From patchwork Sat Feb 21 14:54:57 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Takashi Sakamoto <o-takashi@sakamocchi.jp>
X-Patchwork-Id: 5859741
Return-Path: <alsa-devel-bounces@alsa-project.org>
X-Original-To: patchwork-alsa-devel@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork2.web.kernel.org (Postfix) with ESMTP id 4F5D7BF440
	for <patchwork-alsa-devel@patchwork.kernel.org>;
	Sat, 21 Feb 2015 14:57:19 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 2CCA820544
	for <patchwork-alsa-devel@patchwork.kernel.org>;
	Sat, 21 Feb 2015 14:57:18 +0000 (UTC)
Received: from alsa0.perex.cz (alsa0.perex.cz [77.48.224.243])
	by mail.kernel.org (Postfix) with ESMTP id C45822053A
	for <patchwork-alsa-devel@patchwork.kernel.org>;
	Sat, 21 Feb 2015 14:57:16 +0000 (UTC)
Received: by alsa0.perex.cz (Postfix, from userid 1000)
	id 0C58626512F; Sat, 21 Feb 2015 15:57:06 +0100 (CET)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, UNPARSEABLE_RELAY
	autolearn=unavailable version=3.3.1
Received: from alsa0.perex.cz (localhost [IPv6:::1])
	by alsa0.perex.cz (Postfix) with ESMTP id 6865B265015;
	Sat, 21 Feb 2015 15:55:19 +0100 (CET)
X-Original-To: alsa-devel@alsa-project.org
Delivered-To: alsa-devel@alsa-project.org
Received: by alsa0.perex.cz (Postfix, from userid 1000)
	id 9BCD7264F2D; Sat, 21 Feb 2015 15:55:13 +0100 (CET)
Received: from smtp310.phy.lolipop.jp (smtp310.phy.lolipop.jp
	[210.157.22.78])
	by alsa0.perex.cz (Postfix) with ESMTP id 9FAAE264F07
	for <alsa-devel@alsa-project.org>;
	Sat, 21 Feb 2015 15:55:04 +0100 (CET)
Received: from smtp310.phy.lolipop.lan (HELO smtp310.phy.lolipop.jp)
	(172.17.1.10)
	(smtp-auth username m12129643-o-takashi, mechanism plain)
	by smtp310.phy.lolipop.jp (qpsmtpd/0.82) with ESMTPA;
	Sat, 21 Feb 2015 23:55:02 +0900
Received: from 127.0.0.1 (127.0.0.1)
	by smtp310.phy.lolipop.jp (LOLIPOP-Fsecure);
	Sat, 21 Feb 2015 23:55:00 +0900 (JST)
X-Virus-Status: clean(LOLIPOP-Fsecure)
From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
To: clemens@ladisch.de,
	tiwai@suse.de
Date: Sat, 21 Feb 2015 23:54:57 +0900
Message-Id: <1424530500-9116-2-git-send-email-o-takashi@sakamocchi.jp>
X-Mailer: git-send-email 2.1.0
In-Reply-To: <1424530500-9116-1-git-send-email-o-takashi@sakamocchi.jp>
References: <1424530500-9116-1-git-send-email-o-takashi@sakamocchi.jp>
Cc: alsa-devel@alsa-project.org, linux1394-devel@lists.sourceforge.net,
	ffado-devel@lists.sf.net
Subject: [alsa-devel] [PATCH 1/4] ALSA: fireworks/bebob/dice/oxfw: add
	reference-counting for FireWire unit
X-BeenThere: alsa-devel@alsa-project.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Alsa-devel mailing list for ALSA developers -
	http://www.alsa-project.org" <alsa-devel.alsa-project.org>
List-Unsubscribe: 
 <http://mailman.alsa-project.org/mailman/options/alsa-devel>,
	<mailto:alsa-devel-request@alsa-project.org?subject=unsubscribe>
List-Archive: <http://mailman.alsa-project.org/pipermail/alsa-devel/>
List-Post: <mailto:alsa-devel@alsa-project.org>
List-Help: <mailto:alsa-devel-request@alsa-project.org?subject=help>
List-Subscribe: <http://mailman.alsa-project.org/mailman/listinfo/alsa-devel>,
	<mailto:alsa-devel-request@alsa-project.org?subject=subscribe>
MIME-Version: 1.0
Errors-To: alsa-devel-bounces@alsa-project.org
Sender: alsa-devel-bounces@alsa-project.org
X-Virus-Scanned: ClamAV using ClamSMTP

Fireworks and Dice drivers try to touch instances of FireWire unit after
sound card object is released, while references to the unit is decremented
in .remove(). When unplugging during streaming, sound card object is
released after .remove(), thus Fireworks and Dice drivers causes GPF or
Null-pointer-dereferencing to application processes because an instance of
FireWire unit was already released.

This commit adds reference-counting for FireWire unit in drivers to allow
them to touch an instance of FireWire unit after .remove(). In most case,
any operations after .remove() may be failed safely.

Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
---
 sound/firewire/bebob/bebob.c         | 12 +++++++++++-
 sound/firewire/dice/dice.c           | 11 ++++++++++-
 sound/firewire/fireworks/fireworks.c | 12 +++++++++++-
 sound/firewire/oxfw/oxfw.c           | 11 ++++++++++-
 4 files changed, 42 insertions(+), 4 deletions(-)

diff --git a/sound/firewire/bebob/bebob.c b/sound/firewire/bebob/bebob.c
index fc19c99..b612599 100644
--- a/sound/firewire/bebob/bebob.c
+++ b/sound/firewire/bebob/bebob.c
@@ -116,11 +116,19 @@ end:
 	return err;
 }
 
+/*
+ * This module releases the FireWire unit data after all ALSA character devices
+ * are released by applications. This is for releasing stream data or finishing
+ * transactions safely. Thus at returning from .remove(), this module still keep
+ * references for the unit.
+ */
 static void
 bebob_card_free(struct snd_card *card)
 {
 	struct snd_bebob *bebob = card->private_data;
 
+	fw_unit_put(bebob->unit);
+
 	if (bebob->card_index >= 0) {
 		mutex_lock(&devices_mutex);
 		clear_bit(bebob->card_index, devices_used);
@@ -205,7 +213,7 @@ bebob_probe(struct fw_unit *unit,
 	card->private_free = bebob_card_free;
 
 	bebob->card = card;
-	bebob->unit = unit;
+	bebob->unit = fw_unit_get(unit);
 	bebob->spec = spec;
 	mutex_init(&bebob->mutex);
 	spin_lock_init(&bebob->lock);
@@ -310,6 +318,8 @@ static void bebob_remove(struct fw_unit *unit)
 
 	snd_bebob_stream_destroy_duplex(bebob);
 	snd_card_disconnect(bebob->card);
+
+	/* No need to wait for releasing card object in this context. */
 	snd_card_free_when_closed(bebob->card);
 }
 
diff --git a/sound/firewire/dice/dice.c b/sound/firewire/dice/dice.c
index 90d8f40..797f072 100644
--- a/sound/firewire/dice/dice.c
+++ b/sound/firewire/dice/dice.c
@@ -226,11 +226,19 @@ static void dice_card_strings(struct snd_dice *dice)
 	strcpy(card->mixername, "DICE");
 }
 
+/*
+ * This module releases the FireWire unit data after all ALSA character devices
+ * are released by applications. This is for releasing stream data or finishing
+ * transactions safely. Thus at returning from .remove(), this module still keep
+ * references for the unit.
+ */
 static void dice_card_free(struct snd_card *card)
 {
 	struct snd_dice *dice = card->private_data;
 
 	snd_dice_transaction_destroy(dice);
+	fw_unit_put(dice->unit);
+
 	mutex_destroy(&dice->mutex);
 }
 
@@ -251,7 +259,7 @@ static int dice_probe(struct fw_unit *unit, const struct ieee1394_device_id *id)
 
 	dice = card->private_data;
 	dice->card = card;
-	dice->unit = unit;
+	dice->unit = fw_unit_get(unit);
 	card->private_free = dice_card_free;
 
 	spin_lock_init(&dice->lock);
@@ -309,6 +317,7 @@ static void dice_remove(struct fw_unit *unit)
 
 	snd_dice_stream_destroy_duplex(dice);
 
+	/* No need to wait for releasing card object in this context. */
 	snd_card_free_when_closed(dice->card);
 }
 
diff --git a/sound/firewire/fireworks/fireworks.c b/sound/firewire/fireworks/fireworks.c
index 3e2ed8e..1e33394 100644
--- a/sound/firewire/fireworks/fireworks.c
+++ b/sound/firewire/fireworks/fireworks.c
@@ -173,11 +173,19 @@ end:
 	return err;
 }
 
+/*
+ * This module releases the FireWire unit data after all ALSA character devices
+ * are released by applications. This is for releasing stream data or finishing
+ * transactions safely. Thus at returning from .remove(), this module still keep
+ * references for the unit.
+ */
 static void
 efw_card_free(struct snd_card *card)
 {
 	struct snd_efw *efw = card->private_data;
 
+	fw_unit_put(efw->unit);
+
 	if (efw->card_index >= 0) {
 		mutex_lock(&devices_mutex);
 		clear_bit(efw->card_index, devices_used);
@@ -218,7 +226,7 @@ efw_probe(struct fw_unit *unit,
 	card->private_free = efw_card_free;
 
 	efw->card = card;
-	efw->unit = unit;
+	efw->unit = fw_unit_get(unit);
 	mutex_init(&efw->mutex);
 	spin_lock_init(&efw->lock);
 	init_waitqueue_head(&efw->hwdep_wait);
@@ -293,6 +301,8 @@ static void efw_remove(struct fw_unit *unit)
 	snd_efw_transaction_remove_instance(efw);
 
 	snd_card_disconnect(efw->card);
+
+	/* No need to wait for releasing card object in this context. */
 	snd_card_free_when_closed(efw->card);
 }
 
diff --git a/sound/firewire/oxfw/oxfw.c b/sound/firewire/oxfw/oxfw.c
index 60e5cad..1607b26 100644
--- a/sound/firewire/oxfw/oxfw.c
+++ b/sound/firewire/oxfw/oxfw.c
@@ -104,11 +104,19 @@ end:
 	return err;
 }
 
+/*
+ * This module releases the FireWire unit data after all ALSA character devices
+ * are released by applications. This is for releasing stream data or finishing
+ * transactions safely. Thus at returning from .remove(), this module still keep
+ * references for the unit.
+ */
 static void oxfw_card_free(struct snd_card *card)
 {
 	struct snd_oxfw *oxfw = card->private_data;
 	unsigned int i;
 
+	fw_unit_put(oxfw->unit);
+
 	for (i = 0; i < SND_OXFW_STREAM_FORMAT_ENTRIES; i++) {
 		kfree(oxfw->tx_stream_formats[i]);
 		kfree(oxfw->rx_stream_formats[i]);
@@ -136,7 +144,7 @@ static int oxfw_probe(struct fw_unit *unit,
 	oxfw = card->private_data;
 	oxfw->card = card;
 	mutex_init(&oxfw->mutex);
-	oxfw->unit = unit;
+	oxfw->unit = fw_unit_get(unit);
 	oxfw->device_info = (const struct device_info *)id->driver_data;
 	spin_lock_init(&oxfw->lock);
 	init_waitqueue_head(&oxfw->hwdep_wait);
@@ -218,6 +226,7 @@ static void oxfw_remove(struct fw_unit *unit)
 	if (oxfw->has_output)
 		snd_oxfw_stream_destroy_simplex(oxfw, &oxfw->tx_stream);
 
+	/* No need to wait for releasing card object in this context. */
 	snd_card_free_when_closed(oxfw->card);
 }