ipc: apr: Fix apr buffer override issue

// SPDX-License-Identifier: GPL-2.0-only

/*

 * Copyright (c) 2010-2014, 2016-2020 The Linux Foundation. All rights reserved.

* Copyright (c) 2010-2014, 2016-2021 The Linux Foundation. All rights reserved.

*/

#include <linux/kernel.h>

 *    apr handle and store in svc tbl.

 */

static struct mutex m_lock_tbl_qdsp6;

static struct apr_svc_table svc_tbl_qdsp6[] = {

	{

	},

};

static struct mutex m_lock_tbl_voice;

static struct apr_svc_table svc_tbl_voice[] = {

	{

	int i;

	int size;

	struct apr_svc_table *tbl;

	struct mutex *lock;

	struct aprv2_vm_cmd_register_rsp_t apr_rsp;

	uint32_t apr_len;

	int ret = 0;

	unsigned long flags;

	struct {

		uint32_t cmd_id;

		struct aprv2_vm_cmd_register_t reg_cmd;

	if (domain_id == APR_DOMAIN_ADSP) {

		tbl = svc_tbl_qdsp6;

		size = ARRAY_SIZE(svc_tbl_qdsp6);

		lock = &m_lock_tbl_qdsp6;

	} else {

		tbl = svc_tbl_voice;

		size = ARRAY_SIZE(svc_tbl_voice);

		lock = &m_lock_tbl_voice;

	}

	mutex_lock(lock);

	spin_lock_irqsave(&hab_tx_lock, flags);

	for (i = 0; i < size; i++) {

		if (!strcmp(svc_name, tbl[i].name)) {

			*client_id = tbl[i].client_id;

				if (ret) {

					pr_err("%s: habmm_socket_send failed %d\n",

						__func__, ret);

					mutex_unlock(lock);

					spin_unlock_irqrestore(&hab_tx_lock, flags);

					return ret;

				}

				/* wait for response */

				if (ret) {

					pr_err("%s: apr_vm_nb_receive failed %d\n",

						__func__, ret);

					mutex_unlock(lock);

					spin_unlock_irqrestore(&hab_tx_lock, flags);

					return ret;

				}

				if (apr_rsp.status) {

					pr_err("%s: apr_vm_nb_receive status %d\n",

						__func__, apr_rsp.status);

					ret = apr_rsp.status;

					mutex_unlock(lock);

					spin_unlock_irqrestore(&hab_tx_lock, flags);

					return ret;

				}

				/* update svc table */

			break;

		}

	}

	mutex_unlock(lock);

	spin_unlock_irqrestore(&hab_tx_lock, flags);

	pr_debug("%s: svc_name = %s client_id = %d domain_id = %d\n",

		 __func__, svc_name, *client_id, domain_id);

	int i;

	int size;

	struct apr_svc_table *tbl;

	struct mutex *lock;

	struct aprv2_vm_cmd_deregister_rsp_t apr_rsp;

	uint32_t apr_len;

	int ret = 0;

	unsigned long flags;

	struct {

		uint32_t cmd_id;

		struct aprv2_vm_cmd_deregister_t dereg_cmd;

	if (domain_id == APR_DOMAIN_ADSP) {

		tbl = svc_tbl_qdsp6;

		size = ARRAY_SIZE(svc_tbl_qdsp6);

		lock = &m_lock_tbl_qdsp6;

	} else {

		tbl = svc_tbl_voice;

		size = ARRAY_SIZE(svc_tbl_voice);

		lock = &m_lock_tbl_voice;

	}

	mutex_lock(lock);

	spin_lock_irqsave(&hab_tx_lock, flags);

	for (i = 0; i < size; i++) {

		if (tbl[i].id == svc_id && tbl[i].handle == handle) {

			/* need to deregister a service */

			break;

		}

	}

	mutex_unlock(lock);

	spin_unlock_irqrestore(&hab_tx_lock, flags);

	if (i == size) {

		pr_err("%s: APR: Wrong svc id %d handle %d\n",

				__func__, svc_id, handle);

		return -ENETRESET;

	}

	spin_lock_irqsave(&svc->w_lock, flags);

	spin_lock_irqsave(&hab_tx_lock, flags);

	if (!svc->id || !svc->vm_handle) {

		pr_err("APR: Still service is not yet opened\n");

		ret = -EINVAL;

	ret = hdr->pkt_size;

done:

	spin_unlock_irqrestore(&svc->w_lock, flags);

	spin_unlock_irqrestore(&hab_tx_lock, flags);

	return ret;

}

EXPORT_SYMBOL(apr_send_pkt);

			mutex_init(&client[i][j].m_lock);

			for (k = 0; k < APR_SVC_MAX; k++) {

				mutex_init(&client[i][j].svc[k].m_lock);

				spin_lock_init(&client[i][j].svc[k].w_lock);

			}

		}

	spin_lock(&apr_priv->apr_lock);