljIHZvaWQgcG9kaGRfc3Rh cnR1cF93b3JrcXVldWUoc3RydWN0IHdvcmtfc3RydWN0ICp3b3JrKQotLS0gYS9zb3VuZC91c2Iv bGluZTYvdG9uZXBvcnQuYworKysgYi9zb3VuZC91c2IvbGluZTYvdG9uZXBvcnQuYwpAQCAtMzY1 LDE2ICszNjUsMjEgQEAgc3RhdGljIGJvb2wgdG9uZXBvcnRfaGFzX3NvdXJjZV9zZWxlY3Qocwog LyoKIAlTZXR1cCBUb25lcG9ydCBkZXZpY2UuCiAqLwotc3RhdGljIHZvaWQgdG9uZXBvcnRfc2V0 dXAoc3RydWN0IHVzYl9saW5lNl90b25lcG9ydCAqdG9uZXBvcnQpCitzdGF0aWMgaW50IHRvbmVw b3J0X3NldHVwKHN0cnVjdCB1c2JfbGluZTZfdG9uZXBvcnQgKnRvbmVwb3J0KQogewotCXUzMiB0 aWNrczsKKwl1MzIgKnRpY2tzOwogCXN0cnVjdCB1c2JfbGluZTYgKmxpbmU2ID0gJnRvbmVwb3J0 LT5saW5lNjsKIAlzdHJ1Y3QgdXNiX2RldmljZSAqdXNiZGV2ID0gbGluZTYtPnVzYmRldjsKIAor CXRpY2tzID0ga21hbGxvYyhzaXplb2YoKnRpY2tzKSwgR0ZQX0tFUk5FTCk7CisJaWYgKCF0aWNr cykKKwkJcmV0dXJuIC1FTk9NRU07CisKIAkvKiBzeW5jIHRpbWUgb24gZGV2aWNlIHdpdGggaG9z dDogKi8KIAkvKiBub3RlOiAzMi1iaXQgdGltZXN0YW1wcyBvdmVyZmxvdyBpbiB5ZWFyIDIxMDYg Ki8KLQl0aWNrcyA9ICh1MzIpa3RpbWVfZ2V0X3JlYWxfc2Vjb25kcygpOwotCWxpbmU2X3dyaXRl X2RhdGEobGluZTYsIDB4ODBjNiwgJnRpY2tzLCA0KTsKKwkqdGlja3MgPSAodTMyKWt0aW1lX2dl dF9yZWFsX3NlY29uZHMoKTsKKwlsaW5lNl93cml0ZV9kYXRhKGxpbmU2LCAweDgwYzYsIHRpY2tz LCA0KTsKKwlrZnJlZSh0aWNrcyk7CiAKIAkvKiBlbmFibGUgZGV2aWNlOiAqLwogCXRvbmVwb3J0 X3NlbmRfY21kKHVzYmRldiwgMHgwMzAxLCAweDAwMDApOwpAQCAtNDUxLDcgKzQ1Niw5IEBAIHN0 YXRpYyBpbnQgdG9uZXBvcnRfaW5pdChzdHJ1Y3QgdXNiX2xpbmUKIAkJCXJldHVybiBlcnI7CiAJ fQogCi0JdG9uZXBvcnRfc2V0dXAodG9uZXBvcnQpOworCWVyciA9IHRvbmVwb3J0X3NldHVwKHRv bmVwb3J0KTsKKwlpZiAoZXJyKQorCQlyZXR1cm4gZXJyOwogCiAJLyogcmVnaXN0ZXIgYXVkaW8g c3lzdGVtOiAqLwogCXJldHVybiBzbmRfY2FyZF9yZWdpc3RlcihsaW5lNi0+Y2FyZCk7CkBAIC00 NjMsNyArNDcwLDExIEBAIHN0YXRpYyBpbnQgdG9uZXBvcnRfaW5pdChzdHJ1Y3QgdXNiX2xpbmUK ICovCiBzdGF0aWMgaW50IHRvbmVwb3J0X3Jlc2V0X3Jlc3VtZShzdHJ1Y3QgdXNiX2ludGVyZmFj ZSAqaW50ZXJmYWNlKQogewotCXRvbmVwb3J0X3NldHVwKHVzYl9nZXRfaW50ZmRhdGEoaW50ZXJm YWNlKSk7CisJaW50IGVycjsKKworCWVyciA9IHRvbmVwb3J0X3NldHVwKHVzYl9nZXRfaW50ZmRh dGEoaW50ZXJmYWNlKSk7CisJaWYgKGVycikKKwkJcmV0dXJuIGVycjsKIAlyZXR1cm4gbGluZTZf cmVzdW1lKGludGVyZmFjZSk7CiB9CiAjZW5kaWYK From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.4 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_PASS, T_DKIMWL_WL_HIGH,URIBL_BLOCKED,USER_AGENT_MUTT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id BC190C43219 for ; Sat, 27 Apr 2019 18:42:49 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 76C0B2077B for ; Sat, 27 Apr 2019 18:42:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1556390569; bh=7NMLdWoxtqzcp0l7l4+pUVrqawmbID1jO3l4m0VehDY=; h=Date:From:To:Cc:Subject:References:In-Reply-To:List-ID:From; b=Hwv+lbsmsokhzRXLnMjWX0B427AIPrasPtzI9tv/iimrV1TSF2uY1RHY94i10/8fN Bh3fopHmVrwYw6W2MjNUf8sn3yICQ61UWaopdBSPK9iLIcEWrfMOoJS5PzNwHGh+rn qah4n18EpIYvmWhRhA3kebLnqGgmx03BS18gel7g= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726374AbfD0Sms (ORCPT ); Sat, 27 Apr 2019 14:42:48 -0400 Received: from mail.kernel.org ([198.145.29.99]:49582 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725942AbfD0Sms (ORCPT ); Sat, 27 Apr 2019 14:42:48 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id BBE252077B; Sat, 27 Apr 2019 18:42:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1556390567; bh=7NMLdWoxtqzcp0l7l4+pUVrqawmbID1jO3l4m0VehDY=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=0kyEzuTZH763NNi85kGRLH/8X3103Eoyvc89OjOrGzjDnXP4cwv7VYdF3ftagbCSJ vUbEFyfZ5ixEzHG149j9RsKEFFwQmhCKITMw8SPKu+gm/DbsgvwQjLgP4R5/6ca9wZ 9xkiQzz+0AlOQkXxeGnnlhy33b6Kl3jeUOg5Rjhc= Date: Sat, 27 Apr 2019 20:42:45 +0200 From: Greg KH To: Alan Stern Cc: Christo Gouws , linux-usb@vger.kernel.org Subject: Re: Line6 podstudio UX1 - driver crash on usb_hcd_map_urb_for_dma Message-ID: <20190427184244.GB5213@kroah.com> References: <20190427070136.GE28250@kroah.com> <20190427180728.GA3200@kroah.com> <20190427182432.GA5213@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline In-Reply-To: <20190427182432.GA5213@kroah.com> User-Agent: Mutt/1.11.4 (2019-03-13) Sender: linux-usb-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org Message-ID: <20190427184245.b5pPRoPuiGqqjKh4zYvU_XaJsQV5MQT5DsiTIaoIgx0@z> On Sat, Apr 27, 2019 at 08:24:32PM +0200, Greg KH wrote: > On Sat, Apr 27, 2019 at 08:07:28PM +0200, Greg KH wrote: > > On Sat, Apr 27, 2019 at 11:34:03AM -0400, Alan Stern wrote: > > > On Sat, 27 Apr 2019, Greg KH wrote: > > > > > > > On Fri, Apr 26, 2019 at 11:50:14AM +0200, Christo Gouws wrote: > > > > > Hi, > > > > > > > > > > I have a Line6 Pod Studio UX1 card, but each time I plug it in, I get > > > > > the following crash in dmesg on Ubuntu 18.04 > > > > > Linux my-pc 4.20.8-042008-generic #201902121544 SMP Tue Feb 12 > > > > > 20:46:50 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux > > > > > > > > > > I've also tested this with a Fedora 30 v5.0.6-300 kernel, but still > > > > > seems to happen (using liveCD). > > > > > > > > > > > > > > > The output on the card seems to work, but none of the inputs work. > > > > > > > > > > I've also now tested with latest kernel available on Arch Linux > > > > > Linux my-pc 5.0.9-arch1-1-ARCH #1 SMP PREEMPT Sat Apr 20 15:00:46 UTC > > > > > 2019 x86_64 GNU/Linux > > > > > > > > > > After some further testing, I found that this issue cropped in beween > > > > > v4.8.17 and v4.9-rc1. > > > > > > > > > > v4.8.17 - Works fine. > > > > > v4.9-rc1+ - Produces crash > > > > > > > > Any chance you can use 'git bisect' to find the exact commit that caused > > > > the failure? > > > > > > No need. The bug is in line6_read_data() in sound/usb/line6/driver.c. > > > That routine passes an invalid buffer to usb_control_message(). > > > Instead it should allocate its own buffer for the USB transfer and then > > > copy the value to the caller's buffer. > > > > > > There is a similar problem in line6_write_data(). Furthermore, both > > > routines do DMA to/from a buffer on the stack. > > > > I have an old patch in my local tree for the dma buffer on the stack > > issue, it's below. I should clean it up and send it correctly one of > > these days :) > > But, in reading your response, it doesn't fix the reported issue here. > Let me go audit the whole driver and fix it up and add it to my original > patch... Ok, here's a patch that should be "complete". Christo, can you test this out and let us know if it fixes the issue for you or not? thanks, greg k-h --------------- >From e2c743d1f900135c3e560cd9ea1647e4a1ebce7a Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 23 Jan 2019 11:01:46 +0100 Subject: [PATCH] sound: USB: line6: use dynamic buffers The line6 driver uses a lot of USB buffers off of the stack, which is not allowed on many systems. Fix this up by dynamically allocating the buffers with kmalloc() which allows for proper DMA-able memory. Signed-off-by: Greg Kroah-Hartman Cc: stable --- sound/usb/line6/driver.c | 60 ++++++++++++++++++++++++++------------------- sound/usb/line6/podhd.c | 21 +++++++++------ sound/usb/line6/toneport.c | 23 ++++++++++++----- 3 files changed, 64 insertions(+), 40 deletions(-) --- a/sound/usb/line6/driver.c +++ b/sound/usb/line6/driver.c @@ -351,12 +351,16 @@ int line6_read_data(struct usb_line6 *li { struct usb_device *usbdev = line6->usbdev; int ret; - unsigned char len; + unsigned char *len; unsigned count; if (address > 0xffff || datalen > 0xff) return -EINVAL; + len = kmalloc(sizeof(*len), GFP_KERNEL); + if (!len) + return -ENOMEM; + /* query the serial number: */ ret = usb_control_msg(usbdev, usb_sndctrlpipe(usbdev, 0), 0x67, USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT, @@ -365,7 +369,7 @@ int line6_read_data(struct usb_line6 *li if (ret < 0) { dev_err(line6->ifcdev, "read request failed (error %d)\n", ret); - return ret; + goto exit; } /* Wait for data length. We'll get 0xff until length arrives. */ @@ -375,28 +379,29 @@ int line6_read_data(struct usb_line6 *li ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0), 0x67, USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN, - 0x0012, 0x0000, &len, 1, + 0x0012, 0x0000, len, 1, LINE6_TIMEOUT * HZ); if (ret < 0) { dev_err(line6->ifcdev, "receive length failed (error %d)\n", ret); - return ret; + goto exit; } - if (len != 0xff) + if (*len != 0xff) break; } - if (len == 0xff) { + ret = -EIO; + if (*len == 0xff) { dev_err(line6->ifcdev, "read failed after %d retries\n", count); - return -EIO; - } else if (len != datalen) { + goto exit; + } else if (*len != datalen) { /* should be equal or something went wrong */ dev_err(line6->ifcdev, "length mismatch (expected %d, got %d)\n", - (int)datalen, (int)len); - return -EIO; + (int)datalen, (int)*len); + goto exit; } /* receive the result: */ @@ -405,12 +410,12 @@ int line6_read_data(struct usb_line6 *li 0x0013, 0x0000, data, datalen, LINE6_TIMEOUT * HZ); - if (ret < 0) { + if (ret < 0) dev_err(line6->ifcdev, "read failed (error %d)\n", ret); - return ret; - } - return 0; +exit: + kfree(len); + return ret; } EXPORT_SYMBOL_GPL(line6_read_data); @@ -422,12 +427,16 @@ int line6_write_data(struct usb_line6 *l { struct usb_device *usbdev = line6->usbdev; int ret; - unsigned char status; + unsigned char *status; int count; if (address > 0xffff || datalen > 0xffff) return -EINVAL; + status = kmalloc(sizeof(*status), GFP_KERNEL); + if (!status) + return -ENOMEM; + ret = usb_control_msg(usbdev, usb_sndctrlpipe(usbdev, 0), 0x67, USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT, 0x0022, address, data, datalen, @@ -436,7 +445,7 @@ int line6_write_data(struct usb_line6 *l if (ret < 0) { dev_err(line6->ifcdev, "write request failed (error %d)\n", ret); - return ret; + goto exit; } for (count = 0; count < LINE6_READ_WRITE_MAX_RETRIES; count++) { @@ -447,28 +456,29 @@ int line6_write_data(struct usb_line6 *l USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN, 0x0012, 0x0000, - &status, 1, LINE6_TIMEOUT * HZ); + status, 1, LINE6_TIMEOUT * HZ); if (ret < 0) { dev_err(line6->ifcdev, "receiving status failed (error %d)\n", ret); - return ret; + goto exit; } - if (status != 0xff) + if (*status != 0xff) break; } - if (status == 0xff) { + if (*status == 0xff) { dev_err(line6->ifcdev, "write failed after %d retries\n", count); - return -EIO; - } else if (status != 0) { + ret = -EIO; + } else if (*status != 0) { dev_err(line6->ifcdev, "write failed (error %d)\n", ret); - return -EIO; + ret = -EIO; } - - return 0; +exit: + kfree(status); + return ret; } EXPORT_SYMBOL_GPL(line6_write_data); --- a/sound/usb/line6/podhd.c +++ b/sound/usb/line6/podhd.c @@ -225,28 +225,32 @@ static void podhd_startup_start_workqueu static int podhd_dev_start(struct usb_line6_podhd *pod) { int ret; - u8 init_bytes[8]; + u8 *init_bytes; int i; struct usb_device *usbdev = pod->line6.usbdev; + init_bytes = kmalloc(8, GFP_KERNEL); + if (!init_bytes) + return -ENOMEM; + ret = usb_control_msg(usbdev, usb_sndctrlpipe(usbdev, 0), 0x67, USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT, 0x11, 0, NULL, 0, LINE6_TIMEOUT * HZ); if (ret < 0) { dev_err(pod->line6.ifcdev, "read request failed (error %d)\n", ret); - return ret; + goto exit; } /* NOTE: looks like some kind of ping message */ ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0), 0x67, USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN, 0x11, 0x0, - &init_bytes, 3, LINE6_TIMEOUT * HZ); + init_bytes, 3, LINE6_TIMEOUT * HZ); if (ret < 0) { dev_err(pod->line6.ifcdev, "receive length failed (error %d)\n", ret); - return ret; + goto exit; } pod->firmware_version = @@ -255,7 +259,7 @@ static int podhd_dev_start(struct usb_li for (i = 0; i <= 16; i++) { ret = line6_read_data(&pod->line6, 0xf000 + 0x08 * i, init_bytes, 8); if (ret < 0) - return ret; + goto exit; } ret = usb_control_msg(usbdev, usb_sndctrlpipe(usbdev, 0), @@ -263,10 +267,9 @@ static int podhd_dev_start(struct usb_li USB_TYPE_STANDARD | USB_RECIP_DEVICE | USB_DIR_OUT, 1, 0, NULL, 0, LINE6_TIMEOUT * HZ); - if (ret < 0) - return ret; - - return 0; +exit: + kfree(init_bytes); + return ret; } static void podhd_startup_workqueue(struct work_struct *work) --- a/sound/usb/line6/toneport.c +++ b/sound/usb/line6/toneport.c @@ -365,16 +365,21 @@ static bool toneport_has_source_select(s /* Setup Toneport device. */ -static void toneport_setup(struct usb_line6_toneport *toneport) +static int toneport_setup(struct usb_line6_toneport *toneport) { - u32 ticks; + u32 *ticks; struct usb_line6 *line6 = &toneport->line6; struct usb_device *usbdev = line6->usbdev; + ticks = kmalloc(sizeof(*ticks), GFP_KERNEL); + if (!ticks) + return -ENOMEM; + /* sync time on device with host: */ /* note: 32-bit timestamps overflow in year 2106 */ - ticks = (u32)ktime_get_real_seconds(); - line6_write_data(line6, 0x80c6, &ticks, 4); + *ticks = (u32)ktime_get_real_seconds(); + line6_write_data(line6, 0x80c6, ticks, 4); + kfree(ticks); /* enable device: */ toneport_send_cmd(usbdev, 0x0301, 0x0000); @@ -451,7 +456,9 @@ static int toneport_init(struct usb_line return err; } - toneport_setup(toneport); + err = toneport_setup(toneport); + if (err) + return err; /* register audio system: */ return snd_card_register(line6->card); @@ -463,7 +470,11 @@ static int toneport_init(struct usb_line */ static int toneport_reset_resume(struct usb_interface *interface) { - toneport_setup(usb_get_intfdata(interface)); + int err; + + err = toneport_setup(usb_get_intfdata(interface)); + if (err) + return err; return line6_resume(interface); } #endif