On Wed, 02 Sep 2020 13:01:09 +0200, Greg Kroah-Hartman wrote:
The usb_control_msg_send() and usb_control_msg_recv() calls can return an error if a "short" write/read happens, so move the driver over to using those calls instead, saving some logic in the wrapper functions that were being used in this driver.
This also resolves a long-staging bug where data on the stack was being sent in a USB control message, which was not allowed.
Cc: Jaroslav Kysela perex@perex.cz Cc: Takashi Iwai tiwai@suse.com Cc: alsa-devel@alsa-project.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Reviewed-by: Takashi Iwai tiwai@suse.de
thanks,
Takashi
sound/usb/6fire/firmware.c | 38 +++++++++++++------------------------- 1 file changed, 13 insertions(+), 25 deletions(-)
diff --git a/sound/usb/6fire/firmware.c b/sound/usb/6fire/firmware.c index 69137c14d0dc..5b8994070c96 100644 --- a/sound/usb/6fire/firmware.c +++ b/sound/usb/6fire/firmware.c @@ -158,29 +158,17 @@ static int usb6fire_fw_ihex_init(const struct firmware *fw, static int usb6fire_fw_ezusb_write(struct usb_device *device, int type, int value, char *data, int len) {
- int ret;
- ret = usb_control_msg(device, usb_sndctrlpipe(device, 0), type,
USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,value, 0, data, len, HZ);- if (ret < 0)
return ret;- else if (ret != len)
return -EIO;- return 0;
- return usb_control_msg_send(device, 0, type,
USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,value, 0, data, len, HZ);}
static int usb6fire_fw_ezusb_read(struct usb_device *device, int type, int value, char *data, int len) {
- int ret = usb_control_msg(device, usb_rcvctrlpipe(device, 0), type,
USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE, value,0, data, len, HZ);- if (ret < 0)
return ret;- else if (ret != len)
return -EIO;- return 0;
- return usb_control_msg_recv(device, 0, type,
USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,value, 0, data, len, HZ);}
static int usb6fire_fw_fpga_write(struct usb_device *device, @@ -230,7 +218,7 @@ static int usb6fire_fw_ezusb_upload( /* upload firmware image */ data = 0x01; /* stop ezusb cpu */ ret = usb6fire_fw_ezusb_write(device, 0xa0, 0xe600, &data, 1);
- if (ret < 0) {
- if (ret) { kfree(rec); release_firmware(fw); dev_err(&intf->dev,
@@ -242,7 +230,7 @@ static int usb6fire_fw_ezusb_upload( while (usb6fire_fw_ihex_next_record(rec)) { /* write firmware */ ret = usb6fire_fw_ezusb_write(device, 0xa0, rec->address, rec->data, rec->len);
if (ret < 0) {
if (ret) { kfree(rec); release_firmware(fw); dev_err(&intf->dev,@@ -257,7 +245,7 @@ static int usb6fire_fw_ezusb_upload( if (postdata) { /* write data after firmware has been uploaded */ ret = usb6fire_fw_ezusb_write(device, 0xa0, postaddr, postdata, postlen);
if (ret < 0) {
if (ret) { dev_err(&intf->dev, "unable to upload ezusb firmware %s: post urb.\n", fwname);@@ -267,7 +255,7 @@ static int usb6fire_fw_ezusb_upload(
data = 0x00; /* resume ezusb cpu */ ret = usb6fire_fw_ezusb_write(device, 0xa0, 0xe600, &data, 1);
- if (ret < 0) {
- if (ret) { dev_err(&intf->dev, "unable to upload ezusb firmware %s: end message.\n", fwname);
@@ -302,7 +290,7 @@ static int usb6fire_fw_fpga_upload( end = fw->data + fw->size;
ret = usb6fire_fw_ezusb_write(device, 8, 0, NULL, 0);
- if (ret < 0) {
- if (ret) { kfree(buffer); release_firmware(fw); dev_err(&intf->dev,
@@ -327,7 +315,7 @@ static int usb6fire_fw_fpga_upload( kfree(buffer);
ret = usb6fire_fw_ezusb_write(device, 9, 0, NULL, 0);
- if (ret < 0) {
- if (ret) { dev_err(&intf->dev, "unable to upload fpga firmware: end urb.\n"); return ret;
@@ -363,7 +351,7 @@ int usb6fire_fw_init(struct usb_interface *intf) u8 buffer[12];
ret = usb6fire_fw_ezusb_read(device, 1, 0, buffer, 8);
- if (ret < 0) {
- if (ret) { dev_err(&intf->dev, "unable to receive device firmware state.\n"); return ret;
-- 2.28.0