Re: Line6 podstudio UX1 - driver crash on usb_hcd_map_urb_for_dma

On Sat, Apr 27, 2019 at 11:34:03AM -0400, Alan Stern wrote:
> On Sat, 27 Apr 2019, Greg KH wrote:
> 
> > On Fri, Apr 26, 2019 at 11:50:14AM +0200, Christo Gouws wrote:
> > > Hi,
> > > 
> > > I have a Line6 Pod Studio UX1 card, but each time I plug it in, I get
> > > the following crash in dmesg on Ubuntu 18.04
> > > Linux my-pc 4.20.8-042008-generic #201902121544 SMP Tue Feb 12
> > > 20:46:50 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
> > > 
> > > I've also tested this with a Fedora 30 v5.0.6-300 kernel, but still
> > > seems to happen (using liveCD).
> > > 
> > > 
> > > The output on the card seems to work, but none of the inputs work.
> > > 
> > > I've also now tested with latest kernel available on Arch Linux
> > > Linux my-pc 5.0.9-arch1-1-ARCH #1 SMP PREEMPT Sat Apr 20 15:00:46 UTC
> > > 2019 x86_64 GNU/Linux
> > > 
> > > After some further testing, I found that this issue cropped in between
> > > v4.8.17 and v4.9-rc1.
> > > 
> > > v4.8.17   - Works fine.
> > > v4.9-rc1+  - Produces crash
> > 
> > Any chance you can use 'git bisect' to find the exact commit that caused
> > the failure?
> 
> No need.  The bug is in line6_read_data() in sound/usb/line6/driver.c.  
> That routine passes an invalid buffer to usb_control_message().  
> Instead it should allocate its own buffer for the USB transfer and then
> copy the value to the caller's buffer.
> 
> There is a similar problem in line6_write_data().  Furthermore, both
> routines do DMA to/from a buffer on the stack.

I have an old patch in my local tree for the dma buffer on the stack
issue, it's below.  I should clean it up and send it correctly one of
these days :)

From e2c743d1f900135c3e560cd9ea1647e4a1ebce7a Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
Date: Wed, 23 Jan 2019 11:01:46 +0100
Subject: [PATCH 3/3] toneport fixes

---
 sound/usb/line6/toneport.c |   23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

--- a/sound/usb/line6/toneport.c
+++ b/sound/usb/line6/toneport.c
@@ -365,16 +365,21 @@ static bool toneport_has_source_select(s
 /*
 	Setup Toneport device.
 */
-static void toneport_setup(struct usb_line6_toneport *toneport)
+static int toneport_setup(struct usb_line6_toneport *toneport)
 {
-	u32 ticks;
+	u32 *ticks;
 	struct usb_line6 *line6 = &toneport->line6;
 	struct usb_device *usbdev = line6->usbdev;
 
+	ticks = kmalloc(sizeof(*ticks), GFP_KERNEL);
+	if (!ticks)
+		return -ENOMEM;
+
 	/* sync time on device with host: */
 	/* note: 32-bit timestamps overflow in year 2106 */
-	ticks = (u32)ktime_get_real_seconds();
-	line6_write_data(line6, 0x80c6, &ticks, 4);
+	*ticks = (u32)ktime_get_real_seconds();
+	line6_write_data(line6, 0x80c6, ticks, 4);
+	kfree(ticks);
 
 	/* enable device: */
 	toneport_send_cmd(usbdev, 0x0301, 0x0000);
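
Review bot: toneport_setup() becomes int here, but the only return added is the -ENOMEM one after kmalloc(); none of the three hunks adds a return 0 on the success path (the diffstat's 17 insertions are all accounted for in the visible lines), so a function that used to be void now falls off its end and the callers' if (err) checks act on an undefined value. Add return 0; at the end of the function. The result of line6_write_data(line6, 0x80c6, ticks, 4) is also still discarded; now that the function can report errors, capture it before kfree(ticks) and return it on failure.
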
@@ -451,7 +456,9 @@ static int toneport_init(struct usb_line
 			return err;
 	}
 
-	toneport_setup(toneport);
+	err = toneport_setup(toneport);
+	if (err)
+		return err;
 
 	/* register audio system: */
 	return snd_card_register(line6->card);
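
Review bot: the new return err after toneport_setup(toneport) skips snd_card_register(), so a failed 4-byte allocation for the time sync now fails the whole init, where previously the setup step could not fail init at all. If the time sync is best-effort, log the error and continue to card registration; if failing init is intended, say so in the commit message, which currently has no body.
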
@@ -463,7 +470,11 @@ static int toneport_init(struct usb_line
 */
 static int toneport_reset_resume(struct usb_interface *interface)
 {
-	toneport_setup(usb_get_intfdata(interface));
+	int err;
+
+	err = toneport_setup(usb_get_intfdata(interface));
+	if (err)
+		return err;
 	return line6_resume(interface);
 }
 #endif
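
Review bot: toneport_reset_resume() now returns before line6_resume(interface) when toneport_setup() fails, and the only failure toneport_setup() reports is its kmalloc(sizeof(*ticks), GFP_KERNEL). Confirm that GFP_KERNEL is acceptable on this resume path (GFP_NOIO is the flag for allocations that must not start I/O), and consider whether an allocation failure for the time sync should really prevent line6_resume() from running.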


