| From dfef01e150824b0e6da750cacda8958188d29aea Mon Sep 17 00:00:00 2001 |
| From: Takashi Iwai <tiwai@suse.de> |
| Date: Thu, 19 Jul 2018 11:01:04 +0200 |
| Subject: ALSA: memalloc: Don't exceed over the requested size |
| |
| From: Takashi Iwai <tiwai@suse.de> |
| |
| commit dfef01e150824b0e6da750cacda8958188d29aea upstream. |
| |
| snd_dma_alloc_pages_fallback() tries to allocate pages again when the |
| allocation fails with reduced size. But the first try actually |
| *increases* the size to power-of-two, which may give back a larger |
| chunk than the requested size. This confuses the callers, e.g. sgbuf |
| assumes that the size is equal or less, and it may result in a bad |
| loop due to the underflow and eventually lead to Oops. |
| |
| The code of this function seems incorrectly assuming the usage of |
| get_order(). We need to decrease at first, then align to |
| power-of-two. |
| |
| Reported-and-tested-by: he, bo <bo.he@intel.com> |
| Reported-by: zhang jun <jun.zhang@intel.com> |
| Cc: <stable@vger.kernel.org> |
| Signed-off-by: Takashi Iwai <tiwai@suse.de> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| sound/core/memalloc.c | 8 ++------ |
| 1 file changed, 2 insertions(+), 6 deletions(-) |
| |
| --- a/sound/core/memalloc.c |
| +++ b/sound/core/memalloc.c |
| @@ -239,16 +239,12 @@ int snd_dma_alloc_pages_fallback(int typ |
| int err; |
| |
| while ((err = snd_dma_alloc_pages(type, device, size, dmab)) < 0) { |
| - size_t aligned_size; |
| if (err != -ENOMEM) |
| return err; |
| if (size <= PAGE_SIZE) |
| return -ENOMEM; |
| - aligned_size = PAGE_SIZE << get_order(size); |
| - if (size != aligned_size) |
| - size = aligned_size; |
| - else |
| - size >>= 1; |
| + size >>= 1; |
| + size = PAGE_SIZE << get_order(size); |
| } |
| if (! dmab->area) |
| return -ENOMEM; |
