Commit b03a7e3f authored by Takashi Iwai's avatar Takashi Iwai Committed by Yu Kuai
Browse files

ALSA: caiaq: Use snd_card_free_when_closed() at disconnection 

stable inclusion
from stable-v4.19.325
commit 3993edf44d3df7b6e8c753eac6ac8783473fcbab
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAFS
CVE: CVE-2024-56531

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3993edf44d3df7b6e8c753eac6ac8783473fcbab



--------------------------------

[ Upstream commit b04dcbb7f7b1908806b7dc22671cdbe78ff2b82c ]

The USB disconnect callback is supposed to be short and not too-long
waiting.  OTOH, the current code uses snd_card_free() at
disconnection, but this waits for the close of all used fds, hence it
can take long.  It eventually blocks the upper layer USB ioctls, which
may trigger a soft lockup.

An easy workaround is to replace snd_card_free() with
snd_card_free_when_closed().  This variant returns immediately while
the release of resources is done asynchronously by the card device
release at the last close.

This patch also splits the code to the disconnect and the free phases;
the former is called immediately at the USB disconnect callback while
the latter is called from the card destructor.

Fixes: 523f1dce ("[ALSA] Add Native Instrument usb audio device support")
Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20241113111042.15058-5-tiwai@suse.de


Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarYu Kuai <yukuai3@huawei.com>
Reviewed-by: default avatarYang Erkun <yangerkun@huawei.com>
parent 21eb7b92

sound/usb/caiaq/audio.c

+8 −2
Original line number Diff line number Diff line
@@ -890,14 +890,20 @@ int snd_usb_caiaq_audio_init(struct snd_usb_caiaqdev *cdev) 
	return 0;

}



void snd_usb_caiaq_audio_free(struct snd_usb_caiaqdev *cdev)

void snd_usb_caiaq_audio_disconnect(struct snd_usb_caiaqdev *cdev)

{

	struct device *dev = caiaqdev_to_dev(cdev);



	dev_dbg(dev, "%s(%p)\n", __func__, cdev);

	stream_stop(cdev);

}



void snd_usb_caiaq_audio_free(struct snd_usb_caiaqdev *cdev)

{

	struct device *dev = caiaqdev_to_dev(cdev);



	dev_dbg(dev, "%s(%p)\n", __func__, cdev);

	free_urbs(cdev->data_urbs_in);

	free_urbs(cdev->data_urbs_out);

	kfree(cdev->data_cb_info);

}

sound/usb/caiaq/audio.h

+1 −0
Original line number Diff line number Diff line
@@ -3,6 +3,7 @@ 
#define CAIAQ_AUDIO_H



int snd_usb_caiaq_audio_init(struct snd_usb_caiaqdev *cdev);

void snd_usb_caiaq_audio_disconnect(struct snd_usb_caiaqdev *cdev);

void snd_usb_caiaq_audio_free(struct snd_usb_caiaqdev *cdev);



#endif /* CAIAQ_AUDIO_H */

sound/usb/caiaq/device.c

+15 −4
Original line number Diff line number Diff line
@@ -402,6 +402,17 @@ static void setup_card(struct snd_usb_caiaqdev *cdev) 
		dev_err(dev, "Unable to set up control system (ret=%d)\n", ret);

}



static void card_free(struct snd_card *card)

{

	struct snd_usb_caiaqdev *cdev = caiaqdev(card);



#ifdef CONFIG_SND_USB_CAIAQ_INPUT

	snd_usb_caiaq_input_free(cdev);

#endif

	snd_usb_caiaq_audio_free(cdev);

	usb_reset_device(cdev->chip.dev);

}



static int create_card(struct usb_device *usb_dev,

		       struct usb_interface *intf,

		       struct snd_card **cardp)
@@ -515,6 +526,7 @@ static int init_card(struct snd_usb_caiaqdev *cdev) 
		       cdev->vendor_name, cdev->product_name, usbpath);



	setup_card(cdev);

	card->private_free = card_free;

	return 0;



 err_kill_urb:
@@ -560,15 +572,14 @@ static void snd_disconnect(struct usb_interface *intf) 
	snd_card_disconnect(card);



#ifdef CONFIG_SND_USB_CAIAQ_INPUT

	snd_usb_caiaq_input_free(cdev);

	snd_usb_caiaq_input_disconnect(cdev);

#endif

	snd_usb_caiaq_audio_free(cdev);

	snd_usb_caiaq_audio_disconnect(cdev);



	usb_kill_urb(&cdev->ep1_in_urb);

	usb_kill_urb(&cdev->midi_out_urb);



	snd_card_free(card);

	usb_reset_device(interface_to_usbdev(intf));

	snd_card_free_when_closed(card);

}

sound/usb/caiaq/input.c

+9 −3
Original line number Diff line number Diff line
@@ -841,15 +841,21 @@ int snd_usb_caiaq_input_init(struct snd_usb_caiaqdev *cdev) 
	return ret;

}



void snd_usb_caiaq_input_free(struct snd_usb_caiaqdev *cdev)

void snd_usb_caiaq_input_disconnect(struct snd_usb_caiaqdev *cdev)

{

	if (!cdev || !cdev->input_dev)

		return;



	usb_kill_urb(cdev->ep4_in_urb);

	input_unregister_device(cdev->input_dev);

}



void snd_usb_caiaq_input_free(struct snd_usb_caiaqdev *cdev)

{

	if (!cdev || !cdev->input_dev)

		return;



	usb_free_urb(cdev->ep4_in_urb);

	cdev->ep4_in_urb = NULL;



	input_unregister_device(cdev->input_dev);

	cdev->input_dev = NULL;

}

sound/usb/caiaq/input.h

+1 −0
Original line number Diff line number Diff line
@@ -4,6 +4,7 @@ 


void snd_usb_caiaq_input_dispatch(struct snd_usb_caiaqdev *cdev, char *buf, unsigned int len);

int snd_usb_caiaq_input_init(struct snd_usb_caiaqdev *cdev);

void snd_usb_caiaq_input_disconnect(struct snd_usb_caiaqdev *cdev);

void snd_usb_caiaq_input_free(struct snd_usb_caiaqdev *cdev);



#endif