From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-dl1-f51.google.com (mail-dl1-f51.google.com [74.125.82.51])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id AFFB426B0A9
	for <linux-kernel@vger.kernel.org>; Mon, 11 May 2026 04:36:47 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=74.125.82.51
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1778474208; cv=none; b=DBdcZRAoUpizmbjo4ToOFIm6P6PQTVjIzts+bqD0XvJEgoQDehMqm/OrZCqiEJfefKS4a3phkXr8jioPMT3IRAYlpS6fZJq/cIxyxWpi4iAl0RNUKcDBqDKbsK8PaPBOENRhYrBs7ocZIYYxfZCVeWeC5+dags7ePxlQsXnWqt0=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1778474208; c=relaxed/simple;
	bh=xz4Q2/bvZnl47FmwyqOLbYEmF0mtTjZCnGvYrSSP7PI=;
	h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:To:Cc; b=q+LRK2WqA2Cip0LoAGdAB354O17a3GSRmDO8OC6MV9hJRS0igOiIZd0NTYda0zJZ3lC1Q4Jd+7GF7eSmCL/CBa8ba38aTOTbebz40ftY4Xn7cQ+vIq3W1CPfeZ0uGCaf1tF+EtB+2Qa+HnQyc246WGGGiewt21lf2Vwho0bY0Uc=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=pgciqqKi; arc=none smtp.client-ip=74.125.82.51
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="pgciqqKi"
Received: by mail-dl1-f51.google.com with SMTP id a92af1059eb24-130b2295ed0so10833543c88.0
        for <linux-kernel@vger.kernel.org>; Sun, 10 May 2026 21:36:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1778474207; x=1779079007; darn=vger.kernel.org;
        h=cc:to:message-id:content-transfer-encoding:mime-version:subject
         :date:from:from:to:cc:subject:date:message-id:reply-to;
        bh=ZNmK8eiOPDvhAT6YZbtLUE/AFt3/E5twms2XcUfuzaE=;
        b=pgciqqKin6UtQWqck1Jh7ycyPoC+R+U+xeFNYyvVYotk2JBrrbz9Vr7S5Vz0tjsLcN
         Tp13d8BnHNs4WhFVW5vmnG1ogCxgb6BLbbZdlpmbu72GhPLg9O5P+1ktFwbFGQoaA53q
         IDTLn4rEcSkBqp31E2Ek749Pvmdogq5aZPVKHnN8rCARFThJGOcJZrxmNOQdoZipz3Yu
         /LxFzLkV5hjD4NOkl7CAY9uNico4hmLnpNUBSekiQ+n/STXP8/vBMPvK9NZyIZwjmN7+
         XG4QOO3Y1iq2+y8MkdAdAZh0YMUg04M9lV6VGjI+/UMXH1XmcJY5EpF6mZ9znYCh7KdO
         N4Hg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1778474207; x=1779079007;
        h=cc:to:message-id:content-transfer-encoding:mime-version:subject
         :date:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=ZNmK8eiOPDvhAT6YZbtLUE/AFt3/E5twms2XcUfuzaE=;
        b=U8tkEOTnzhAwHGLTVAnWhfiUwDGX54OGJPAb3+eGCq5F6P8+7QxZDI90eoP2Q48CtQ
         MPQ8zlzVs7Z4YABoq6k3vNTfHFetI5e7oj7wUpWcYI3IU8Mx/43+Qao7yL0JY6hzVkQJ
         jeVolnl2le+4fX04Mmoo1CTbkrReKeRh9gMzckj5hDJbIVCDQp+tA0IzVGOkeP0U2WYw
         TP3InHUvbgz0K+sndoMT/weMtyPDsWnmyqk0JR6+/ANf3rAkNVmN/N802pX1md9rFwTG
         ceZ+BIBhcj8MppZx9IzytZx6uCLV15ygnGi8tp/6R5jdGQonCnzl5qXVaKfiRcRJCi2o
         m2rA==
X-Forwarded-Encrypted: i=1; AFNElJ/6AQJWf8YnyQvigRkXkOa3BZFZRP44EZcg6vNdvlAPPH64Yw2h4XycNOcpMw3Lv6/+1wLmYjRo/XKkXgE=@vger.kernel.org
X-Gm-Message-State: AOJu0Yzo0pmZmT9CeMgKN6Hr6h9m+jrdQjJPIU/It/LMK6u3vdiNrlUl
	kpXBgLFUsZgDfHiwjKXZ64MZgmVl4UQc1xMOspFlfbc1pHk6FbK6Ww+nDPoGnMQk
X-Gm-Gg: Acq92OEJGRNY4A7AxvKPFp71ux9LgSbR4RBX5t4yiLDQEm/wiDIoYeao+GtDHQF8gCD
	UdZViD1YnfCg8kmPKl09ML3Vgk6cORFuQRwzU2X2rx2bXd7Ya72Rx2EHHnsRj1tHKRHxWQzuvW4
	UZfDootQXRjlHwZYuMCBHTaKgh8DDx5RvejDY27he0S4kRP0cpGEvwTKlCDmnQDW5Rnh3KiNVLD
	BCriNNcEjchKj4YVOMnr15tWMwoQe6pJxzorHe0VSc2UKIPXM55e+pudZ23FYuvB9Pn+QiSrLmy
	BtYrx5OCAc0U2U83YippyLIR2EDpyV1OVRa9nvPoHqcfRc8duhc+fVZ66tgeBtgd3rebSIGHwp6
	Dz8V/UtxxATkhz5bKddxKBRp8LpWGn6gRJQfPUjJVxjzPpRpSlKfitsx1mQbsD3aBT804J5ZtlK
	p4e/qHzEnm6f7Z+mLFom8pFhKlHIZSB2JYEG6PLSh9to3997dmGuJriEEDn9IlBg06lCy71jp2G
	w==
X-Received: by 2002:a05:7022:3d05:b0:11a:4016:44a5 with SMTP id a92af1059eb24-1318e917705mr10856939c88.24.1778474206475;
        Sun, 10 May 2026 21:36:46 -0700 (PDT)
Received: from [192.168.1.18] (177-4-161-87.user3p.v-tal.net.br. [177.4.161.87])
        by smtp.gmail.com with ESMTPSA id a92af1059eb24-1327865700asm12975784c88.9.2026.05.10.21.36.43
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 10 May 2026 21:36:45 -0700 (PDT)
From: =?utf-8?q?C=C3=A1ssio_Gabriel?= <cassiogabrielcontato@gmail.com>
Date: Mon, 11 May 2026 01:36:37 -0300
Subject: [PATCH RESEND] ALSA: usb-audio: qcom: Check offload mapping
 failures
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Message-Id: <20260511-alsa-usb-qcom-offload-map-errors-v1-1-6502695e58bc@gmail.com>
To: Takashi Iwai <tiwai@suse.com>, 
 Greg Kroah-Hartman <gregkh@linuxfoundation.org>, 
 Mark Brown <broonie@kernel.org>, Wesley Cheng <quic_wcheng@quicinc.com>, 
 Arnd Bergmann <arnd@arndb.de>, Jaroslav Kysela <perex@perex.cz>
Cc: linux-sound@vger.kernel.org, linux-kernel@vger.kernel.org, 
 stable@vger.kernel.org, 
 =?utf-8?q?C=C3=A1ssio_Gabriel?= <cassiogabrielcontato@gmail.com>
X-Mailer: b4 0.15.2
X-Developer-Signature: v=1; a=openpgp-sha256; l=3654;
 i=cassiogabrielcontato@gmail.com; h=from:subject:message-id;
 bh=xz4Q2/bvZnl47FmwyqOLbYEmF0mtTjZCnGvYrSSP7PI=;
 b=owGbwMvMwCV2IdZeKur/u2bG02pJDFmMMbe8jqiunxW+xvtLrMf7O23v5Kw3BdZIFxsm77+0b
 aLxwtbOjlIWBjEuBlkxRZbVSYss93Q9uFoft8IDZg4rE8gQBi5OAZjIZCFGhtuX84Vj9kRL8Bd8
 LxDb5Sv6bumK9celLG0CVW7fbylVVmX475r18NtVoaBph2qcd6g03Wi7YBG3/+KiuTPfGb39z5K
 0iw0A
X-Developer-Key: i=cassiogabrielcontato@gmail.com; a=openpgp;
 fpr=AB62A239BC8AE0D57F5EA848D05D3F1A5AFFEE83

uaudio_transfer_buffer_setup() calls dma_get_sgtable() and then passes
the sg_table to uaudio_iommu_map_xfer_buf() without checking whether sg
table construction succeeded. If dma_get_sgtable() fails, the sg_table
contents are not valid.

uaudio_iommu_map_pa() also ignores iommu_map() failures for the event and
transfer rings and still returns the allocated IOVA to the QMI response.
That can expose an unmapped IOVA to the audio DSP. For transfer rings,
the failed mapping also leaves the IOVA allocator state marked in use.

Check both operations. Free the coherent transfer buffer when sg table
construction fails, free the sg table when transfer-buffer IOMMU mapping
fails, and release the transfer-ring IOVA if iommu_map() fails. Also
return the existing event-ring IOVA when the event ring is already mapped,
matching the pre-split helper behavior.

Fixes: 326bbc348298 ("ALSA: usb-audio: qcom: Introduce QC USB SND offloading support")
Fixes: 44499ecb4f28 ("ALSA: usb: qcom: Fix false-positive address space check")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
---
 sound/usb/qcom/qc_audio_offload.c | 31 +++++++++++++++++++++++++------
 1 file changed, 25 insertions(+), 6 deletions(-)

diff --git a/sound/usb/qcom/qc_audio_offload.c b/sound/usb/qcom/qc_audio_offload.c
index 5f993b88448c..a0009503b2c5 100644
--- a/sound/usb/qcom/qc_audio_offload.c
+++ b/sound/usb/qcom/qc_audio_offload.c
@@ -565,6 +565,7 @@ static unsigned long uaudio_iommu_map_pa(enum mem_type mtype, bool dma_coherent,
 	unsigned long iova = 0;
 	bool map = true;
 	int prot = uaudio_iommu_map_prot(dma_coherent);
+	int ret;
 
 	switch (mtype) {
 	case MEM_EVENT_RING:
@@ -582,10 +583,24 @@ static unsigned long uaudio_iommu_map_pa(enum mem_type mtype, bool dma_coherent,
 		dev_err(uaudio_qdev->data->dev, "unknown mem type %d\n", mtype);
 	}
 
-	if (!iova || !map)
+	if (!iova)
 		return 0;
 
-	iommu_map(uaudio_qdev->data->domain, iova, pa, size, prot, GFP_KERNEL);
+	if (!map)
+		return iova;
+
+	ret = iommu_map(uaudio_qdev->data->domain, iova, pa, size, prot,
+			GFP_KERNEL);
+	if (ret) {
+		dev_err(uaudio_qdev->data->dev,
+			"failed to map %zu bytes at iova 0x%08lx: %d\n",
+			size, iova, ret);
+		if (mtype == MEM_XFER_RING)
+			uaudio_put_iova(iova, size,
+					&uaudio_qdev->xfer_ring_list,
+					&uaudio_qdev->xfer_ring_iova_size);
+		return 0;
+	}
 
 	return iova;
 }
@@ -1054,15 +1069,17 @@ static int uaudio_transfer_buffer_setup(struct snd_usb_substream *subs,
 	if (!xfer_buf)
 		return -ENOMEM;
 
-	dma_get_sgtable(subs->dev->bus->sysdev, &xfer_buf_sgt, xfer_buf,
-			xfer_buf_dma, len);
+	ret = dma_get_sgtable(subs->dev->bus->sysdev, &xfer_buf_sgt, xfer_buf,
+			      xfer_buf_dma, len);
+	if (ret)
+		goto free_xfer_buf;
 
 	/* map the physical buffer into sysdev as well */
 	xfer_buf_dma_sysdev = uaudio_iommu_map_xfer_buf(dma_coherent,
 							len, &xfer_buf_sgt);
 	if (!xfer_buf_dma_sysdev) {
 		ret = -ENOMEM;
-		goto unmap_sync;
+		goto free_sgt;
 	}
 
 	mem_info->dma = xfer_buf_dma;
@@ -1073,7 +1090,9 @@ static int uaudio_transfer_buffer_setup(struct snd_usb_substream *subs,
 
 	return 0;
 
-unmap_sync:
+free_sgt:
+	sg_free_table(&xfer_buf_sgt);
+free_xfer_buf:
 	usb_free_coherent(subs->dev, len, xfer_buf, xfer_buf_dma);
 
 	return ret;

---
base-commit: ab4a88fdef2813446e3af179a708d024622ff4fa
change-id: 20260422-alsa-usb-qcom-offload-map-errors-ddbb6dbf758a

Best regards,
--
Cássio Gabriel <cassiogabrielcontato@gmail.com>
-- 
Cássio Gabriel <cassiogabrielcontato@gmail.com>