sound: Fix esoteric double free in the dummy sound driver.
[pandora-kernel.git] / sound / drivers / dummy.c
index e008f3c..4f900d8 100644 (file)
@@ -18,7 +18,6 @@
  *
  */
 
-#include <sound/driver.h>
 #include <linux/init.h>
 #include <linux/err.h>
 #include <linux/platform_device.h>
@@ -182,10 +181,10 @@ struct snd_dummy_pcm {
        struct snd_dummy *dummy;
        spinlock_t lock;
        struct timer_list timer;
-       unsigned int pcm_size;
-       unsigned int pcm_count;
+       unsigned int pcm_buffer_size;
+       unsigned int pcm_period_size;
        unsigned int pcm_bps;           /* bytes per second */
-       unsigned int pcm_jiffie;        /* bytes per one jiffie */
+       unsigned int pcm_hz;            /* HZ */
        unsigned int pcm_irq_pos;       /* IRQ position */
        unsigned int pcm_buf_pos;       /* position in buffer */
        struct snd_pcm_substream *substream;
@@ -231,19 +230,24 @@ static int snd_card_dummy_pcm_prepare(struct snd_pcm_substream *substream)
 {
        struct snd_pcm_runtime *runtime = substream->runtime;
        struct snd_dummy_pcm *dpcm = runtime->private_data;
-       unsigned int bps;
+       int bps;
+
+       bps = snd_pcm_format_width(runtime->format) * runtime->rate *
+               runtime->channels / 8;
 
-       bps = runtime->rate * runtime->channels;
-       bps *= snd_pcm_format_width(runtime->format);
-       bps /= 8;
        if (bps <= 0)
                return -EINVAL;
+
        dpcm->pcm_bps = bps;
-       dpcm->pcm_jiffie = bps / HZ;
-       dpcm->pcm_size = snd_pcm_lib_buffer_bytes(substream);
-       dpcm->pcm_count = snd_pcm_lib_period_bytes(substream);
+       dpcm->pcm_hz = HZ;
+       dpcm->pcm_buffer_size = snd_pcm_lib_buffer_bytes(substream);
+       dpcm->pcm_period_size = snd_pcm_lib_period_bytes(substream);
        dpcm->pcm_irq_pos = 0;
        dpcm->pcm_buf_pos = 0;
+
+       snd_pcm_format_set_silence(runtime->format, runtime->dma_area,
+                       bytes_to_samples(runtime, runtime->dma_bytes));
+
        return 0;
 }
 
@@ -255,11 +259,11 @@ static void snd_card_dummy_pcm_timer_function(unsigned long data)
        spin_lock_irqsave(&dpcm->lock, flags);
        dpcm->timer.expires = 1 + jiffies;
        add_timer(&dpcm->timer);
-       dpcm->pcm_irq_pos += dpcm->pcm_jiffie;
-       dpcm->pcm_buf_pos += dpcm->pcm_jiffie;
-       dpcm->pcm_buf_pos %= dpcm->pcm_size;
-       if (dpcm->pcm_irq_pos >= dpcm->pcm_count) {
-               dpcm->pcm_irq_pos %= dpcm->pcm_count;
+       dpcm->pcm_irq_pos += dpcm->pcm_bps;
+       dpcm->pcm_buf_pos += dpcm->pcm_bps;
+       dpcm->pcm_buf_pos %= dpcm->pcm_buffer_size * dpcm->pcm_hz;
+       if (dpcm->pcm_irq_pos >= dpcm->pcm_period_size * dpcm->pcm_hz) {
+               dpcm->pcm_irq_pos %= dpcm->pcm_period_size * dpcm->pcm_hz;
                spin_unlock_irqrestore(&dpcm->lock, flags);
                snd_pcm_period_elapsed(dpcm->substream);
        } else
@@ -271,7 +275,7 @@ static snd_pcm_uframes_t snd_card_dummy_pcm_pointer(struct snd_pcm_substream *su
        struct snd_pcm_runtime *runtime = substream->runtime;
        struct snd_dummy_pcm *dpcm = runtime->private_data;
 
-       return bytes_to_frames(runtime, dpcm->pcm_buf_pos);
+       return bytes_to_frames(runtime, dpcm->pcm_buf_pos / dpcm->pcm_hz);
 }
 
 static struct snd_pcm_hardware snd_card_dummy_playback =
@@ -350,6 +354,7 @@ static int snd_card_dummy_playback_open(struct snd_pcm_substream *substream)
        if ((dpcm = new_pcm_stream(substream)) == NULL)
                return -ENOMEM;
        runtime->private_data = dpcm;
+       /* makes the infrastructure responsible for freeing dpcm */
        runtime->private_free = snd_card_dummy_runtime_free;
        runtime->hw = snd_card_dummy_playback;
        if (substream->pcm->device & 1) {
@@ -358,10 +363,8 @@ static int snd_card_dummy_playback_open(struct snd_pcm_substream *substream)
        }
        if (substream->pcm->device & 2)
                runtime->hw.info &= ~(SNDRV_PCM_INFO_MMAP|SNDRV_PCM_INFO_MMAP_VALID);
-       if ((err = add_playback_constraints(runtime)) < 0) {
-               kfree(dpcm);
+       if ((err = add_playback_constraints(runtime)) < 0)
                return err;
-       }
 
        return 0;
 }
@@ -375,6 +378,7 @@ static int snd_card_dummy_capture_open(struct snd_pcm_substream *substream)
        if ((dpcm = new_pcm_stream(substream)) == NULL)
                return -ENOMEM;
        runtime->private_data = dpcm;
+       /* makes the infrastructure responsible for freeing dpcm */
        runtime->private_free = snd_card_dummy_runtime_free;
        runtime->hw = snd_card_dummy_capture;
        if (substream->pcm->device == 1) {
@@ -383,10 +387,8 @@ static int snd_card_dummy_capture_open(struct snd_pcm_substream *substream)
        }
        if (substream->pcm->device & 2)
                runtime->hw.info &= ~(SNDRV_PCM_INFO_MMAP|SNDRV_PCM_INFO_MMAP_VALID);
-       if ((err = add_capture_constraints(runtime)) < 0) {
-               kfree(dpcm);
+       if ((err = add_capture_constraints(runtime)) < 0)
                return err;
-       }
 
        return 0;
 }
@@ -561,7 +563,8 @@ static int __devinit snd_card_dummy_new_mixer(struct snd_dummy *dummy)
        unsigned int idx;
        int err;
 
-       snd_assert(dummy != NULL, return -EINVAL);
+       if (snd_BUG_ON(!dummy))
+               return -EINVAL;
        spin_lock_init(&dummy->mixer_lock);
        strcpy(card->mixername, "Dummy Mixer");