Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Unverified Commit 3f9414c0 authored by Michael Bestas's avatar Michael Bestas
Browse files

Merge tag 'LA.UM.9.12.r1-15600-SMxx50.0' of... 

Merge tag 'LA.UM.9.12.r1-15600-SMxx50.0' of https://git.codelinaro.org/clo/la/platform/vendor/opensource/audio-kernel into android13-4.19-kona

"LA.UM.9.12.r1-15600-SMxx50.0"

* tag 'LA.UM.9.12.r1-15600-SMxx50.0' of https://git.codelinaro.org/clo/la/platform/vendor/opensource/audio-kernel:
  ASoC: msm-pcm-host-voice: Check validity of session idx
  dsp: q6lsm: Address use after free for mmap handle
  dsp: q6lsm: Add check for payload buffer
  ASoC: Resolve use after free in listen sound client
  ASoC: dsp: q6core: Avoid use after free
  ASoC: msm-pcm-q6-v2: Add dsp buf check
  ASoC: dsp: q6core: Avoid use after free
  ASoC: msm-pcm-host-voice: Address buffer overflow in hpcm copy
  ASoC: msm-pcm-q6-v2: Add dsp buf check
  dsp: q6core: Avoid OOB access in q6core
  ASoC: msm-pcm-host-voice: Handle OOB access in hpcm_start
  dsp: afe: Add check for num_channels
  dsp: asm: validate payload size before access
  dsp: afe: Add check for sidetone iir config copy size
  dsp: q6voice: Add buf size check for cvs cal data
  ASoC: msm-pcm-voip: Avoid interger underflow
  dsp: afe: check for param size before copying
  dsp: q6core: validate payload size before access for AVCS

Change-Id: I586bec33dde9200927e0d6226237aa932a5f7531
parents c96f3c8d 4561ac47

techpack/audio/asoc/msm-lsm-client.c

+6 −0
Original line number Diff line number Diff line
@@ -2112,6 +2112,7 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
	case SNDRV_LSM_GET_MODULE_PARAMS_32: {

		struct lsm_params_get_info_32 p_info_32, *param_info_rsp = NULL;

		struct lsm_params_get_info *p_info = NULL;

		prtd->lsm_client->get_param_payload = NULL;



		memset(&p_info_32, 0 , sizeof(p_info_32));

		if (!prtd->lsm_client->use_topology) {
@@ -2162,6 +2163,7 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
				__func__, err);

			kfree(p_info);

			kfree(prtd->lsm_client->get_param_payload);

			prtd->lsm_client->get_param_payload = NULL;

			goto done;

		}
@@ -2172,6 +2174,7 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
			err = -ENOMEM;

			kfree(p_info);

			kfree(prtd->lsm_client->get_param_payload);

			prtd->lsm_client->get_param_payload = NULL;

			goto done;

		}
@@ -2196,6 +2199,7 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
		kfree(p_info);

		kfree(param_info_rsp);

		kfree(prtd->lsm_client->get_param_payload);

		prtd->lsm_client->get_param_payload = NULL;

		break;

	}

	case SNDRV_LSM_REG_SND_MODEL_V2:
@@ -2407,6 +2411,7 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, 


	case SNDRV_LSM_GET_MODULE_PARAMS: {

		struct lsm_params_get_info temp_p_info, *p_info = NULL;

		prtd->lsm_client->get_param_payload = NULL;



		memset(&temp_p_info, 0, sizeof(temp_p_info));

		if (!prtd->lsm_client->use_topology) {
@@ -2478,6 +2483,7 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, 
free:

		kfree(p_info);

		kfree(prtd->lsm_client->get_param_payload);

		prtd->lsm_client->get_param_payload = NULL;

		break;

	}

	case SNDRV_LSM_EVENT_STATUS:

techpack/audio/asoc/msm-pcm-host-voice-v2.c

+25 −0
Original line number Diff line number Diff line 
// SPDX-License-Identifier: GPL-2.0-only

/* Copyright (c) 2013-2019, The Linux Foundation. All rights reserved.

 * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.

 */



#include <linux/init.h>
@@ -626,6 +627,12 @@ static int hpcm_start_vocpcm(char *pcm_id, struct hpcm_drv *prtd, 
		}

	}



	if (*no_of_tp != no_of_tp_req && *no_of_tp > 2) {

		pr_err("%s:: Invalid hpcm start request\n", __func__);

		memset(&prtd->start_cmd, 0, sizeof(struct start_cmd));

		return -EINVAL;

	}



	if ((prtd->mixer_conf.tx.enable || prtd->mixer_conf.rx.enable) &&

	    *no_of_tp == no_of_tp_req) {

		voc_send_cvp_start_vocpcm(voc_get_session_id(sess_name),
@@ -656,6 +663,11 @@ static void hpcm_copy_playback_data_from_queue(struct dai_data *dai_data, 
				struct hpcm_buf_node, list);

		list_del(&buf_node->list);

		*len = buf_node->frame.len;

		if (*len > HPCM_MAX_VOC_PKT_SIZE) {

			pr_err("%s: Playback data len %d overflow\n",

					__func__, *len);

			return;

		}

		memcpy((u8 *)dai_data->vocpcm_ion_buffer.kvaddr,

		       &buf_node->frame.voc_pkt[0],

		       buf_node->frame.len);
@@ -683,6 +695,12 @@ static void hpcm_copy_capture_data_to_queue(struct dai_data *dai_data, 
	if (dai_data->substream == NULL)

		return;



	if (len > HPCM_MAX_VOC_PKT_SIZE) {

		pr_err("%s: Copy capture data len %d overflow\n",

			__func__, len);

		return;

	}



	/* Copy out buffer packet into free_queue */

	spin_lock_irqsave(&dai_data->dsp_lock, dsp_flags);
@@ -725,6 +743,13 @@ void hpcm_notify_evt_processing(uint8_t *data, char *session, 
		return;

	}



	if (prtd->mixer_conf.sess_indx < VOICE_INDEX ||

		prtd->mixer_conf.sess_indx >= MAX_SESSION) {

		pr_err("%s:: Invalid session idx %d\n",

			__func__, prtd->mixer_conf.sess_indx);

		return;

	}



	if (notify_evt->tap_point == VSS_IVPCM_TAP_POINT_TX_DEFAULT) {

		tp = &prtd->session[prtd->mixer_conf.sess_indx].tx_tap_point;

		tmd = &prtd->mixer_conf.tx;

techpack/audio/asoc/msm-pcm-q6-v2.c

+1 −1
Original line number Diff line number Diff line
@@ -1016,7 +1016,7 @@ static int msm_pcm_capture_copy(struct snd_pcm_substream *substream, 
			goto fail;

		}



		if (size == 0 || size < prtd->pcm_count) {

		if ((size == 0 || size < prtd->pcm_count) && ((offset + size) < prtd->pcm_count)) {

			memset(bufptr + offset + size, 0, prtd->pcm_count - size);

			if (fbytes > prtd->pcm_count)

				size = xfer = prtd->pcm_count;

techpack/audio/dsp/q6afe.c

+11 −0
Original line number Diff line number Diff line
@@ -1288,6 +1288,9 @@ static int32_t afe_callback(struct apr_client_data *data, void *priv) 
				    sizeof(struct afe_port_mod_evt_rsp_hdr));

				uint32_t *dc_presence_flag = num_channels + 1;



				if (*num_channels < 1 || *num_channels > 4)

					return -EINVAL;



				for (i = 0; i < *num_channels; i++) {

					if (dc_presence_flag[i] == 1)

						dc_detected = true;
@@ -8050,6 +8053,14 @@ static int afe_sidetone_iir(u16 tx_port_id) 
		pr_debug("%s: adding 2 to size:%d\n", __func__, size);

		size = size + 2;

	}



	if (size > MAX_SIDETONE_IIR_DATA_SIZE) {

		pr_err("%s: iir_config size is out of bounds:%d\n", __func__, size);

		mutex_unlock(&this_afe.cal_data[cal_index]->lock);

		ret = -EINVAL;

		goto done;

	}



	memcpy(&filter_data.iir_config, &st_iir_cal_info->iir_config, size);

	mutex_unlock(&this_afe.cal_data[cal_index]->lock);

techpack/audio/dsp/q6asm.c

+10 −0
Original line number Diff line number Diff line 
// SPDX-License-Identifier: GPL-2.0-only

/*

 * Copyright (c) 2012-2020, The Linux Foundation. All rights reserved.

 * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.

 * Author: Brian Swetland <swetland@google.com>

 *

 * This software is licensed under the terms of the GNU General Public
@@ -2289,6 +2290,15 @@ static int32_t q6asm_callback(struct apr_client_data *data, void *priv) 


		config_debug_fs_read_cb();



		if (data->payload_size != (READDONE_IDX_SEQ_ID + 1) * sizeof(uint32_t)) {

			pr_err("%s:  payload size of %d is less than expected %d.\n",

					__func__, data->payload_size,

					((READDONE_IDX_SEQ_ID + 1) * sizeof(uint32_t)));

			spin_unlock_irqrestore(

				&(session[session_id].session_lock),

				flags);

			return -EINVAL;

		}

		dev_vdbg(ac->dev, "%s: ReadDone: status=%d buff_add=0x%x act_size=%d offset=%d\n",

				__func__, payload[READDONE_IDX_STATUS],

				payload[READDONE_IDX_BUFADD_LSW],