]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blob - sound/core/seq/seq_ports.c
projects / mirror_ubuntu-artful-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ALSA: seq: Fix use-after-free at creating a port
[mirror_ubuntu-artful-kernel.git] / sound / core / seq / seq_ports.c
1 /*
2 * ALSA sequencer Ports
3 * Copyright (c) 1998 by Frank van de Pol <fvdpol@coil.demon.nl>
4 * Jaroslav Kysela <perex@perex.cz>
5 *
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20 *
21 */
22
23 #include <sound/core.h>
24 #include <linux/slab.h>
25 #include <linux/module.h>
26 #include "seq_system.h"
27 #include "seq_ports.h"
28 #include "seq_clientmgr.h"
29
30 /*
31
32 registration of client ports
33
34 */
35
36
37 /*
38
39 NOTE: the current implementation of the port structure as a linked list is
40 not optimal for clients that have many ports. For sending messages to all
41 subscribers of a port we first need to find the address of the port
42 structure, which means we have to traverse the list. A direct access table
43 (array) would be better, but big preallocated arrays waste memory.
44
45 Possible actions:
46
47 1) leave it this way, a client does normaly does not have more than a few
48 ports
49
50 2) replace the linked list of ports by a array of pointers which is
51 dynamicly kmalloced. When a port is added or deleted we can simply allocate
52 a new array, copy the corresponding pointers, and delete the old one. We
53 then only need a pointer to this array, and an integer that tells us how
54 much elements are in array.
55
56 */
57
58 /* return pointer to port structure - port is locked if found */
59 struct snd_seq_client_port *snd_seq_port_use_ptr(struct snd_seq_client *client,
60 int num)
61 {
62 struct snd_seq_client_port *port;
63
64 if (client == NULL)
65 return NULL;
66 read_lock(&client->ports_lock);
67 list_for_each_entry(port, &client->ports_list_head, list) {
68 if (port->addr.port == num) {
69 if (port->closing)
70 break; /* deleting now */
71 snd_use_lock_use(&port->use_lock);
72 read_unlock(&client->ports_lock);
73 return port;
74 }
75 }
76 read_unlock(&client->ports_lock);
77 return NULL; /* not found */
78 }
79
80
81 /* search for the next port - port is locked if found */
82 struct snd_seq_client_port *snd_seq_port_query_nearest(struct snd_seq_client *client,
83 struct snd_seq_port_info *pinfo)
84 {
85 int num;
86 struct snd_seq_client_port *port, *found;
87
88 num = pinfo->addr.port;
89 found = NULL;
90 read_lock(&client->ports_lock);
91 list_for_each_entry(port, &client->ports_list_head, list) {
92 if (port->addr.port < num)
93 continue;
94 if (port->addr.port == num) {
95 found = port;
96 break;
97 }
98 if (found == NULL || port->addr.port < found->addr.port)
99 found = port;
100 }
101 if (found) {
102 if (found->closing)
103 found = NULL;
104 else
105 snd_use_lock_use(&found->use_lock);
106 }
107 read_unlock(&client->ports_lock);
108 return found;
109 }
110
111
112 /* initialize snd_seq_port_subs_info */
113 static void port_subs_info_init(struct snd_seq_port_subs_info *grp)
114 {
115 INIT_LIST_HEAD(&grp->list_head);
116 grp->count = 0;
117 grp->exclusive = 0;
118 rwlock_init(&grp->list_lock);
119 init_rwsem(&grp->list_mutex);
120 grp->open = NULL;
121 grp->close = NULL;
122 }
123
124
125 /* create a port, port number is returned (-1 on failure);
126 * the caller needs to unref the port via snd_seq_port_unlock() appropriately
127 */
128 struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client,
129 int port)
130 {
131 unsigned long flags;
132 struct snd_seq_client_port *new_port, *p;
133 int num = -1;
134
135 /* sanity check */
136 if (snd_BUG_ON(!client))
137 return NULL;
138
139 if (client->num_ports >= SNDRV_SEQ_MAX_PORTS) {
140 pr_warn("ALSA: seq: too many ports for client %d\n", client->number);
141 return NULL;
142 }
143
144 /* create a new port */
145 new_port = kzalloc(sizeof(*new_port), GFP_KERNEL);
146 if (!new_port)
147 return NULL; /* failure, out of memory */
148 /* init port data */
149 new_port->addr.client = client->number;
150 new_port->addr.port = -1;
151 new_port->owner = THIS_MODULE;
152 sprintf(new_port->name, "port-%d", num);
153 snd_use_lock_init(&new_port->use_lock);
154 port_subs_info_init(&new_port->c_src);
155 port_subs_info_init(&new_port->c_dest);
156 snd_use_lock_use(&new_port->use_lock);
157
158 num = port >= 0 ? port : 0;
159 mutex_lock(&client->ports_mutex);
160 write_lock_irqsave(&client->ports_lock, flags);
161 list_for_each_entry(p, &client->ports_list_head, list) {
162 if (p->addr.port > num)
163 break;
164 if (port < 0) /* auto-probe mode */
165 num = p->addr.port + 1;
166 }
167 /* insert the new port */
168 list_add_tail(&new_port->list, &p->list);
169 client->num_ports++;
170 new_port->addr.port = num; /* store the port number in the port */
171 sprintf(new_port->name, "port-%d", num);
172 write_unlock_irqrestore(&client->ports_lock, flags);
173 mutex_unlock(&client->ports_mutex);
174
175 return new_port;
176 }
177
178 /* */
179 static int subscribe_port(struct snd_seq_client *client,
180 struct snd_seq_client_port *port,
181 struct snd_seq_port_subs_info *grp,
182 struct snd_seq_port_subscribe *info, int send_ack);
183 static int unsubscribe_port(struct snd_seq_client *client,
184 struct snd_seq_client_port *port,
185 struct snd_seq_port_subs_info *grp,
186 struct snd_seq_port_subscribe *info, int send_ack);
187
188
189 static struct snd_seq_client_port *get_client_port(struct snd_seq_addr *addr,
190 struct snd_seq_client **cp)
191 {
192 struct snd_seq_client_port *p;
193 *cp = snd_seq_client_use_ptr(addr->client);
194 if (*cp) {
195 p = snd_seq_port_use_ptr(*cp, addr->port);
196 if (! p) {
197 snd_seq_client_unlock(*cp);
198 *cp = NULL;
199 }
200 return p;
201 }
202 return NULL;
203 }
204
205 static void delete_and_unsubscribe_port(struct snd_seq_client *client,
206 struct snd_seq_client_port *port,
207 struct snd_seq_subscribers *subs,
208 bool is_src, bool ack);
209
210 static inline struct snd_seq_subscribers *
211 get_subscriber(struct list_head *p, bool is_src)
212 {
213 if (is_src)
214 return list_entry(p, struct snd_seq_subscribers, src_list);
215 else
216 return list_entry(p, struct snd_seq_subscribers, dest_list);
217 }
218
219 /*
220 * remove all subscribers on the list
221 * this is called from port_delete, for each src and dest list.
222 */
223 static void clear_subscriber_list(struct snd_seq_client *client,
224 struct snd_seq_client_port *port,
225 struct snd_seq_port_subs_info *grp,
226 int is_src)
227 {
228 struct list_head *p, *n;
229
230 list_for_each_safe(p, n, &grp->list_head) {
231 struct snd_seq_subscribers *subs;
232 struct snd_seq_client *c;
233 struct snd_seq_client_port *aport;
234
235 subs = get_subscriber(p, is_src);
236 if (is_src)
237 aport = get_client_port(&subs->info.dest, &c);
238 else
239 aport = get_client_port(&subs->info.sender, &c);
240 delete_and_unsubscribe_port(client, port, subs, is_src, false);
241
242 if (!aport) {
243 /* looks like the connected port is being deleted.
244 * we decrease the counter, and when both ports are deleted
245 * remove the subscriber info
246 */
247 if (atomic_dec_and_test(&subs->ref_count))
248 kfree(subs);
249 continue;
250 }
251
252 /* ok we got the connected port */
253 delete_and_unsubscribe_port(c, aport, subs, !is_src, true);
254 kfree(subs);
255 snd_seq_port_unlock(aport);
256 snd_seq_client_unlock(c);
257 }
258 }
259
260 /* delete port data */
261 static int port_delete(struct snd_seq_client *client,
262 struct snd_seq_client_port *port)
263 {
264 /* set closing flag and wait for all port access are gone */
265 port->closing = 1;
266 snd_use_lock_sync(&port->use_lock);
267
268 /* clear subscribers info */
269 clear_subscriber_list(client, port, &port->c_src, true);
270 clear_subscriber_list(client, port, &port->c_dest, false);
271
272 if (port->private_free)
273 port->private_free(port->private_data);
274
275 snd_BUG_ON(port->c_src.count != 0);
276 snd_BUG_ON(port->c_dest.count != 0);
277
278 kfree(port);
279 return 0;
280 }
281
282
283 /* delete a port with the given port id */
284 int snd_seq_delete_port(struct snd_seq_client *client, int port)
285 {
286 unsigned long flags;
287 struct snd_seq_client_port *found = NULL, *p;
288
289 mutex_lock(&client->ports_mutex);
290 write_lock_irqsave(&client->ports_lock, flags);
291 list_for_each_entry(p, &client->ports_list_head, list) {
292 if (p->addr.port == port) {
293 /* ok found. delete from the list at first */
294 list_del(&p->list);
295 client->num_ports--;
296 found = p;
297 break;
298 }
299 }
300 write_unlock_irqrestore(&client->ports_lock, flags);
301 mutex_unlock(&client->ports_mutex);
302 if (found)
303 return port_delete(client, found);
304 else
305 return -ENOENT;
306 }
307
308 /* delete the all ports belonging to the given client */
309 int snd_seq_delete_all_ports(struct snd_seq_client *client)
310 {
311 unsigned long flags;
312 struct list_head deleted_list;
313 struct snd_seq_client_port *port, *tmp;
314
315 /* move the port list to deleted_list, and
316 * clear the port list in the client data.
317 */
318 mutex_lock(&client->ports_mutex);
319 write_lock_irqsave(&client->ports_lock, flags);
320 if (! list_empty(&client->ports_list_head)) {
321 list_add(&deleted_list, &client->ports_list_head);
322 list_del_init(&client->ports_list_head);
323 } else {
324 INIT_LIST_HEAD(&deleted_list);
325 }
326 client->num_ports = 0;
327 write_unlock_irqrestore(&client->ports_lock, flags);
328
329 /* remove each port in deleted_list */
330 list_for_each_entry_safe(port, tmp, &deleted_list, list) {
331 list_del(&port->list);
332 snd_seq_system_client_ev_port_exit(port->addr.client, port->addr.port);
333 port_delete(client, port);
334 }
335 mutex_unlock(&client->ports_mutex);
336 return 0;
337 }
338
339 /* set port info fields */
340 int snd_seq_set_port_info(struct snd_seq_client_port * port,
341 struct snd_seq_port_info * info)
342 {
343 if (snd_BUG_ON(!port || !info))
344 return -EINVAL;
345
346 /* set port name */
347 if (info->name[0])
348 strlcpy(port->name, info->name, sizeof(port->name));
349
350 /* set capabilities */
351 port->capability = info->capability;
352
353 /* get port type */
354 port->type = info->type;
355
356 /* information about supported channels/voices */
357 port->midi_channels = info->midi_channels;
358 port->midi_voices = info->midi_voices;
359 port->synth_voices = info->synth_voices;
360
361 /* timestamping */
362 port->timestamping = (info->flags & SNDRV_SEQ_PORT_FLG_TIMESTAMP) ? 1 : 0;
363 port->time_real = (info->flags & SNDRV_SEQ_PORT_FLG_TIME_REAL) ? 1 : 0;
364 port->time_queue = info->time_queue;
365
366 return 0;
367 }
368
369 /* get port info fields */
370 int snd_seq_get_port_info(struct snd_seq_client_port * port,
371 struct snd_seq_port_info * info)
372 {
373 if (snd_BUG_ON(!port || !info))
374 return -EINVAL;
375
376 /* get port name */
377 strlcpy(info->name, port->name, sizeof(info->name));
378
379 /* get capabilities */
380 info->capability = port->capability;
381
382 /* get port type */
383 info->type = port->type;
384
385 /* information about supported channels/voices */
386 info->midi_channels = port->midi_channels;
387 info->midi_voices = port->midi_voices;
388 info->synth_voices = port->synth_voices;
389
390 /* get subscriber counts */
391 info->read_use = port->c_src.count;
392 info->write_use = port->c_dest.count;
393
394 /* timestamping */
395 info->flags = 0;
396 if (port->timestamping) {
397 info->flags |= SNDRV_SEQ_PORT_FLG_TIMESTAMP;
398 if (port->time_real)
399 info->flags |= SNDRV_SEQ_PORT_FLG_TIME_REAL;
400 info->time_queue = port->time_queue;
401 }
402
403 return 0;
404 }
405
406
407
408 /*
409 * call callback functions (if any):
410 * the callbacks are invoked only when the first (for connection) or
411 * the last subscription (for disconnection) is done. Second or later
412 * subscription results in increment of counter, but no callback is
413 * invoked.
414 * This feature is useful if these callbacks are associated with
415 * initialization or termination of devices (see seq_midi.c).
416 */
417
418 static int subscribe_port(struct snd_seq_client *client,
419 struct snd_seq_client_port *port,
420 struct snd_seq_port_subs_info *grp,
421 struct snd_seq_port_subscribe *info,
422 int send_ack)
423 {
424 int err = 0;
425
426 if (!try_module_get(port->owner))
427 return -EFAULT;
428 grp->count++;
429 if (grp->open && grp->count == 1) {
430 err = grp->open(port->private_data, info);
431 if (err < 0) {
432 module_put(port->owner);
433 grp->count--;
434 }
435 }
436 if (err >= 0 && send_ack && client->type == USER_CLIENT)
437 snd_seq_client_notify_subscription(port->addr.client, port->addr.port,
438 info, SNDRV_SEQ_EVENT_PORT_SUBSCRIBED);
439
440 return err;
441 }
442
443 static int unsubscribe_port(struct snd_seq_client *client,
444 struct snd_seq_client_port *port,
445 struct snd_seq_port_subs_info *grp,
446 struct snd_seq_port_subscribe *info,
447 int send_ack)
448 {
449 int err = 0;
450
451 if (! grp->count)
452 return -EINVAL;
453 grp->count--;
454 if (grp->close && grp->count == 0)
455 err = grp->close(port->private_data, info);
456 if (send_ack && client->type == USER_CLIENT)
457 snd_seq_client_notify_subscription(port->addr.client, port->addr.port,
458 info, SNDRV_SEQ_EVENT_PORT_UNSUBSCRIBED);
459 module_put(port->owner);
460 return err;
461 }
462
463
464
465 /* check if both addresses are identical */
466 static inline int addr_match(struct snd_seq_addr *r, struct snd_seq_addr *s)
467 {
468 return (r->client == s->client) && (r->port == s->port);
469 }
470
471 /* check the two subscribe info match */
472 /* if flags is zero, checks only sender and destination addresses */
473 static int match_subs_info(struct snd_seq_port_subscribe *r,
474 struct snd_seq_port_subscribe *s)
475 {
476 if (addr_match(&r->sender, &s->sender) &&
477 addr_match(&r->dest, &s->dest)) {
478 if (r->flags && r->flags == s->flags)
479 return r->queue == s->queue;
480 else if (! r->flags)
481 return 1;
482 }
483 return 0;
484 }
485
486 static int check_and_subscribe_port(struct snd_seq_client *client,
487 struct snd_seq_client_port *port,
488 struct snd_seq_subscribers *subs,
489 bool is_src, bool exclusive, bool ack)
490 {
491 struct snd_seq_port_subs_info *grp;
492 struct list_head *p;
493 struct snd_seq_subscribers *s;
494 int err;
495
496 grp = is_src ? &port->c_src : &port->c_dest;
497 err = -EBUSY;
498 down_write(&grp->list_mutex);
499 if (exclusive) {
500 if (!list_empty(&grp->list_head))
501 goto __error;
502 } else {
503 if (grp->exclusive)
504 goto __error;
505 /* check whether already exists */
506 list_for_each(p, &grp->list_head) {
507 s = get_subscriber(p, is_src);
508 if (match_subs_info(&subs->info, &s->info))
509 goto __error;
510 }
511 }
512
513 err = subscribe_port(client, port, grp, &subs->info, ack);
514 if (err < 0) {
515 grp->exclusive = 0;
516 goto __error;
517 }
518
519 /* add to list */
520 write_lock_irq(&grp->list_lock);
521 if (is_src)
522 list_add_tail(&subs->src_list, &grp->list_head);
523 else
524 list_add_tail(&subs->dest_list, &grp->list_head);
525 grp->exclusive = exclusive;
526 atomic_inc(&subs->ref_count);
527 write_unlock_irq(&grp->list_lock);
528 err = 0;
529
530 __error:
531 up_write(&grp->list_mutex);
532 return err;
533 }
534
535 static void delete_and_unsubscribe_port(struct snd_seq_client *client,
536 struct snd_seq_client_port *port,
537 struct snd_seq_subscribers *subs,
538 bool is_src, bool ack)
539 {
540 struct snd_seq_port_subs_info *grp;
541 struct list_head *list;
542 bool empty;
543
544 grp = is_src ? &port->c_src : &port->c_dest;
545 list = is_src ? &subs->src_list : &subs->dest_list;
546 down_write(&grp->list_mutex);
547 write_lock_irq(&grp->list_lock);
548 empty = list_empty(list);
549 if (!empty)
550 list_del_init(list);
551 grp->exclusive = 0;
552 write_unlock_irq(&grp->list_lock);
553 up_write(&grp->list_mutex);
554
555 if (!empty)
556 unsubscribe_port(client, port, grp, &subs->info, ack);
557 }
558
559 /* connect two ports */
560 int snd_seq_port_connect(struct snd_seq_client *connector,
561 struct snd_seq_client *src_client,
562 struct snd_seq_client_port *src_port,
563 struct snd_seq_client *dest_client,
564 struct snd_seq_client_port *dest_port,
565 struct snd_seq_port_subscribe *info)
566 {
567 struct snd_seq_subscribers *subs;
568 bool exclusive;
569 int err;
570
571 subs = kzalloc(sizeof(*subs), GFP_KERNEL);
572 if (!subs)
573 return -ENOMEM;
574
575 subs->info = *info;
576 atomic_set(&subs->ref_count, 0);
577 INIT_LIST_HEAD(&subs->src_list);
578 INIT_LIST_HEAD(&subs->dest_list);
579
580 exclusive = !!(info->flags & SNDRV_SEQ_PORT_SUBS_EXCLUSIVE);
581
582 err = check_and_subscribe_port(src_client, src_port, subs, true,
583 exclusive,
584 connector->number != src_client->number);
585 if (err < 0)
586 goto error;
587 err = check_and_subscribe_port(dest_client, dest_port, subs, false,
588 exclusive,
589 connector->number != dest_client->number);
590 if (err < 0)
591 goto error_dest;
592
593 return 0;
594
595 error_dest:
596 delete_and_unsubscribe_port(src_client, src_port, subs, true,
597 connector->number != src_client->number);
598 error:
599 kfree(subs);
600 return err;
601 }
602
603 /* remove the connection */
604 int snd_seq_port_disconnect(struct snd_seq_client *connector,
605 struct snd_seq_client *src_client,
606 struct snd_seq_client_port *src_port,
607 struct snd_seq_client *dest_client,
608 struct snd_seq_client_port *dest_port,
609 struct snd_seq_port_subscribe *info)
610 {
611 struct snd_seq_port_subs_info *src = &src_port->c_src;
612 struct snd_seq_subscribers *subs;
613 int err = -ENOENT;
614
615 down_write(&src->list_mutex);
616 /* look for the connection */
617 list_for_each_entry(subs, &src->list_head, src_list) {
618 if (match_subs_info(info, &subs->info)) {
619 atomic_dec(&subs->ref_count); /* mark as not ready */
620 err = 0;
621 break;
622 }
623 }
624 up_write(&src->list_mutex);
625 if (err < 0)
626 return err;
627
628 delete_and_unsubscribe_port(src_client, src_port, subs, true,
629 connector->number != src_client->number);
630 delete_and_unsubscribe_port(dest_client, dest_port, subs, false,
631 connector->number != dest_client->number);
632 kfree(subs);
633 return 0;
634 }
635
636
637 /* get matched subscriber */
638 struct snd_seq_subscribers *snd_seq_port_get_subscription(struct snd_seq_port_subs_info *src_grp,
639 struct snd_seq_addr *dest_addr)
640 {
641 struct snd_seq_subscribers *s, *found = NULL;
642
643 down_read(&src_grp->list_mutex);
644 list_for_each_entry(s, &src_grp->list_head, src_list) {
645 if (addr_match(dest_addr, &s->info.dest)) {
646 found = s;
647 break;
648 }
649 }
650 up_read(&src_grp->list_mutex);
651 return found;
652 }
653
654 /*
655 * Attach a device driver that wants to receive events from the
656 * sequencer. Returns the new port number on success.
657 * A driver that wants to receive the events converted to midi, will
658 * use snd_seq_midisynth_register_port().
659 */
660 /* exported */
661 int snd_seq_event_port_attach(int client,
662 struct snd_seq_port_callback *pcbp,
663 int cap, int type, int midi_channels,
664 int midi_voices, char *portname)
665 {
666 struct snd_seq_port_info portinfo;
667 int ret;
668
669 /* Set up the port */
670 memset(&portinfo, 0, sizeof(portinfo));
671 portinfo.addr.client = client;
672 strlcpy(portinfo.name, portname ? portname : "Unamed port",
673 sizeof(portinfo.name));
674
675 portinfo.capability = cap;
676 portinfo.type = type;
677 portinfo.kernel = pcbp;
678 portinfo.midi_channels = midi_channels;
679 portinfo.midi_voices = midi_voices;
680
681 /* Create it */
682 ret = snd_seq_kernel_client_ctl(client,
683 SNDRV_SEQ_IOCTL_CREATE_PORT,
684 &portinfo);
685
686 if (ret >= 0)
687 ret = portinfo.addr.port;
688
689 return ret;
690 }
691 EXPORT_SYMBOL(snd_seq_event_port_attach);
692
693 /*
694 * Detach the driver from a port.
695 */
696 /* exported */
697 int snd_seq_event_port_detach(int client, int port)
698 {
699 struct snd_seq_port_info portinfo;
700 int err;
701
702 memset(&portinfo, 0, sizeof(portinfo));
703 portinfo.addr.client = client;
704 portinfo.addr.port = port;
705 err = snd_seq_kernel_client_ctl(client,
706 SNDRV_SEQ_IOCTL_DELETE_PORT,
707 &portinfo);
708
709 return err;
710 }
711 EXPORT_SYMBOL(snd_seq_event_port_detach);
Ubuntu Artful kernel mirror