Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 79871700 authored by Yeleswarapu Nagaradhesh's avatar Yeleswarapu Nagaradhesh
Browse files

ASoC: msm: acquire lock in ioctl 



If two ioctls are triggered with different commands,
there is a possibility to access freed confidence level
memory. To resolve this acquire lock in ioctl.
Also release mutex lock properly in error cases.

CRs-Fixed: 1103085
Change-Id: I7d6b2eff21c8297e5f0755a0c141254be32f777d
Signed-off-by: default avatarYeleswarapu Nagaradhesh <nagaradh@codeaurora.org>
parent a66dbe84

sound/soc/msm/msm-cpe-lsm.c

+41 −20
Original line number Diff line number Diff line
@@ -2152,7 +2152,8 @@ static int msm_cpe_lsm_ioctl(struct snd_pcm_substream *substream, 
			dev_err(rtd->dev,

				"%s: %s: not supported if using topology\n",

				__func__, "LSM_REG_SND_MODEL_V2");

			return -EINVAL;

			err = -EINVAL;

			goto done;

		}



		if (copy_from_user(&snd_model, (void *)arg,
@@ -2285,7 +2286,8 @@ static int msm_cpe_lsm_ioctl(struct snd_pcm_substream *substream, 
			dev_err(rtd->dev,

				"%s: %s: not supported if using topology\n",

				__func__, "SNDRV_LSM_SET_PARAMS");

			return -EINVAL;

			err = -EINVAL;

			goto done;

		}



		if (copy_from_user(&det_params, (void *) arg,
@@ -2312,14 +2314,16 @@ static int msm_cpe_lsm_ioctl(struct snd_pcm_substream *substream, 
			dev_err(rtd->dev,

				"%s: %s: not supported if not using topology\n",

				__func__, "SET_MODULE_PARAMS");

			return -EINVAL;

			err = -EINVAL;

			goto done;

		}



		if (!arg) {

			dev_err(rtd->dev,

				"%s: %s: No Param data to set\n",

				__func__, "SET_MODULE_PARAMS");

			return -EINVAL;

			err = -EINVAL;

			goto done;

		}



		if (copy_from_user(&p_data, arg,
@@ -2327,7 +2331,8 @@ static int msm_cpe_lsm_ioctl(struct snd_pcm_substream *substream, 
			dev_err(rtd->dev,

				"%s: %s: copy_from_user failed, size = %zd\n",

				__func__, "p_data", sizeof(p_data));

			return -EFAULT;

			err = -EFAULT;

			goto done;

		}



		if (p_data.num_params > LSM_PARAMS_MAX) {
@@ -2335,7 +2340,8 @@ static int msm_cpe_lsm_ioctl(struct snd_pcm_substream *substream, 
				"%s: %s: Invalid num_params %d\n",

				__func__, "SET_MODULE_PARAMS",

				p_data.num_params);

			return -EINVAL;

			err = -EINVAL;

			goto done;

		}



		p_size = p_data.num_params *
@@ -2346,12 +2352,15 @@ static int msm_cpe_lsm_ioctl(struct snd_pcm_substream *substream, 
				"%s: %s: Invalid size %zd\n",

				__func__, "SET_MODULE_PARAMS", p_size);



			return -EFAULT;

			err = -EFAULT;

			goto done;

		}



		params = kzalloc(p_size, GFP_KERNEL);

		if (!params)

			return -ENOMEM;

		if (!params) {

			err = -ENOMEM;

			goto done;

		}



		if (copy_from_user(params, p_data.params,

				   p_data.data_size)) {
@@ -2359,7 +2368,8 @@ static int msm_cpe_lsm_ioctl(struct snd_pcm_substream *substream, 
				"%s: %s: copy_from_user failed, size = %d\n",

				__func__, "params", p_data.data_size);

			kfree(params);

			return -EFAULT;

			err = -EFAULT;

			goto done;

		}



		err = msm_cpe_lsm_process_params(substream, &p_data, params);
@@ -2470,7 +2480,8 @@ static int msm_cpe_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
			dev_err(rtd->dev,

				"%s: %s: not supported if using topology\n",

				__func__, "LSM_REG_SND_MODEL_V2_32");

			return -EINVAL;

			err = -EINVAL;

			goto done;

		}



		dev_dbg(rtd->dev,
@@ -2690,7 +2701,9 @@ static int msm_cpe_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
			dev_err(rtd->dev,

				"%s: %s: not supported if using topology\n",

				__func__, "SNDRV_LSM_SET_PARAMS32");

			return -EINVAL;



			err = -EINVAL;

			goto done;

		}



		if (copy_from_user(&det_params32, arg,
@@ -2734,7 +2747,8 @@ static int msm_cpe_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
			dev_err(rtd->dev,

				"%s: %s: not supported if not using topology\n",

				__func__, "SET_MODULE_PARAMS_32");

			return -EINVAL;

			err = -EINVAL;

			goto done;

		}



		if (copy_from_user(&p_data_32, arg,
@@ -2743,7 +2757,8 @@ static int msm_cpe_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
				"%s: %s: copy_from_user failed, size = %zd\n",

				__func__, "SET_MODULE_PARAMS_32",

				sizeof(p_data_32));

			return -EFAULT;

			err = -EFAULT;

			goto done;

		}



		p_data.params = compat_ptr(p_data_32.params);
@@ -2755,7 +2770,8 @@ static int msm_cpe_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
				"%s: %s: Invalid num_params %d\n",

				__func__, "SET_MODULE_PARAMS_32",

				p_data.num_params);

			return -EINVAL;

			err = -EINVAL;

			goto done;

		}



		if (p_data.data_size !=
@@ -2764,21 +2780,25 @@ static int msm_cpe_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
				"%s: %s: Invalid size %d\n",

				__func__, "SET_MODULE_PARAMS_32",

				p_data.data_size);

			return -EINVAL;

			err = -EINVAL;

			goto done;

		}



		p_size = sizeof(struct lsm_params_info_32) *

			 p_data.num_params;



		params32 = kzalloc(p_size, GFP_KERNEL);

		if (!params32)

			return -ENOMEM;

		if (!params32) {

			err = -ENOMEM;

			goto done;

		}



		p_size = sizeof(struct lsm_params_info) * p_data.num_params;

		params = kzalloc(p_size, GFP_KERNEL);

		if (!params) {

			kfree(params32);

			return -ENOMEM;

			err = -ENOMEM;

			goto done;

		}



		if (copy_from_user(params32, p_data.params,
@@ -2788,7 +2808,8 @@ static int msm_cpe_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
				__func__, "params32", p_data.data_size);

			kfree(params32);

			kfree(params);

			return -EFAULT;

			err = -EFAULT;

			goto done;

		}



		p_info_32 = (struct lsm_params_info_32 *) params32;

sound/soc/msm/qdsp6v2/msm-lsm-client.c

+66 −25
Original line number Diff line number Diff line
@@ -86,6 +86,7 @@ struct lsm_priv { 
	atomic_t buf_count;

	atomic_t read_abort;

	wait_queue_head_t period_wait;

	struct mutex lsm_api_lock;

	int appl_cnt;

	int dma_write;

};
@@ -954,10 +955,18 @@ static int msm_lsm_ioctl_shared(struct snd_pcm_substream *substream, 


		dev_dbg(rtd->dev, "%s: Get event status\n", __func__);

		atomic_set(&prtd->event_wait_stop, 0);



		/*

		 * Release the api lock before wait to allow

		 * other IOCTLs to be invoked while waiting

		 * for event

		 */

		mutex_unlock(&prtd->lsm_api_lock);

		rc = wait_event_freezable(prtd->event_wait,

				(cmpxchg(&prtd->event_avail, 1, 0) ||

				 (xchg = atomic_cmpxchg(&prtd->event_wait_stop,

							1, 0))));

		mutex_lock(&prtd->lsm_api_lock);

		dev_dbg(rtd->dev, "%s: wait_event_freezable %d event_wait_stop %d\n",

			 __func__, rc, xchg);

		if (!rc && !xchg) {
@@ -1281,6 +1290,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
	rtd = substream->private_data;

	prtd = runtime->private_data;



	mutex_lock(&prtd->lsm_api_lock);



	switch (cmd) {

	case SNDRV_LSM_EVENT_STATUS: {

		struct snd_lsm_event_status *user = NULL, userarg32;
@@ -1288,7 +1299,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
		if (copy_from_user(&userarg32, arg, sizeof(userarg32))) {

			dev_err(rtd->dev, "%s: err copyuser ioctl %s\n",

				__func__, "SNDRV_LSM_EVENT_STATUS");

			return -EFAULT;

			err = -EFAULT;

			goto done;

		}



		if (userarg32.payload_size >
@@ -1296,7 +1308,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
			pr_err("%s: payload_size %d is invalid, max allowed = %d\n",

				__func__, userarg32.payload_size,

				LISTEN_MAX_STATUS_PAYLOAD_SIZE);

			return -EINVAL;

			err = -EINVAL;

			goto done;

		}



		size = sizeof(*user) + userarg32.payload_size;
@@ -1305,7 +1318,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
			dev_err(rtd->dev,

				"%s: Allocation failed event status size %d\n",

				__func__, size);

			return -EFAULT;

			err = -EFAULT;

			goto done;

		} else {

			cmd = SNDRV_LSM_EVENT_STATUS;

			user->payload_size = userarg32.payload_size;
@@ -1421,7 +1435,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
			dev_err(rtd->dev,

				"%s: %s: not supported if using topology\n",

				__func__, "REG_SND_MODEL_V2");

			return -EINVAL;

			err = -EINVAL;

			goto done;

		}



		if (copy_from_user(&snd_modelv232, arg,
@@ -1462,7 +1477,7 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
			dev_err(rtd->dev,

				"%s: %s: not supported if using topology\n",

				__func__, "SET_PARAMS_32");

			return -EINVAL;

			err = -EINVAL;

		}



		if (copy_from_user(&det_params32, arg,
@@ -1505,7 +1520,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
			dev_err(rtd->dev,

				"%s: %s: not supported if not using topology\n",

				__func__, "SET_MODULE_PARAMS_32");

			return -EINVAL;

			err = -EINVAL;

			goto done;

		}



		if (copy_from_user(&p_data_32, arg,
@@ -1514,7 +1530,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
				"%s: %s: copy_from_user failed, size = %zd\n",

				__func__, "SET_MODULE_PARAMS_32",

				sizeof(p_data_32));

			return -EFAULT;

			err = -EFAULT;

			goto done;

		}



		p_data.params = compat_ptr(p_data_32.params);
@@ -1526,7 +1543,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
				"%s: %s: Invalid num_params %d\n",

				__func__, "SET_MODULE_PARAMS_32",

				p_data.num_params);

			return -EINVAL;

			err = -EINVAL;

			goto done;

		}



		if (p_data.data_size !=
@@ -1535,7 +1553,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
				"%s: %s: Invalid size %d\n",

				__func__, "SET_MODULE_PARAMS_32",

				p_data.data_size);

			return -EINVAL;

			err = -EINVAL;

			goto done;

		}



		p_size = sizeof(struct lsm_params_info_32) *
@@ -1546,7 +1565,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
			dev_err(rtd->dev,

				"%s: no memory for params32, size = %zd\n",

				__func__, p_size);

			return -ENOMEM;

			err = -ENOMEM;

			goto done;

		}



		p_size = sizeof(struct lsm_params_info) * p_data.num_params;
@@ -1556,7 +1576,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
				"%s: no memory for params, size = %zd\n",

				__func__, p_size);

			kfree(params32);

			return -ENOMEM;

			err = -ENOMEM;

			goto done;

		}



		if (copy_from_user(params32, p_data.params,
@@ -1566,7 +1587,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
				__func__, "params32", p_data.data_size);

			kfree(params32);

			kfree(params);

			return -EFAULT;

			err = -EFAULT;

			goto done;

		}



		p_info_32 = (struct lsm_params_info_32 *) params32;
@@ -1609,6 +1631,8 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
		err = msm_lsm_ioctl_shared(substream, cmd, arg);

		break;

	}

done:

	mutex_unlock(&prtd->lsm_api_lock);

	return err;

}

#else
@@ -1633,6 +1657,7 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, 
	prtd = runtime->private_data;

	rtd = substream->private_data;



	mutex_lock(&prtd->lsm_api_lock);

	switch (cmd) {

	case SNDRV_LSM_REG_SND_MODEL_V2: {

		struct snd_lsm_sound_model_v2 snd_model_v2;
@@ -1641,7 +1666,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, 
			dev_err(rtd->dev,

				"%s: %s: not supported if using topology\n",

				__func__, "REG_SND_MODEL_V2");

			return -EINVAL;

			err = -EINVAL;

			goto done;

		}



		if (copy_from_user(&snd_model_v2, arg, sizeof(snd_model_v2))) {
@@ -1668,7 +1694,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, 
			dev_err(rtd->dev,

				"%s: %s: not supported if using topology\n",

				__func__, "SET_PARAMS");

			return -EINVAL;

			err = -EINVAL;

			goto done;

		}



		pr_debug("%s: SNDRV_LSM_SET_PARAMS\n", __func__);
@@ -1689,7 +1716,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, 
			dev_err(rtd->dev,

				"%s: LSM_SET_PARAMS failed, err %d\n",

				__func__, err);

		return err;



		goto done;

	}



	case SNDRV_LSM_SET_MODULE_PARAMS: {
@@ -1701,7 +1729,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, 
			dev_err(rtd->dev,

				"%s: %s: not supported if not using topology\n",

				__func__, "SET_MODULE_PARAMS");

			return -EINVAL;

			err = -EINVAL;

			goto done;

		}



		if (copy_from_user(&p_data, arg,
@@ -1709,7 +1738,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, 
			dev_err(rtd->dev,

				"%s: %s: copy_from_user failed, size = %zd\n",

				__func__, "p_data", sizeof(p_data));

			return -EFAULT;

			err = -EFAULT;

			goto done;

		}



		if (p_data.num_params > LSM_PARAMS_MAX) {
@@ -1717,7 +1747,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, 
				"%s: %s: Invalid num_params %d\n",

				__func__, "SET_MODULE_PARAMS",

				p_data.num_params);

			return -EINVAL;

			err = -EINVAL;

			goto done;

		}



		p_size = p_data.num_params *
@@ -1728,7 +1759,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, 
				"%s: %s: Invalid size %zd\n",

				__func__, "SET_MODULE_PARAMS", p_size);



			return -EFAULT;

			err = -EFAULT;

			goto done;

		}



		params = kzalloc(p_size, GFP_KERNEL);
@@ -1736,7 +1768,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, 
			dev_err(rtd->dev,

				"%s: no memory for params\n",

				__func__);

			return -ENOMEM;

			err = -ENOMEM;

			goto done;

		}



		if (copy_from_user(params, p_data.params,
@@ -1745,7 +1778,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, 
				"%s: %s: copy_from_user failed, size = %d\n",

				__func__, "params", p_data.data_size);

			kfree(params);

			return -EFAULT;

			err = -EFAULT;

			goto done;

		}



		err = msm_lsm_process_params(substream, &p_data, params);
@@ -1765,7 +1799,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, 
			dev_err(rtd->dev,

				"%s: err copyuser event_status\n",

				__func__);

			return -EFAULT;

			err = -EFAULT;

			goto done;

		}



		if (userarg.payload_size >
@@ -1773,7 +1808,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, 
			pr_err("%s: payload_size %d is invalid, max allowed = %d\n",

				__func__, userarg.payload_size,

				LISTEN_MAX_STATUS_PAYLOAD_SIZE);

			return -EINVAL;

			err = -EINVAL;

			goto done;

		}



		size = sizeof(struct snd_lsm_event_status) +
@@ -1783,7 +1819,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, 
			dev_err(rtd->dev,

				"%s: Allocation failed event status size %d\n",

				__func__, size);

			return -EFAULT;

			err = -EFAULT;

			goto done;

		} else {

			user->payload_size = userarg.payload_size;

			err = msm_lsm_ioctl_shared(substream, cmd, user);
@@ -1806,7 +1843,7 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, 
		if (err)

			dev_err(rtd->dev,

				"%s: lsmevent failed %d", __func__, err);

		return err;

		goto done;

	}



	case SNDRV_LSM_EVENT_STATUS_V3: {
@@ -1873,6 +1910,8 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, 
		err = msm_lsm_ioctl_shared(substream, cmd, arg);

	break;

	}

done:

	mutex_unlock(&prtd->lsm_api_lock);

	return err;

}
@@ -1889,6 +1928,7 @@ static int msm_lsm_open(struct snd_pcm_substream *substream) 
		       __func__);

		return -ENOMEM;

	}

	mutex_init(&prtd->lsm_api_lock);

	spin_lock_init(&prtd->event_lock);

	init_waitqueue_head(&prtd->event_wait);

	init_waitqueue_head(&prtd->period_wait);
@@ -2048,6 +2088,7 @@ static int msm_lsm_close(struct snd_pcm_substream *substream) 
	kfree(prtd->event_status);

	prtd->event_status = NULL;

	spin_unlock_irqrestore(&prtd->event_lock, flags);

	mutex_destroy(&prtd->lsm_api_lock);

	kfree(prtd);

	runtime->private_data = NULL;