Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c7b180ec authored Nov 13, 2018 by Meng Wang Committed by Gerrit - the friendly Code Review server Dec 06, 2018

asoc: Avoid usage of variable length array



chmap in msm_lsm_check_and_set_lab_controls, data in
wcd9xxx_i2c_write_device and irq_level in wcd9xxx_irq_init
are Variable Length Array (VLA). VLAs are considered unfit
when it comes to security, performance, code quality and so
on. Hence, allocate the memory dynamically.

Change-Id: I52f33e61f857a00774eb26dc1d6372f2ed3d425c
Signed-off-by: Meng Wang <mengw@codeaurora.org>

parent 61af6849

asoc/codecs/wcd9xxx-core.c

+10 −3

Original line number	Diff line number	Diff line
		@@ -844,7 +844,7 @@ static int wcd9xxx_i2c_write_device(struct wcd9xxx wcd9xxx, u16 reg, u8 value,
		struct i2c_msg *msg;
		int ret = 0;
		u8 reg_addr = 0;
		u8 data[bytes + 1];
		u8 *data = NULL;
		struct wcd9xxx_i2c *wcd9xxx_i2c;

		wcd9xxx_i2c = wcd9xxx_i2c_get_device_info(wcd9xxx, reg);
		@@ -852,6 +852,11 @@ static int wcd9xxx_i2c_write_device(struct wcd9xxx wcd9xxx, u16 reg, u8 value,
		pr_err("failed to get device info\n");
		return -ENODEV;
		}

		data = kzalloc(bytes + 1, GFP_KERNEL);
		if (!data)
		return -ENOMEM;

		reg_addr = (u8)reg;
		msg = &wcd9xxx_i2c->xfer_msg[0];
		msg->addr = wcd9xxx_i2c->client->addr;
		@@ -868,11 +873,13 @@ static int wcd9xxx_i2c_write_device(struct wcd9xxx wcd9xxx, u16 reg, u8 value,
		wcd9xxx_i2c->xfer_msg, 1);
		if (ret != 1) {
		pr_err("failed to write the device\n");
		return ret;
		goto fail;
		}
		}
		pr_debug("write success register = %x val = %x\n", reg, data[1]);
		return 0;
		fail:
		kfree(data);
		return ret;
		}

asoc/codecs/wcd9xxx-irq.c

+11 −6

Original line number	Diff line number	Diff line
		// SPDX-License-Identifier: GPL-2.0
		/* Copyright (c) 2011-2017, The Linux Foundation. All rights reserved.
		/* Copyright (c) 2011-2018, The Linux Foundation. All rights reserved.
		*/
		#include <linux/bitops.h>
		#include <linux/kernel.h>
		@@ -525,7 +525,7 @@ static int wcd9xxx_irq_setup_downstream_irq(
		int wcd9xxx_irq_init(struct wcd9xxx_core_resource *wcd9xxx_res)
		{
		int i, ret;
		u8 irq_level[wcd9xxx_res->num_irq_regs];
		u8 *irq_level = NULL;
		struct irq_domain *domain;
		struct device_node *pnode;

		@@ -555,9 +555,7 @@ int wcd9xxx_irq_init(struct wcd9xxx_core_resource *wcd9xxx_res)
		ret = wcd9xxx_irq_setup_downstream_irq(wcd9xxx_res);
		if (ret) {
		pr_err("%s: Failed to setup downstream IRQ\n", __func__);
		wcd9xxx_irq_put_upstream_irq(wcd9xxx_res);
		mutex_destroy(&wcd9xxx_res->irq_lock);
		mutex_destroy(&wcd9xxx_res->nested_irq_lock);
		goto fail_irq_level;
		return ret;
		}

		@@ -565,7 +563,11 @@ int wcd9xxx_irq_init(struct wcd9xxx_core_resource *wcd9xxx_res)
		wcd9xxx_res->irq_level_high[0] = true;

		/* mask all the interrupts */
		memset(irq_level, 0, wcd9xxx_res->num_irq_regs);
		irq_level = kzalloc(wcd9xxx_res->num_irq_regs, GFP_KERNEL);
		if (!irq_level) {
		ret = -ENOMEM;
		goto fail_irq_level;
		}
		for (i = 0; i < wcd9xxx_res->num_irqs; i++) {
		wcd9xxx_res->irq_masks_cur[BIT_BYTE(i)] \|= BYTE_BIT_MASK(i);
		wcd9xxx_res->irq_masks_cache[BIT_BYTE(i)] \|= BYTE_BIT_MASK(i);
		@@ -610,11 +612,14 @@ int wcd9xxx_irq_init(struct wcd9xxx_core_resource *wcd9xxx_res)
		if (ret)
		goto fail_irq_init;

		kfree(irq_level);
		return ret;

		fail_irq_init:
		dev_err(wcd9xxx_res->dev,
		"%s: Failed to init wcd9xxx irq\n", __func__);
		kfree(irq_level);
		fail_irq_level:
		wcd9xxx_irq_put_upstream_irq(wcd9xxx_res);
		mutex_destroy(&wcd9xxx_res->irq_lock);
		mutex_destroy(&wcd9xxx_res->nested_irq_lock);

asoc/msm-lsm-client.c

+9 −4

Original line number	Diff line number	Diff line
		@@ -729,7 +729,7 @@ static int msm_lsm_check_and_set_lab_controls(struct snd_pcm_substream *substrea
		struct lsm_priv *prtd = runtime->private_data;
		struct snd_soc_pcm_runtime *rtd = substream->private_data;
		struct lsm_hw_params *out_hw_params = &prtd->lsm_client->out_hw_params;
		u8 chmap[out_hw_params->num_chs];
		u8 *chmap = NULL;
		u32 ch_idx;
		int rc = 0, stage_idx = p_info->stage_idx;

		@@ -740,11 +740,15 @@ static int msm_lsm_check_and_set_lab_controls(struct snd_pcm_substream *substrea
		return rc;
		}

		chmap = kzalloc(out_hw_params->num_chs, GFP_KERNEL);
		if (!chmap)
		return -ENOMEM;

		rc = q6lsm_lab_control(prtd->lsm_client, enable, p_info);
		if (rc) {
		dev_err(rtd->dev, "%s: Failed to set lab_control param, err = %d\n",
		__func__, rc);
		return rc;
		goto fail;
		} else {
		if (LSM_IS_LAST_STAGE(prtd->lsm_client, stage_idx)) {
		rc = msm_lsm_lab_buffer_alloc(prtd,
		@@ -753,7 +757,7 @@ static int msm_lsm_check_and_set_lab_controls(struct snd_pcm_substream *substrea
		dev_err(rtd->dev,
		"%s: msm_lsm_lab_buffer_alloc failed rc %d for %s\n",
		__func__, rc, enable ? "ALLOC" : "DEALLOC");
		return rc;
		goto fail;
		} else {
		/* set client level flag based on last stage control */
		prtd->lsm_client->lab_enable = enable;
		@@ -763,7 +767,6 @@ static int msm_lsm_check_and_set_lab_controls(struct snd_pcm_substream *substrea
		prtd->lsm_client->stage_cfg[stage_idx].lab_enable = enable;
		}

		memset(chmap, 0, out_hw_params->num_chs);
		/*
		* First channel to be read from lab is always the
		* best channel (0xff). For second channel onwards,
		@@ -778,6 +781,8 @@ static int msm_lsm_check_and_set_lab_controls(struct snd_pcm_substream *substrea
		dev_err(rtd->dev, "%s: Failed to set lab out ch cfg %d\n",
		__func__, rc);

		fail:
		kfree(chmap);
		return rc;
		}