]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blob - sound/pci/asihpi/hpioctl.c
projects / mirror_ubuntu-bionic-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ALSA: asihpi: Hardening for potential Spectre v1
[mirror_ubuntu-bionic-kernel.git] / sound / pci / asihpi / hpioctl.c
1 /*******************************************************************************
2 AudioScience HPI driver
3 Common Linux HPI ioctl and module probe/remove functions
4
5 Copyright (C) 1997-2014 AudioScience Inc. <support@audioscience.com>
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of version 2 of the GNU General Public License as
9 published by the Free Software Foundation;
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 *******************************************************************************/
17 #define SOURCEFILE_NAME "hpioctl.c"
18
19 #include "hpi_internal.h"
20 #include "hpi_version.h"
21 #include "hpimsginit.h"
22 #include "hpidebug.h"
23 #include "hpimsgx.h"
24 #include "hpioctl.h"
25 #include "hpicmn.h"
26
27 #include <linux/fs.h>
28 #include <linux/interrupt.h>
29 #include <linux/slab.h>
30 #include <linux/moduleparam.h>
31 #include <linux/uaccess.h>
32 #include <linux/pci.h>
33 #include <linux/stringify.h>
34 #include <linux/module.h>
35 #include <linux/vmalloc.h>
36 #include <linux/nospec.h>
37
38 #ifdef MODULE_FIRMWARE
39 MODULE_FIRMWARE("asihpi/dsp5000.bin");
40 MODULE_FIRMWARE("asihpi/dsp6200.bin");
41 MODULE_FIRMWARE("asihpi/dsp6205.bin");
42 MODULE_FIRMWARE("asihpi/dsp6400.bin");
43 MODULE_FIRMWARE("asihpi/dsp6600.bin");
44 MODULE_FIRMWARE("asihpi/dsp8700.bin");
45 MODULE_FIRMWARE("asihpi/dsp8900.bin");
46 #endif
47
48 static int prealloc_stream_buf;
49 module_param(prealloc_stream_buf, int, S_IRUGO);
50 MODULE_PARM_DESC(prealloc_stream_buf,
51 "Preallocate size for per-adapter stream buffer");
52
53 /* Allow the debug level to be changed after module load.
54 E.g. echo 2 > /sys/module/asihpi/parameters/hpiDebugLevel
55 */
56 module_param(hpi_debug_level, int, S_IRUGO | S_IWUSR);
57 MODULE_PARM_DESC(hpi_debug_level, "debug verbosity 0..5");
58
59 /* List of adapters found */
60 static struct hpi_adapter adapters[HPI_MAX_ADAPTERS];
61
62 /* Wrapper function to HPI_Message to enable dumping of the
63 message and response types.
64 */
65 static void hpi_send_recv_f(struct hpi_message *phm, struct hpi_response *phr,
66 struct file *file)
67 {
68 if ((phm->adapter_index >= HPI_MAX_ADAPTERS)
69 && (phm->object != HPI_OBJ_SUBSYSTEM))
70 phr->error = HPI_ERROR_INVALID_OBJ_INDEX;
71 else
72 hpi_send_recv_ex(phm, phr, file);
73 }
74
75 /* This is called from hpifunc.c functions, called by ALSA
76 * (or other kernel process) In this case there is no file descriptor
77 * available for the message cache code
78 */
79 void hpi_send_recv(struct hpi_message *phm, struct hpi_response *phr)
80 {
81 hpi_send_recv_f(phm, phr, HOWNER_KERNEL);
82 }
83
84 EXPORT_SYMBOL(hpi_send_recv);
85 /* for radio-asihpi */
86
87 int asihpi_hpi_release(struct file *file)
88 {
89 struct hpi_message hm;
90 struct hpi_response hr;
91
92 /* HPI_DEBUG_LOG(INFO,"hpi_release file %p, pid %d\n", file, current->pid); */
93 /* close the subsystem just in case the application forgot to. */
94 hpi_init_message_response(&hm, &hr, HPI_OBJ_SUBSYSTEM,
95 HPI_SUBSYS_CLOSE);
96 hpi_send_recv_ex(&hm, &hr, file);
97 return 0;
98 }
99
100 long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
101 {
102 struct hpi_ioctl_linux __user *phpi_ioctl_data;
103 void __user *puhm;
104 void __user *puhr;
105 union hpi_message_buffer_v1 *hm;
106 union hpi_response_buffer_v1 *hr;
107 u16 msg_size;
108 u16 res_max_size;
109 u32 uncopied_bytes;
110 int err = 0;
111
112 if (cmd != HPI_IOCTL_LINUX)
113 return -EINVAL;
114
115 hm = kmalloc(sizeof(*hm), GFP_KERNEL);
116 hr = kzalloc(sizeof(*hr), GFP_KERNEL);
117 if (!hm || !hr) {
118 err = -ENOMEM;
119 goto out;
120 }
121
122 phpi_ioctl_data = (struct hpi_ioctl_linux __user *)arg;
123
124 /* Read the message and response pointers from user space. */
125 if (get_user(puhm, &phpi_ioctl_data->phm)
126 || get_user(puhr, &phpi_ioctl_data->phr)) {
127 err = -EFAULT;
128 goto out;
129 }
130
131 /* Now read the message size and data from user space. */
132 if (get_user(msg_size, (u16 __user *)puhm)) {
133 err = -EFAULT;
134 goto out;
135 }
136 if (msg_size > sizeof(*hm))
137 msg_size = sizeof(*hm);
138
139 /* printk(KERN_INFO "message size %d\n", hm->h.wSize); */
140
141 uncopied_bytes = copy_from_user(hm, puhm, msg_size);
142 if (uncopied_bytes) {
143 HPI_DEBUG_LOG(ERROR, "uncopied bytes %d\n", uncopied_bytes);
144 err = -EFAULT;
145 goto out;
146 }
147
148 /* Override h.size in case it is changed between two userspace fetches */
149 hm->h.size = msg_size;
150
151 if (get_user(res_max_size, (u16 __user *)puhr)) {
152 err = -EFAULT;
153 goto out;
154 }
155 /* printk(KERN_INFO "user response size %d\n", res_max_size); */
156 if (res_max_size < sizeof(struct hpi_response_header)) {
157 HPI_DEBUG_LOG(WARNING, "small res size %d\n", res_max_size);
158 err = -EFAULT;
159 goto out;
160 }
161
162 res_max_size = min_t(size_t, res_max_size, sizeof(*hr));
163
164 switch (hm->h.function) {
165 case HPI_SUBSYS_CREATE_ADAPTER:
166 case HPI_ADAPTER_DELETE:
167 /* Application must not use these functions! */
168 hr->h.size = sizeof(hr->h);
169 hr->h.error = HPI_ERROR_INVALID_OPERATION;
170 hr->h.function = hm->h.function;
171 uncopied_bytes = copy_to_user(puhr, hr, hr->h.size);
172 if (uncopied_bytes)
173 err = -EFAULT;
174 else
175 err = 0;
176 goto out;
177 }
178
179 hr->h.size = res_max_size;
180 if (hm->h.object == HPI_OBJ_SUBSYSTEM) {
181 hpi_send_recv_f(&hm->m0, &hr->r0, file);
182 } else {
183 u16 __user *ptr = NULL;
184 u32 size = 0;
185 /* -1=no data 0=read from user mem, 1=write to user mem */
186 int wrflag = -1;
187 struct hpi_adapter *pa = NULL;
188
189 if (hm->h.adapter_index < ARRAY_SIZE(adapters))
190 pa = &adapters[array_index_nospec(hm->h.adapter_index,
191 ARRAY_SIZE(adapters))];
192
193 if (!pa || !pa->adapter || !pa->adapter->type) {
194 hpi_init_response(&hr->r0, hm->h.object,
195 hm->h.function, HPI_ERROR_BAD_ADAPTER_NUMBER);
196
197 uncopied_bytes =
198 copy_to_user(puhr, hr, sizeof(hr->h));
199 if (uncopied_bytes)
200 err = -EFAULT;
201 else
202 err = 0;
203 goto out;
204 }
205
206 if (mutex_lock_interruptible(&pa->mutex)) {
207 err = -EINTR;
208 goto out;
209 }
210
211 /* Dig out any pointers embedded in the message. */
212 switch (hm->h.function) {
213 case HPI_OSTREAM_WRITE:
214 case HPI_ISTREAM_READ:{
215 /* Yes, sparse, this is correct. */
216 ptr = (u16 __user *)hm->m0.u.d.u.data.pb_data;
217 size = hm->m0.u.d.u.data.data_size;
218
219 /* Allocate buffer according to application request.
220 ?Is it better to alloc/free for the duration
221 of the transaction?
222 */
223 if (pa->buffer_size < size) {
224 HPI_DEBUG_LOG(DEBUG,
225 "Realloc adapter %d stream "
226 "buffer from %zd to %d\n",
227 hm->h.adapter_index,
228 pa->buffer_size, size);
229 if (pa->p_buffer) {
230 pa->buffer_size = 0;
231 vfree(pa->p_buffer);
232 }
233 pa->p_buffer = vmalloc(size);
234 if (pa->p_buffer)
235 pa->buffer_size = size;
236 else {
237 HPI_DEBUG_LOG(ERROR,
238 "HPI could not allocate "
239 "stream buffer size %d\n",
240 size);
241
242 mutex_unlock(&pa->mutex);
243 err = -EINVAL;
244 goto out;
245 }
246 }
247
248 hm->m0.u.d.u.data.pb_data = pa->p_buffer;
249 if (hm->h.function == HPI_ISTREAM_READ)
250 /* from card, WRITE to user mem */
251 wrflag = 1;
252 else
253 wrflag = 0;
254 break;
255 }
256
257 default:
258 size = 0;
259 break;
260 }
261
262 if (size && (wrflag == 0)) {
263 uncopied_bytes =
264 copy_from_user(pa->p_buffer, ptr, size);
265 if (uncopied_bytes)
266 HPI_DEBUG_LOG(WARNING,
267 "Missed %d of %d "
268 "bytes from user\n", uncopied_bytes,
269 size);
270 }
271
272 hpi_send_recv_f(&hm->m0, &hr->r0, file);
273
274 if (size && (wrflag == 1)) {
275 uncopied_bytes =
276 copy_to_user(ptr, pa->p_buffer, size);
277 if (uncopied_bytes)
278 HPI_DEBUG_LOG(WARNING,
279 "Missed %d of %d " "bytes to user\n",
280 uncopied_bytes, size);
281 }
282
283 mutex_unlock(&pa->mutex);
284 }
285
286 /* on return response size must be set */
287 /*printk(KERN_INFO "response size %d\n", hr->h.wSize); */
288
289 if (!hr->h.size) {
290 HPI_DEBUG_LOG(ERROR, "response zero size\n");
291 err = -EFAULT;
292 goto out;
293 }
294
295 if (hr->h.size > res_max_size) {
296 HPI_DEBUG_LOG(ERROR, "response too big %d %d\n", hr->h.size,
297 res_max_size);
298 hr->h.error = HPI_ERROR_RESPONSE_BUFFER_TOO_SMALL;
299 hr->h.specific_error = hr->h.size;
300 hr->h.size = sizeof(hr->h);
301 }
302
303 uncopied_bytes = copy_to_user(puhr, hr, hr->h.size);
304 if (uncopied_bytes) {
305 HPI_DEBUG_LOG(ERROR, "uncopied bytes %d\n", uncopied_bytes);
306 err = -EFAULT;
307 goto out;
308 }
309
310 out:
311 kfree(hm);
312 kfree(hr);
313 return err;
314 }
315
316 static int asihpi_irq_count;
317
318 static irqreturn_t asihpi_isr(int irq, void *dev_id)
319 {
320 struct hpi_adapter *a = dev_id;
321 int handled;
322
323 if (!a->adapter->irq_query_and_clear) {
324 pr_err("asihpi_isr ASI%04X:%d no handler\n", a->adapter->type,
325 a->adapter->index);
326 return IRQ_NONE;
327 }
328
329 handled = a->adapter->irq_query_and_clear(a->adapter, 0);
330
331 if (!handled)
332 return IRQ_NONE;
333
334 asihpi_irq_count++;
335 /* printk(KERN_INFO "asihpi_isr %d ASI%04X:%d irq handled\n",
336 asihpi_irq_count, a->adapter->type, a->adapter->index); */
337
338 if (a->interrupt_callback)
339 a->interrupt_callback(a);
340
341 return IRQ_HANDLED;
342 }
343
344 int asihpi_adapter_probe(struct pci_dev *pci_dev,
345 const struct pci_device_id *pci_id)
346 {
347 int idx, nm, low_latency_mode = 0, irq_supported = 0;
348 int adapter_index;
349 unsigned int memlen;
350 struct hpi_message hm;
351 struct hpi_response hr;
352 struct hpi_adapter adapter;
353 struct hpi_pci pci;
354
355 memset(&adapter, 0, sizeof(adapter));
356
357 dev_printk(KERN_DEBUG, &pci_dev->dev,
358 "probe %04x:%04x,%04x:%04x,%04x\n", pci_dev->vendor,
359 pci_dev->device, pci_dev->subsystem_vendor,
360 pci_dev->subsystem_device, pci_dev->devfn);
361
362 if (pci_enable_device(pci_dev) < 0) {
363 dev_err(&pci_dev->dev,
364 "pci_enable_device failed, disabling device\n");
365 return -EIO;
366 }
367
368 pci_set_master(pci_dev); /* also sets latency timer if < 16 */
369
370 hpi_init_message_response(&hm, &hr, HPI_OBJ_SUBSYSTEM,
371 HPI_SUBSYS_CREATE_ADAPTER);
372 hpi_init_response(&hr, HPI_OBJ_SUBSYSTEM, HPI_SUBSYS_CREATE_ADAPTER,
373 HPI_ERROR_PROCESSING_MESSAGE);
374
375 hm.adapter_index = HPI_ADAPTER_INDEX_INVALID;
376
377 nm = HPI_MAX_ADAPTER_MEM_SPACES;
378
379 for (idx = 0; idx < nm; idx++) {
380 HPI_DEBUG_LOG(INFO, "resource %d %pR\n", idx,
381 &pci_dev->resource[idx]);
382
383 if (pci_resource_flags(pci_dev, idx) & IORESOURCE_MEM) {
384 memlen = pci_resource_len(pci_dev, idx);
385 pci.ap_mem_base[idx] =
386 ioremap(pci_resource_start(pci_dev, idx),
387 memlen);
388 if (!pci.ap_mem_base[idx]) {
389 HPI_DEBUG_LOG(ERROR,
390 "ioremap failed, aborting\n");
391 /* unmap previously mapped pci mem space */
392 goto err;
393 }
394 }
395 }
396
397 pci.pci_dev = pci_dev;
398 hm.u.s.resource.bus_type = HPI_BUS_PCI;
399 hm.u.s.resource.r.pci = &pci;
400
401 /* call CreateAdapterObject on the relevant hpi module */
402 hpi_send_recv_ex(&hm, &hr, HOWNER_KERNEL);
403 if (hr.error)
404 goto err;
405
406 adapter_index = hr.u.s.adapter_index;
407 adapter.adapter = hpi_find_adapter(adapter_index);
408
409 if (prealloc_stream_buf) {
410 adapter.p_buffer = vmalloc(prealloc_stream_buf);
411 if (!adapter.p_buffer) {
412 HPI_DEBUG_LOG(ERROR,
413 "HPI could not allocate "
414 "kernel buffer size %d\n",
415 prealloc_stream_buf);
416 goto err;
417 }
418 }
419
420 hpi_init_message_response(&hm, &hr, HPI_OBJ_ADAPTER,
421 HPI_ADAPTER_OPEN);
422 hm.adapter_index = adapter.adapter->index;
423 hpi_send_recv_ex(&hm, &hr, HOWNER_KERNEL);
424
425 if (hr.error) {
426 HPI_DEBUG_LOG(ERROR, "HPI_ADAPTER_OPEN failed, aborting\n");
427 goto err;
428 }
429
430 /* Check if current mode == Low Latency mode */
431 hpi_init_message_response(&hm, &hr, HPI_OBJ_ADAPTER,
432 HPI_ADAPTER_GET_MODE);
433 hm.adapter_index = adapter.adapter->index;
434 hpi_send_recv_ex(&hm, &hr, HOWNER_KERNEL);
435
436 if (!hr.error
437 && hr.u.ax.mode.adapter_mode == HPI_ADAPTER_MODE_LOW_LATENCY)
438 low_latency_mode = 1;
439 else
440 dev_info(&pci_dev->dev,
441 "Adapter at index %d is not in low latency mode\n",
442 adapter.adapter->index);
443
444 /* Check if IRQs are supported */
445 hpi_init_message_response(&hm, &hr, HPI_OBJ_ADAPTER,
446 HPI_ADAPTER_GET_PROPERTY);
447 hm.adapter_index = adapter.adapter->index;
448 hm.u.ax.property_set.property = HPI_ADAPTER_PROPERTY_SUPPORTS_IRQ;
449 hpi_send_recv_ex(&hm, &hr, HOWNER_KERNEL);
450 if (hr.error || !hr.u.ax.property_get.parameter1) {
451 dev_info(&pci_dev->dev,
452 "IRQs not supported by adapter at index %d\n",
453 adapter.adapter->index);
454 } else {
455 irq_supported = 1;
456 }
457
458 /* WARNING can't init mutex in 'adapter'
459 * and then copy it to adapters[] ?!?!
460 */
461 adapters[adapter_index] = adapter;
462 mutex_init(&adapters[adapter_index].mutex);
463 pci_set_drvdata(pci_dev, &adapters[adapter_index]);
464
465 if (low_latency_mode && irq_supported) {
466 if (!adapter.adapter->irq_query_and_clear) {
467 dev_err(&pci_dev->dev,
468 "no IRQ handler for adapter %d, aborting\n",
469 adapter.adapter->index);
470 goto err;
471 }
472
473 /* Disable IRQ generation on DSP side by setting the rate to 0 */
474 hpi_init_message_response(&hm, &hr, HPI_OBJ_ADAPTER,
475 HPI_ADAPTER_SET_PROPERTY);
476 hm.adapter_index = adapter.adapter->index;
477 hm.u.ax.property_set.property = HPI_ADAPTER_PROPERTY_IRQ_RATE;
478 hm.u.ax.property_set.parameter1 = 0;
479 hm.u.ax.property_set.parameter2 = 0;
480 hpi_send_recv_ex(&hm, &hr, HOWNER_KERNEL);
481 if (hr.error) {
482 HPI_DEBUG_LOG(ERROR,
483 "HPI_ADAPTER_GET_MODE failed, aborting\n");
484 goto err;
485 }
486
487 /* Note: request_irq calls asihpi_isr here */
488 if (request_irq(pci_dev->irq, asihpi_isr, IRQF_SHARED,
489 "asihpi", &adapters[adapter_index])) {
490 dev_err(&pci_dev->dev, "request_irq(%d) failed\n",
491 pci_dev->irq);
492 goto err;
493 }
494
495 adapters[adapter_index].interrupt_mode = 1;
496
497 dev_info(&pci_dev->dev, "using irq %d\n", pci_dev->irq);
498 adapters[adapter_index].irq = pci_dev->irq;
499 } else {
500 dev_info(&pci_dev->dev, "using polled mode\n");
501 }
502
503 dev_info(&pci_dev->dev, "probe succeeded for ASI%04X HPI index %d\n",
504 adapter.adapter->type, adapter_index);
505
506 return 0;
507
508 err:
509 for (idx = 0; idx < HPI_MAX_ADAPTER_MEM_SPACES; idx++) {
510 if (pci.ap_mem_base[idx]) {
511 iounmap(pci.ap_mem_base[idx]);
512 pci.ap_mem_base[idx] = NULL;
513 }
514 }
515
516 if (adapter.p_buffer) {
517 adapter.buffer_size = 0;
518 vfree(adapter.p_buffer);
519 }
520
521 HPI_DEBUG_LOG(ERROR, "adapter_probe failed\n");
522 return -ENODEV;
523 }
524
525 void asihpi_adapter_remove(struct pci_dev *pci_dev)
526 {
527 int idx;
528 struct hpi_message hm;
529 struct hpi_response hr;
530 struct hpi_adapter *pa;
531 struct hpi_pci pci;
532
533 pa = pci_get_drvdata(pci_dev);
534 pci = pa->adapter->pci;
535
536 /* Disable IRQ generation on DSP side */
537 hpi_init_message_response(&hm, &hr, HPI_OBJ_ADAPTER,
538 HPI_ADAPTER_SET_PROPERTY);
539 hm.adapter_index = pa->adapter->index;
540 hm.u.ax.property_set.property = HPI_ADAPTER_PROPERTY_IRQ_RATE;
541 hm.u.ax.property_set.parameter1 = 0;
542 hm.u.ax.property_set.parameter2 = 0;
543 hpi_send_recv_ex(&hm, &hr, HOWNER_KERNEL);
544
545 hpi_init_message_response(&hm, &hr, HPI_OBJ_ADAPTER,
546 HPI_ADAPTER_DELETE);
547 hm.adapter_index = pa->adapter->index;
548 hpi_send_recv_ex(&hm, &hr, HOWNER_KERNEL);
549
550 /* unmap PCI memory space, mapped during device init. */
551 for (idx = 0; idx < HPI_MAX_ADAPTER_MEM_SPACES; ++idx)
552 iounmap(pci.ap_mem_base[idx]);
553
554 if (pa->irq)
555 free_irq(pa->irq, pa);
556
557 vfree(pa->p_buffer);
558
559 if (1)
560 dev_info(&pci_dev->dev,
561 "remove %04x:%04x,%04x:%04x,%04x, HPI index %d\n",
562 pci_dev->vendor, pci_dev->device,
563 pci_dev->subsystem_vendor, pci_dev->subsystem_device,
564 pci_dev->devfn, pa->adapter->index);
565
566 memset(pa, 0, sizeof(*pa));
567 }
568
569 void __init asihpi_init(void)
570 {
571 struct hpi_message hm;
572 struct hpi_response hr;
573
574 memset(adapters, 0, sizeof(adapters));
575
576 printk(KERN_INFO "ASIHPI driver " HPI_VER_STRING "\n");
577
578 hpi_init_message_response(&hm, &hr, HPI_OBJ_SUBSYSTEM,
579 HPI_SUBSYS_DRIVER_LOAD);
580 hpi_send_recv_ex(&hm, &hr, HOWNER_KERNEL);
581 }
582
583 void asihpi_exit(void)
584 {
585 struct hpi_message hm;
586 struct hpi_response hr;
587
588 hpi_init_message_response(&hm, &hr, HPI_OBJ_SUBSYSTEM,
589 HPI_SUBSYS_DRIVER_UNLOAD);
590 hpi_send_recv_ex(&hm, &hr, HOWNER_KERNEL);
591 }
ubuntu-bionic-kernel mirror