Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 8f5991c8 authored by Fred Oh's avatar Fred Oh
Browse files

ASoC: msm: qdsp6v2: fix incorrect packet size calculation 



APR header size is included twice which cause memory out of bounds. So
remove adding the header size again.

Change-Id: I059aaa8ff77dc32431fe5b52ad27f90df890c979
Signed-off-by: default avatarFred Oh <fred@codeaurora.org>
parent c952020e

sound/soc/msm/qdsp6v2/q6adm.c

+6 −7
Original line number Diff line number Diff line
@@ -289,7 +289,7 @@ int adm_dts_eagle_set(int port_id, int copp_idx, int param_id, 


	admp.hdr.hdr_field = APR_HDR_FIELD(APR_MSG_TYPE_SEQ_CMD,

		APR_HDR_LEN(APR_HDR_SIZE), APR_PKT_VER);

	admp.hdr.pkt_size = APR_PKT_SIZE(APR_HDR_SIZE, sizeof(admp));

	admp.hdr.pkt_size = sizeof(admp);

	admp.hdr.src_svc = APR_SVC_ADM;

	admp.hdr.src_domain = APR_DOMAIN_APPS;

	admp.hdr.src_port = port_id;
@@ -386,7 +386,7 @@ int adm_dts_eagle_get(int port_id, int copp_idx, int param_id, 


	admp.hdr.hdr_field = APR_HDR_FIELD(APR_MSG_TYPE_SEQ_CMD,

			     APR_HDR_LEN(APR_HDR_SIZE), APR_PKT_VER);

	admp.hdr.pkt_size = APR_PKT_SIZE(APR_HDR_SIZE, sizeof(admp));

	admp.hdr.pkt_size = sizeof(admp);

	admp.hdr.src_svc = APR_SVC_ADM;

	admp.hdr.src_domain = APR_DOMAIN_APPS;

	admp.hdr.src_port = port_id;
@@ -632,8 +632,8 @@ int srs_trumedia_open(int port_id, int copp_idx, __s32 srs_tech_id, 
	adm_params->hdr.token = port_idx << 16 | copp_idx;

	adm_params->hdr.opcode = ADM_CMD_SET_PP_PARAMS_V5;

	if (outband && this_adm.outband_memmap.paddr) {

		adm_params->hdr.pkt_size = APR_PKT_SIZE(APR_HDR_SIZE, sizeof(

					      struct adm_cmd_set_pp_params_v5));

		adm_params->hdr.pkt_size =

					sizeof(struct adm_cmd_set_pp_params_v5);

		adm_params->payload_addr_lsw = lower_32_bits(

						this_adm.outband_memmap.paddr);

		adm_params->payload_addr_msw = upper_32_bits(
@@ -1719,8 +1719,7 @@ static int send_adm_cal_block(int port_id, int copp_idx, 


	adm_params.hdr.hdr_field = APR_HDR_FIELD(APR_MSG_TYPE_SEQ_CMD,

		APR_HDR_LEN(20), APR_PKT_VER);

	adm_params.hdr.pkt_size = APR_PKT_SIZE(APR_HDR_SIZE,

		sizeof(adm_params));

	adm_params.hdr.pkt_size = sizeof(adm_params);

	adm_params.hdr.src_svc = APR_SVC_ADM;

	adm_params.hdr.src_domain = APR_DOMAIN_APPS;

	adm_params.hdr.src_port = port_id;
@@ -3833,7 +3832,7 @@ int adm_get_source_tracking(int port_id, int copp_idx, 


	admp.hdr.hdr_field = APR_HDR_FIELD(APR_MSG_TYPE_SEQ_CMD,

				APR_HDR_LEN(APR_HDR_SIZE), APR_PKT_VER);

	admp.hdr.pkt_size = APR_PKT_SIZE(APR_HDR_SIZE, sizeof(admp));

	admp.hdr.pkt_size = sizeof(admp);

	admp.hdr.src_svc = APR_SVC_ADM;

	admp.hdr.src_domain = APR_DOMAIN_APPS;

	admp.hdr.src_port = port_id;

sound/soc/msm/qdsp6v2/q6afe.c

+1 −2
Original line number Diff line number Diff line
@@ -2421,8 +2421,7 @@ int afe_loopback(u16 enable, u16 rx_port, u16 tx_port) 


	lb_cmd.hdr.hdr_field = APR_HDR_FIELD(APR_MSG_TYPE_SEQ_CMD,

						APR_HDR_LEN(20), APR_PKT_VER);

	lb_cmd.hdr.pkt_size = APR_PKT_SIZE(APR_HDR_SIZE,

						sizeof(lb_cmd) - APR_HDR_SIZE);

	lb_cmd.hdr.pkt_size = sizeof(lb_cmd);

	lb_cmd.hdr.src_port = 0;

	lb_cmd.hdr.dest_port = 0;

	lb_cmd.hdr.token = index;

sound/soc/msm/qdsp6v2/q6asm.c

+1 −0
Original line number Diff line number Diff line
@@ -6311,6 +6311,7 @@ static int q6asm_send_asm_cal(struct audio_client *ac) 
		goto unlock;

	}



	/* asm_stream_cmd_set_pp_params_v2 has no APR header in it */

	q6asm_add_hdr_async(ac, &hdr, (sizeof(struct apr_hdr) +

		sizeof(struct asm_stream_cmd_set_pp_params_v2)), TRUE);