Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Unverified Commit 78c145b6 authored by Michael Bestas's avatar Michael Bestas
Browse files

Merge tag 'LA.UM.9.12.r1-15500-SMxx50.QSSI13.0' of... 

Merge tag 'LA.UM.9.12.r1-15500-SMxx50.QSSI13.0' of https://git.codelinaro.org/clo/la/platform/vendor/opensource/audio-kernel into android13-4.19-kona

"LA.UM.9.12.r1-15500-SMxx50.QSSI13.0"

* tag 'LA.UM.9.12.r1-15500-SMxx50.QSSI13.0' of https://git.codelinaro.org/clo/la/platform/vendor/opensource/audio-kernel:
  ASoC: msm-pcm-voip: Avoid interger underflow
  dsp: afe: check for param size before copying
  dsp: q6core: validate payload size before access for AVCS

 Conflicts:
	techpack/audio/dsp/q6afe.c
	techpack/audio/dsp/q6core.c

Change-Id: I652a534f1fc03ebb9f912a9400eed83bc2abf49a
parents 1a352c10 3589efc7

techpack/audio/asoc/msm-pcm-voip-v2.c

+29 −0
Original line number Diff line number Diff line 
// SPDX-License-Identifier: GPL-2.0-only

/* Copyright (c) 2012-2019, The Linux Foundation. All rights reserved.

 * Copyright (c) 2023, Qualcomm Innovation Center, Inc. All rights reserved.

 */



#include <linux/init.h>
@@ -365,6 +366,13 @@ static void voip_process_ul_pkt(uint8_t *voc_pkt, 
		switch (prtd->mode) {

		case MODE_AMR_WB:

		case MODE_AMR: {

			if (pkt_len <= DSP_FRAME_HDR_LEN) {

				pr_err("%s: pkt_len %d is < required len\n",

						__func__, pkt_len);

				spin_unlock_irqrestore(&prtd->dsp_ul_lock,

							dsp_flags);

				return;

			}

			/* Remove the DSP frame info header. Header format:

			 * Bits 0-3: Frame rate

			 * Bits 4-7: Frame type
@@ -385,6 +393,13 @@ static void voip_process_ul_pkt(uint8_t *voc_pkt, 
		case MODE_4GV_NB:

		case MODE_4GV_WB:

		case MODE_4GV_NW: {

			if (pkt_len <= DSP_FRAME_HDR_LEN) {

				pr_err("%s: pkt_len %d is < required len\n",

						__func__, pkt_len);

				spin_unlock_irqrestore(&prtd->dsp_ul_lock,

							dsp_flags);

				return;

			}

			/* Remove the DSP frame info header.

			 * Header format:

			 * Bits 0-3: frame rate
@@ -422,6 +437,13 @@ static void voip_process_ul_pkt(uint8_t *voc_pkt, 
			buf_node->frame.frm_hdr.timestamp = timestamp;

			voc_pkt = voc_pkt + DSP_FRAME_HDR_LEN;



			if (pkt_len <= 2 * DSP_FRAME_HDR_LEN) {

				pr_err("%s: pkt_len %d is < required len\n",

						__func__, pkt_len);

				spin_unlock_irqrestore(&prtd->dsp_ul_lock,

							dsp_flags);

				return;

			}

			/* There are two frames in the buffer. Length of the

			 * first frame:

			 */
@@ -457,6 +479,13 @@ static void voip_process_ul_pkt(uint8_t *voc_pkt, 
				buf_node->frame.frm_hdr.timestamp = timestamp;

				voc_pkt = voc_pkt + DSP_FRAME_HDR_LEN;



				if (pkt_len <= 2 * DSP_FRAME_HDR_LEN) {

					pr_err("%s: pkt_len %d is < required len\n",

							__func__, pkt_len);

					spin_unlock_irqrestore(&prtd->dsp_ul_lock,

								dsp_flags);

					return;

				}

				/* There are two frames in the buffer. Length

				 * of the second frame:

				 */

techpack/audio/dsp/q6afe.c

+79 −0
Original line number Diff line number Diff line 
// SPDX-License-Identifier: GPL-2.0-only

/* Copyright (c) 2012-2021, The Linux Foundation. All rights reserved.

 * Copyright (c) 2023, Qualcomm Innovation Center, Inc. All rights reserved.

 */

#include <linux/slab.h>

#include <linux/debugfs.h>
@@ -751,32 +752,74 @@ static int32_t sp_make_afe_callback(uint32_t opcode, uint32_t *payload, 
	switch (param_hdr.param_id) {

	case AFE_PARAM_ID_CALIB_RES_CFG_V2:

		expected_size += sizeof(struct asm_calib_res_cfg);

		if (param_hdr.param_size != sizeof(struct asm_calib_res_cfg)) {

			pr_err("%s: Error: param_size %d is greater than expected\n",

				__func__,param_hdr.param_size);

			return -EINVAL;

		}

		data_dest = (u32 *) &this_afe.calib_data;

		break;

	case AFE_PARAM_ID_SP_V2_TH_VI_FTM_PARAMS:

		expected_size += sizeof(struct afe_sp_th_vi_ftm_params);

		if (param_hdr.param_size != sizeof(struct afe_sp_th_vi_ftm_params)) {

			pr_err("%s: Error: param_size %d is greater than expected\n",

				__func__,param_hdr.param_size);

			return -EINVAL;

		}

		data_dest = (u32 *) &this_afe.th_vi_resp;

		break;

	case AFE_PARAM_ID_SP_V2_TH_VI_V_VALI_PARAMS:

		expected_size += sizeof(struct afe_sp_th_vi_v_vali_params);

		if (param_hdr.param_size != sizeof(struct afe_sp_th_vi_v_vali_params)) {

			pr_err("%s: Error: param_size %d is greater than expected\n",

				__func__,param_hdr.param_size);

			return -EINVAL;

		}

		data_dest = (u32 *) &this_afe.th_vi_v_vali_resp;

		break;

	case AFE_PARAM_ID_SP_V2_EX_VI_FTM_PARAMS:

		expected_size += sizeof(struct afe_sp_ex_vi_ftm_params);

		if (param_hdr.param_size != sizeof(struct afe_sp_ex_vi_ftm_params)) {

			pr_err("%s: Error: param_size %d is greater than expected\n",

				__func__,param_hdr.param_size);

			return -EINVAL;

		}

		data_dest = (u32 *) &this_afe.ex_vi_resp;

		break;

	case AFE_PARAM_ID_SP_RX_TMAX_XMAX_LOGGING:

		expected_size += sizeof(

				struct afe_sp_rx_tmax_xmax_logging_param);

		if (param_hdr.param_size != sizeof(struct afe_sp_rx_tmax_xmax_logging_param)) {

			pr_err("%s: Error: param_size %d is greater than expected\n",

				__func__,param_hdr.param_size);

			return -EINVAL;

		}

		data_dest = (u32 *) &this_afe.xt_logging_resp;

		break;

	case AFE_PARAM_ID_SP_V4_CALIB_RES_CFG:

		expected_size += sizeof(

				struct afe_sp_v4_param_th_vi_calib_res_cfg);

		if (param_hdr.param_size != sizeof(

				struct afe_sp_v4_param_th_vi_calib_res_cfg)) {

			pr_err("%s: Error: param_size %d is greater than expected\n",

				__func__,param_hdr.param_size);

			return -EINVAL;

		}

		data_dest = (u32 *) &this_afe.spv4_calib_data;

		break;

	case AFE_PARAM_ID_SP_V4_TH_VI_FTM_PARAMS:

		num_ch = data_start[0];

		if (num_ch > SP_V2_NUM_MAX_SPKRS) {

			pr_err("%s: Error: num_ch %d is greater than expected\n",

				__func__,num_ch);

			return -EINVAL;

		}

		if (param_hdr.param_size != (sizeof(struct afe_sp_v4_param_th_vi_ftm_params) +

			(num_ch * sizeof(struct afe_sp_v4_channel_ftm_params)))) {

			pr_err("%s: Error: param_size %d is greater than expected\n",

				__func__,param_hdr.param_size);

			return -EINVAL;

		}

		this_afe.spv4_th_vi_ftm_rcvd_param_size = param_hdr.param_size;

		data_dest = (u32 *)&this_afe.spv4_th_vi_ftm_resp;

		expected_size +=
@@ -785,6 +828,18 @@ static int32_t sp_make_afe_callback(uint32_t opcode, uint32_t *payload, 
		break;

	case AFE_PARAM_ID_SP_V4_TH_VI_V_VALI_PARAMS:

		num_ch = data_start[0];

		if (num_ch > SP_V2_NUM_MAX_SPKRS) {

			pr_err("%s: Error: num_ch %d is greater than expected\n",

				__func__,num_ch);

			return -EINVAL;

		}

		if (param_hdr.param_size != (sizeof(struct afe_sp_v4_param_th_vi_v_vali_params) +

				(num_ch *

				sizeof(struct afe_sp_v4_channel_v_vali_params)))) {

			pr_err("%s: Error: param_size %d is greater than expected\n",

				__func__,param_hdr.param_size);

			return -EINVAL;

		}

		this_afe.spv4_v_vali_rcvd_param_size = param_hdr.param_size;

		data_dest = (u32 *)&this_afe.spv4_v_vali_resp;

		expected_size +=
@@ -794,6 +849,18 @@ static int32_t sp_make_afe_callback(uint32_t opcode, uint32_t *payload, 
		break;

	case AFE_PARAM_ID_SP_V4_EX_VI_FTM_PARAMS:

		num_ch = data_start[0];

		if (num_ch > SP_V2_NUM_MAX_SPKRS) {

			pr_err("%s: Error: num_ch %d is greater than expected\n",

				__func__,num_ch);

			return -EINVAL;

		}

		if (param_hdr.param_size !=  (sizeof(struct afe_sp_v4_param_ex_vi_ftm_params) +

				(num_ch *

				sizeof(struct afe_sp_v4_channel_ex_vi_ftm_params)))) {

			pr_err("%s: Error: param_size %d is greater than expected\n",

				__func__,param_hdr.param_size);

			return -EINVAL;

		}

		this_afe.spv4_ex_vi_ftm_rcvd_param_size = param_hdr.param_size;

		data_dest = (u32 *)&this_afe.spv4_ex_vi_ftm_resp;

		expected_size +=
@@ -802,6 +869,18 @@ static int32_t sp_make_afe_callback(uint32_t opcode, uint32_t *payload, 
		break;

	case AFE_PARAM_ID_SP_V4_RX_TMAX_XMAX_LOGGING:

		num_ch = data_start[0];

		if (num_ch > SP_V2_NUM_MAX_SPKRS) {

			pr_err("%s: Error: num_ch %d is greater than expected\n",

				__func__,num_ch);

			return -EINVAL;

		}

		if (param_hdr.param_size != (sizeof(struct afe_sp_v4_param_tmax_xmax_logging) +

				(num_ch *

				sizeof(struct afe_sp_v4_channel_tmax_xmax_params)))) {

			pr_err("%s: Error: param_size %d is greater than expected\n",

				__func__,param_hdr.param_size);

			return -EINVAL;

		}

		this_afe.spv4_max_log_rcvd_param_size = param_hdr.param_size;

		data_dest = (u32 *)&this_afe.spv4_max_log_resp;

		expected_size +=

techpack/audio/dsp/q6core.c

+9 −0
Original line number Diff line number Diff line 
// SPDX-License-Identifier: GPL-2.0-only

/*

 * Copyright (c) 2012-2021, The Linux Foundation. All rights reserved.

 * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.

 */



#include <linux/kernel.h>
@@ -474,6 +475,12 @@ static int32_t aprv2_core_fn_q(struct apr_client_data *data, void *priv) 
	case AVCS_CMD_RSP_LOAD_MODULES:

		pr_debug("%s: Received AVCS_CMD_RSP_LOAD_MODULES\n",

			 __func__);

		if (data->payload_size != ((sizeof(struct avcs_load_unload_modules_sec_payload)

			* rsp_payload->num_modules) + sizeof(uint32_t))) {

			pr_err("%s: payload size greater than expected size %d\n",

				__func__,data->payload_size);

			return -EINVAL;

		}

		memcpy(rsp_payload, data->payload, data->payload_size);

		q6core_lcl.avcs_module_resp_received = 1;

		wake_up(&q6core_lcl.avcs_module_load_unload_wait);
@@ -1036,6 +1043,8 @@ int32_t q6core_avcs_load_unload_modules(struct avcs_load_unload_modules_payload 
		return -ENOMEM;

	}



	rsp_payload->num_modules = num_modules;



	memcpy((uint8_t *)mod + sizeof(struct apr_hdr) +

		sizeof(struct avcs_load_unload_modules_meminfo),

		payload, payload_size);